Play interactive tour

Edit tour

Analysis Report ANS_309487487_#049844874.exe

Overview

General Information

Sample Name:	ANS_309487487_#049844874.exe
Analysis ID:	383118
MD5:	203109ad6d2efdca0bf52cab63a7ce6a
SHA1:	471d5a99a2e8bfe03a9e119b327c45b6994ffaf6
SHA256:	5e7e5b02d1de0da6b91520884a92af6f7597fd2e39ec5b714ba089815785ad74
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

ANS_309487487_#049844874.exe (PID: 5688 cmdline: 'C:\Users\user\Desktop\ANS_309487487_#049844874.exe' MD5: 203109AD6D2EFDCA0BF52CAB63A7CE6A)

schtasks.exe (PID: 4012 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zgEmPmIdAWvDGJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 5404 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)

schtasks.exe (PID: 4904 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp6007.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 4132 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp6940.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 5400 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 5564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 5824 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 5864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 6360 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "15fbba02-3f99-4e02-884c-0827498f", "Group": "1118", "Domain1": "myhustle.duckdns.org", "Domain2": "", "Port": 1118, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.497078079.0000000006CF0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000004.00000002.497078079.0000000006CF0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
00000004.00000002.497210658.0000000006D50000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000004.00000002.497210658.0000000006D50000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
00000004.00000002.497223355.0000000006D60000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000004.00000002.497223355.0000000006D60000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x25e145:$x1: NanoCore.ClientPluginHost 0x25e182:$x2: IClientNetworkHost 0x261cb5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x25dead:$a: NanoCore 0x25debd:$a: NanoCore 0x25e0f1:$a: NanoCore 0x25e105:$a: NanoCore 0x25e145:$a: NanoCore 0x25df0c:$b: ClientPlugin 0x25e10e:$b: ClientPlugin 0x25e14e:$b: ClientPlugin 0xcd28e:$c: ProjectData 0x25e033:$c: ProjectData 0x2871b5:$c: ProjectData 0x25ea3a:$d: DESCrypto 0x266406:$e: KeepAlive 0x2643f4:$g: LogClientMessage 0x2605ef:$i: get_Connected 0x25ed70:$j: #=q 0x25eda0:$j: #=q 0x25edbc:$j: #=q 0x25edec:$j: #=q 0x25ee08:$j: #=q 0x25ee24:$j: #=q
00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x146275:$x1: NanoCore.ClientPluginHost 0x1462b2:$x2: IClientNetworkHost 0x149de5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x145fdd:$a: NanoCore 0x145fed:$a: NanoCore 0x146221:$a: NanoCore 0x146235:$a: NanoCore 0x146275:$a: NanoCore 0x14603c:$b: ClientPlugin 0x14623e:$b: ClientPlugin 0x14627e:$b: ClientPlugin 0x146163:$c: ProjectData 0x146b6a:$d: DESCrypto 0x14e536:$e: KeepAlive 0x14c524:$g: LogClientMessage 0x14871f:$i: get_Connected 0x146ea0:$j: #=q 0x146ed0:$j: #=q 0x146eec:$j: #=q 0x146f1c:$j: #=q 0x146f38:$j: #=q 0x146f54:$j: #=q 0x146f84:$j: #=q 0x146fa0:$j: #=q
00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb44d7:$a: NanoCore 0xb44fc:$a: NanoCore 0xb4555:$a: NanoCore 0xc46f4:$a: NanoCore 0xc471a:$a: NanoCore 0xc4776:$a: NanoCore 0xd15cd:$a: NanoCore 0xd1626:$a: NanoCore 0xd1659:$a: NanoCore 0xd1885:$a: NanoCore 0xd1901:$a: NanoCore 0xd1f1a:$a: NanoCore 0xd2063:$a: NanoCore 0xd2537:$a: NanoCore 0xd281e:$a: NanoCore 0xd2835:$a: NanoCore 0xdb6d9:$a: NanoCore 0xdb755:$a: NanoCore 0xde038:$a: NanoCore 0xe3601:$a: NanoCore 0xe367b:$a: NanoCore
00000004.00000002.497316492.0000000006DB0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000004.00000002.497316492.0000000006DB0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000004.00000002.497195825.0000000006D40000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000004.00000002.497195825.0000000006D40000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000004.00000002.497368728.0000000006DF0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000004.00000002.497368728.0000000006DF0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
00000004.00000002.497254796.0000000006D80000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000004.00000002.497254796.0000000006D80000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
00000004.00000002.495352573.0000000005810000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000004.00000002.495352573.0000000005810000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
00000004.00000002.493121486.00000000043CC000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.493121486.00000000043CC000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfd9:$a: NanoCore 0x1032:$a: NanoCore 0x106f:$a: NanoCore 0x10e8:$a: NanoCore 0x14793:$a: NanoCore 0x147a8:$a: NanoCore 0x147dd:$a: NanoCore 0x223f2:$a: NanoCore 0x22417:$a: NanoCore 0x22470:$a: NanoCore 0x3260d:$a: NanoCore 0x32633:$a: NanoCore 0x3268f:$a: NanoCore 0x3f4e4:$a: NanoCore 0x3f53d:$a: NanoCore 0x3f570:$a: NanoCore 0x3f79c:$a: NanoCore 0x3f818:$a: NanoCore 0x3fe31:$a: NanoCore 0x3ff7a:$a: NanoCore 0x4044e:$a: NanoCore
00000004.00000002.488658155.0000000002FA1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.497240382.0000000006D70000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000004.00000002.497240382.0000000006D70000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
00000004.00000002.497299959.0000000006DA0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000004.00000002.497299959.0000000006DA0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000004.00000002.490957634.0000000003FE9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.490957634.0000000003FE9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x35cd:$a: NanoCore 0x3626:$a: NanoCore 0x3663:$a: NanoCore 0x36dc:$a: NanoCore 0x16d87:$a: NanoCore 0x16d9c:$a: NanoCore 0x16dd1:$a: NanoCore 0x2fd6b:$a: NanoCore 0x2fd80:$a: NanoCore 0x2fdb5:$a: NanoCore 0x362f:$b: ClientPlugin 0x366c:$b: ClientPlugin 0x3f6a:$b: ClientPlugin 0x3f77:$b: ClientPlugin 0x16b43:$b: ClientPlugin 0x16b5e:$b: ClientPlugin 0x16b8e:$b: ClientPlugin 0x16da5:$b: ClientPlugin 0x16dda:$b: ClientPlugin 0x2fb27:$b: ClientPlugin 0x2fb42:$b: ClientPlugin
00000004.00000002.496076693.00000000064E0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000004.00000002.496076693.00000000064E0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000004.00000002.497154583.0000000006D20000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000004.00000002.497154583.0000000006D20000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
00000004.00000002.497176371.0000000006D30000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
00000004.00000002.497176371.0000000006D30000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
Process Memory Space: RegSvcs.exe PID: 5404	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2ca0:$x1: NanoCore.ClientPluginHost 0x48620:$x1: NanoCore.ClientPluginHost 0x52f3a:$x1: NanoCore.ClientPluginHost 0x65ab5:$x1: NanoCore.ClientPluginHost 0x68b04:$x1: NanoCore.ClientPluginHost 0x6deb8:$x1: NanoCore.ClientPluginHost 0x7130d:$x1: NanoCore.ClientPluginHost 0x73ef8:$x1: NanoCore.ClientPluginHost 0x7b09c:$x1: NanoCore.ClientPluginHost 0x7fef7:$x1: NanoCore.ClientPluginHost 0x8c6d1:$x1: NanoCore.ClientPluginHost 0xa8071:$x1: NanoCore.ClientPluginHost 0xb6a2c:$x1: NanoCore.ClientPluginHost 0xd797e:$x1: NanoCore.ClientPluginHost 0xedc97:$x1: NanoCore.ClientPluginHost 0xf4e3b:$x1: NanoCore.ClientPluginHost 0xf9c96:$x1: NanoCore.ClientPluginHost 0x106470:$x1: NanoCore.ClientPluginHost 0x121e10:$x1: NanoCore.ClientPluginHost 0x1307cb:$x1: NanoCore.ClientPluginHost 0x13f501:$x1: NanoCore.ClientPluginHost
Process Memory Space: RegSvcs.exe PID: 5404	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 5404	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2c62:$a: NanoCore 0x2ca0:$a: NanoCore 0x2d2c:$a: NanoCore 0xd6c9:$a: NanoCore 0xd6ed:$a: NanoCore 0xd745:$a: NanoCore 0x485e3:$a: NanoCore 0x48620:$a: NanoCore 0x486a9:$a: NanoCore 0x4da41:$a: NanoCore 0x4da64:$a: NanoCore 0x4dab9:$a: NanoCore 0x52efc:$a: NanoCore 0x52f3a:$a: NanoCore 0x52fc6:$a: NanoCore 0x5d963:$a: NanoCore 0x5d987:$a: NanoCore 0x5d9df:$a: NanoCore 0x655fb:$a: NanoCore 0x6569c:$a: NanoCore 0x656ff:$a: NanoCore
Process Memory Space: ANS_309487487_#049844874.exe PID: 5688	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 43 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.RegSvcs.exe.6d80000.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6d80000.25.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
4.2.RegSvcs.exe.64e0000.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
4.2.RegSvcs.exe.64e0000.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
4.2.RegSvcs.exe.6df0000.30.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6df0000.30.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
4.2.RegSvcs.exe.43d1030.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
4.2.RegSvcs.exe.43d1030.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.43d1030.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.5810000.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
4.2.RegSvcs.exe.5810000.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
4.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.RegSvcs.exe.3ff0624.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
4.2.RegSvcs.exe.3ff0624.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.3ff0624.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.6d40000.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6d40000.21.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
4.2.RegSvcs.exe.3ff0624.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28791:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287be:$x2: IClientNetworkHost
4.2.RegSvcs.exe.3ff0624.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28791:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2986c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287ab:$s5: IClientLoggingHost
4.2.RegSvcs.exe.3ff0624.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.6df0000.30.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6df0000.30.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
4.2.RegSvcs.exe.6d70000.24.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6d70000.24.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
4.2.RegSvcs.exe.6cf0000.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6cf0000.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
4.2.RegSvcs.exe.6db0000.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6db0000.27.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
4.2.RegSvcs.exe.5810000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
4.2.RegSvcs.exe.5810000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
4.2.RegSvcs.exe.6da0000.26.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6da0000.26.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
4.2.RegSvcs.exe.6da0000.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6da0000.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
4.2.RegSvcs.exe.6d60000.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6d60000.23.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
0.2.ANS_309487487_#049844874.exe.485ffb8.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.ANS_309487487_#049844874.exe.485ffb8.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.ANS_309487487_#049844874.exe.485ffb8.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.ANS_309487487_#049844874.exe.485ffb8.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.2.RegSvcs.exe.2fcf924.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
4.2.RegSvcs.exe.3feb7ee.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5c7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5f4:$x2: IClientNetworkHost
4.2.RegSvcs.exe.3feb7ee.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5c7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6a2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5e1:$s5: IClientLoggingHost
4.2.RegSvcs.exe.3feb7ee.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.3feb7ee.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d57d:$a: NanoCore 0x2d592:$a: NanoCore 0x2d5c7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d339:$b: ClientPlugin 0x2d354:$b: ClientPlugin
4.2.RegSvcs.exe.6dbe8a4.29.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6dbe8a4.29.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
4.2.RegSvcs.exe.6d70000.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6d70000.24.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
4.2.RegSvcs.exe.6d50000.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
4.2.RegSvcs.exe.6d50000.22.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
4.2.RegSvcs.exe.6cf0000.18.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6cf0000.18.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
4.2.RegSvcs.exe.3ff4c4d.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24168:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x24195:$x2: IClientNetworkHost
4.2.RegSvcs.exe.3ff4c4d.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24168:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25243:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x24182:$s5: IClientLoggingHost
4.2.RegSvcs.exe.3ff4c4d.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.6d80000.25.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6d80000.25.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
4.2.RegSvcs.exe.4223b75.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
4.2.RegSvcs.exe.4223b75.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
4.2.RegSvcs.exe.6d40000.21.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6d40000.21.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
4.2.RegSvcs.exe.6db0000.27.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6db0000.27.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
4.2.RegSvcs.exe.6d30000.20.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6d30000.20.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
4.2.RegSvcs.exe.6574629.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6574629.16.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
4.2.RegSvcs.exe.6574629.16.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.6570000.15.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6570000.15.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.6570000.15.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.6db4c9f.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6db4c9f.28.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
4.2.RegSvcs.exe.6d20000.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6d20000.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
4.2.RegSvcs.exe.6d30000.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6d30000.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
4.2.RegSvcs.exe.6570000.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6570000.15.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.6570000.15.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.4217941.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
4.2.RegSvcs.exe.4217941.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
4.2.RegSvcs.exe.6d60000.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
4.2.RegSvcs.exe.6d60000.23.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
4.2.RegSvcs.exe.4217941.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db3:$a: NanoCore 0x14dd9:$a: NanoCore 0x14e35:$a: NanoCore 0x21c8c:$a: NanoCore 0x21ce5:$a: NanoCore 0x21d18:$a: NanoCore 0x21f44:$a: NanoCore 0x21fc0:$a: NanoCore 0x225d9:$a: NanoCore 0x22722:$a: NanoCore 0x22bf6:$a: NanoCore 0x22edd:$a: NanoCore 0x22ef4:$a: NanoCore 0x2bd98:$a: NanoCore 0x2be14:$a: NanoCore 0x2e6f7:$a: NanoCore 0x33cc0:$a: NanoCore 0x33d3a:$a: NanoCore
0.2.ANS_309487487_#049844874.exe.485ffb8.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.ANS_309487487_#049844874.exe.485ffb8.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.ANS_309487487_#049844874.exe.485ffb8.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x391fd:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q
4.2.RegSvcs.exe.43cc1fa.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2221d:$x1: NanoCore.ClientPluginHost 0x32439:$x1: NanoCore.ClientPluginHost 0x3f5a2:$x1: NanoCore.ClientPluginHost 0x45af0:$x1: NanoCore.ClientPluginHost 0x4bac1:$x1: NanoCore.ClientPluginHost 0x5552d:$x1: NanoCore.ClientPluginHost 0x5f958:$x1: NanoCore.ClientPluginHost 0x6a935:$x1: NanoCore.ClientPluginHost 0x766d7:$x1: NanoCore.ClientPluginHost 0x9b5db:$x1: NanoCore.ClientPluginHost 0xaaa1b:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x22247:$x2: IClientNetworkHost 0x32466:$x2: IClientNetworkHost 0x3f5db:$x2: IClientNetworkHost 0x45b29:$x2: IClientNetworkHost 0x5568a:$x2: IClientNetworkHost 0x5f991:$x2: IClientNetworkHost
4.2.RegSvcs.exe.43cc1fa.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.43cc1fa.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x221f8:$a: NanoCore 0x2221d:$a: NanoCore 0x22276:$a: NanoCore 0x32413:$a: NanoCore 0x32439:$a: NanoCore 0x32495:$a: NanoCore 0x3f2ea:$a: NanoCore 0x3f343:$a: NanoCore 0x3f376:$a: NanoCore 0x3f5a2:$a: NanoCore 0x3f61e:$a: NanoCore 0x3fc37:$a: NanoCore 0x3fd80:$a: NanoCore 0x40254:$a: NanoCore
4.2.RegSvcs.exe.43d5659.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x18dbe:$x1: NanoCore.ClientPluginHost 0x28fda:$x1: NanoCore.ClientPluginHost 0x36143:$x1: NanoCore.ClientPluginHost 0x3c691:$x1: NanoCore.ClientPluginHost 0x42662:$x1: NanoCore.ClientPluginHost 0x4c0ce:$x1: NanoCore.ClientPluginHost 0x564f9:$x1: NanoCore.ClientPluginHost 0x614d6:$x1: NanoCore.ClientPluginHost 0x6d278:$x1: NanoCore.ClientPluginHost 0x9217c:$x1: NanoCore.ClientPluginHost 0xa15bc:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x18de8:$x2: IClientNetworkHost 0x29007:$x2: IClientNetworkHost 0x3617c:$x2: IClientNetworkHost 0x3c6ca:$x2: IClientNetworkHost 0x4c22b:$x2: IClientNetworkHost 0x56532:$x2: IClientNetworkHost 0x614f0:$x2: IClientNetworkHost 0x6d292:$x2: IClientNetworkHost
4.2.RegSvcs.exe.43d5659.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.43d5659.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb13a:$a: NanoCore 0xb14f:$a: NanoCore 0xb184:$a: NanoCore 0x18d99:$a: NanoCore 0x18dbe:$a: NanoCore 0x18e17:$a: NanoCore 0x28fb4:$a: NanoCore 0x28fda:$a: NanoCore 0x29036:$a: NanoCore 0x35e8b:$a: NanoCore 0x35ee4:$a: NanoCore 0x35f17:$a: NanoCore 0x36143:$a: NanoCore 0x361bf:$a: NanoCore 0x367d8:$a: NanoCore 0x36921:$a: NanoCore 0x36df5:$a: NanoCore 0x370dc:$a: NanoCore 0x370f3:$a: NanoCore 0x3c691:$a: NanoCore 0x3c70b:$a: NanoCore
0.2.ANS_309487487_#049844874.exe.461f788.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2509bd:$x1: NanoCore.ClientPluginHost 0x2509fa:$x2: IClientNetworkHost 0x25452d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.ANS_309487487_#049844874.exe.461f788.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.ANS_309487487_#049844874.exe.461f788.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x250725:$a: NanoCore 0x250735:$a: NanoCore 0x250969:$a: NanoCore 0x25097d:$a: NanoCore 0x2509bd:$a: NanoCore 0x250784:$b: ClientPlugin 0x250986:$b: ClientPlugin 0x2509c6:$b: ClientPlugin 0xbfb06:$c: ProjectData 0x2508ab:$c: ProjectData 0x279a2d:$c: ProjectData 0x2512b2:$d: DESCrypto 0x258c7e:$e: KeepAlive 0x256c6c:$g: LogClientMessage 0x252e67:$i: get_Connected 0x2515e8:$j: #=q 0x251618:$j: #=q 0x251634:$j: #=q 0x251664:$j: #=q 0x251680:$j: #=q 0x25169c:$j: #=q
0.2.ANS_309487487_#049844874.exe.47b8168.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb7fdd:$x1: NanoCore.ClientPluginHost 0xb801a:$x2: IClientNetworkHost 0xbbb4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.ANS_309487487_#049844874.exe.47b8168.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.ANS_309487487_#049844874.exe.47b8168.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb7d45:$a: NanoCore 0xb7d55:$a: NanoCore 0xb7f89:$a: NanoCore 0xb7f9d:$a: NanoCore 0xb7fdd:$a: NanoCore 0xb7da4:$b: ClientPlugin 0xb7fa6:$b: ClientPlugin 0xb7fe6:$b: ClientPlugin 0xb7ecb:$c: ProjectData 0xe104d:$c: ProjectData 0xb88d2:$d: DESCrypto 0xc029e:$e: KeepAlive 0xbe28c:$g: LogClientMessage 0xba487:$i: get_Connected 0xb8c08:$j: #=q 0xb8c38:$j: #=q 0xb8c54:$j: #=q 0xb8c84:$j: #=q 0xb8ca0:$j: #=q 0xb8cbc:$j: #=q 0xb8cec:$j: #=q
4.2.RegSvcs.exe.42381a2.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb537:$a: NanoCore 0xb5b3:$a: NanoCore 0xde96:$a: NanoCore 0x1345f:$a: NanoCore 0x134d9:$a: NanoCore 0x18076:$a: NanoCore 0x19432:$a: NanoCore 0x1947c:$a: NanoCore 0x1a0d6:$a: NanoCore 0x22ea0:$a: NanoCore 0x22f8a:$a: NanoCore
4.2.RegSvcs.exe.43d1030.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x1d3e7:$x1: NanoCore.ClientPluginHost 0x2d603:$x1: NanoCore.ClientPluginHost 0x3a76c:$x1: NanoCore.ClientPluginHost 0x40cba:$x1: NanoCore.ClientPluginHost 0x46c8b:$x1: NanoCore.ClientPluginHost 0x506f7:$x1: NanoCore.ClientPluginHost 0x5ab22:$x1: NanoCore.ClientPluginHost 0x65aff:$x1: NanoCore.ClientPluginHost 0x718a1:$x1: NanoCore.ClientPluginHost 0x967a5:$x1: NanoCore.ClientPluginHost 0xa5be5:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x1d411:$x2: IClientNetworkHost 0x2d630:$x2: IClientNetworkHost 0x3a7a5:$x2: IClientNetworkHost 0x40cf3:$x2: IClientNetworkHost 0x50854:$x2: IClientNetworkHost 0x5ab5b:$x2: IClientNetworkHost 0x65b19:$x2: IClientNetworkHost 0x718bb:$x2: IClientNetworkHost
4.2.RegSvcs.exe.43d1030.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.43d1030.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf763:$a: NanoCore 0xf778:$a: NanoCore 0xf7ad:$a: NanoCore 0x1d3c2:$a: NanoCore 0x1d3e7:$a: NanoCore 0x1d440:$a: NanoCore 0x2d5dd:$a: NanoCore 0x2d603:$a: NanoCore 0x2d65f:$a: NanoCore 0x3a4b4:$a: NanoCore 0x3a50d:$a: NanoCore 0x3a540:$a: NanoCore 0x3a76c:$a: NanoCore 0x3a7e8:$a: NanoCore 0x3ae01:$a: NanoCore 0x3af4a:$a: NanoCore 0x3b41e:$a: NanoCore 0x3b705:$a: NanoCore 0x3b71c:$a: NanoCore 0x40cba:$a: NanoCore 0x40d34:$a: NanoCore
4.2.RegSvcs.exe.4223b75.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a58:$a: NanoCore 0x15ab1:$a: NanoCore 0x15ae4:$a: NanoCore 0x15d10:$a: NanoCore 0x15d8c:$a: NanoCore 0x163a5:$a: NanoCore 0x164ee:$a: NanoCore 0x169c2:$a: NanoCore 0x16ca9:$a: NanoCore 0x16cc0:$a: NanoCore 0x1fb64:$a: NanoCore 0x1fbe0:$a: NanoCore 0x224c3:$a: NanoCore 0x27a8c:$a: NanoCore 0x27b06:$a: NanoCore 0x2c6a3:$a: NanoCore 0x2da5f:$a: NanoCore 0x2daa9:$a: NanoCore
Click to see the 104 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5404, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zgEmPmIdAWvDGJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zgEmPmIdAWvDGJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\ANS_309487487_#049844874.exe' , ParentImage: C:\Users\user\Desktop\ANS_309487487_#049844874.exe, ParentProcessId: 5688, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zgEmPmIdAWvDGJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp', ProcessId: 4012

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000004.00000002.490957634.0000000003FE9000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "15fbba02-3f99-4e02-884c-0827498f", "Group": "1118", "Domain1": "myhustle.duckdns.org", "Domain2": "", "Port": 1118, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\zgEmPmIdAWvDGJ.exe

ReversingLabs: Detection: 37%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.493121486.00000000043CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.488658155.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.490957634.0000000003FE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5404, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.43d1030.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ff0624.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ff0624.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3feb7ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ff4c4d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.6574629.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.6570000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.6570000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43cc1fa.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43d5659.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ANS_309487487_#049844874.exe.461f788.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ANS_309487487_#049844874.exe.47b8168.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43d1030.9.raw.unpack, type: UNPACKEDPE

Source: 4.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.RegSvcs.exe.6570000.15.unpack	Avira: Label: TR/NanoCore.fadte

Source: ANS_309487487_#049844874.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: ANS_309487487_#049844874.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000004.00000003.250320525.00000000012C8000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.266011315.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 00000011.00000002.281116598.00000000002A2000.00000002.00020000.sdmp, dhcpmon.exe.4.dr
Source:	Binary string: Svcs.pdbE source: RegSvcs.exe, 00000004.00000002.486523461.0000000001275000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb,h source: RegSvcs.exe, 00000004.00000002.486523461.0000000001275000.00000004.00000020.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.4.dr
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: RegSvcs.exe, 00000004.00000003.303453473.0000000006798000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb^h/ source: RegSvcs.exe, 00000004.00000002.486523461.0000000001275000.00000004.00000020.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4x nop then lea esp, dword ptr [ebp-04h]

4_2_0692C120

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49709 -> 185.140.53.9:1118
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49715 -> 185.140.53.9:1118
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49719 -> 185.140.53.9:1118
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49720 -> 185.140.53.9:1118
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49722 -> 185.140.53.9:1118
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49723 -> 185.140.53.9:1118
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49724 -> 185.140.53.9:1118
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49726 -> 185.140.53.9:1118
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49735 -> 185.140.53.9:1118
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49736 -> 185.140.53.9:1118
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49738 -> 185.140.53.9:1118
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49740 -> 185.140.53.9:1118
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49741 -> 185.140.53.9:1118
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49742 -> 185.140.53.9:1118

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: myhustle.duckdns.org

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: myhustle.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.5:49709 -> 185.140.53.9:1118

Source: Joe Sandbox View

IP Address: 185.140.53.9 185.140.53.9

Source: Joe Sandbox View

ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

Source: unknown

DNS traffic detected: queries for: myhustle.duckdns.org

Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: ANS_309487487_#049844874.exe, 00000000.00000002.243313663.0000000001668000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: RegSvcs.exe, 00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.493121486.00000000043CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.488658155.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.490957634.0000000003FE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5404, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.43d1030.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ff0624.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ff0624.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3feb7ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ff4c4d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.6574629.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.6570000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.6570000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43cc1fa.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43d5659.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ANS_309487487_#049844874.exe.461f788.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ANS_309487487_#049844874.exe.47b8168.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43d1030.9.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000004.00000002.497078079.0000000006CF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.497210658.0000000006D50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.497223355.0000000006D60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.497316492.0000000006DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.497195825.0000000006D40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.497368728.0000000006DF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.497254796.0000000006D80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.495352573.0000000005810000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.493121486.00000000043CC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.497240382.0000000006D70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.497299959.0000000006DA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.490957634.0000000003FE9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.496076693.00000000064E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.497154583.0000000006D20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.497176371.0000000006D30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 5404, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 5404, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.6d80000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.64e0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6df0000.30.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.43d1030.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.5810000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.3ff0624.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d40000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.3ff0624.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6df0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d70000.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6cf0000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6db0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.5810000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6da0000.26.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6da0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d60000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.2fcf924.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.3feb7ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.3feb7ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.6dbe8a4.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d70000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d50000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6cf0000.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.3ff4c4d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d80000.25.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.4223b75.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d40000.21.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6db0000.27.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d30000.20.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6574629.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6570000.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6db4c9f.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d20000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d30000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6570000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.4217941.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.6d60000.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.4217941.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.43cc1fa.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.43cc1fa.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.43d5659.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.43d5659.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.ANS_309487487_#049844874.exe.461f788.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ANS_309487487_#049844874.exe.461f788.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.ANS_309487487_#049844874.exe.47b8168.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.ANS_309487487_#049844874.exe.47b8168.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.42381a2.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.43d1030.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.43d1030.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.4223b75.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03195BD0	0_2_03195BD0
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03193158	0_2_03193158
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_031999C1	0_2_031999C1
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03195F78	0_2_03195F78
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_031975F0	0_2_031975F0
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03191C98	0_2_03191C98
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03197B20	0_2_03197B20
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03191BDF	0_2_03191BDF
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03195BC2	0_2_03195BC2
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03190A50	0_2_03190A50
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03190A42	0_2_03190A42
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03197ABA	0_2_03197ABA
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03199AE2	0_2_03199AE2
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03196151	0_2_03196151
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_0319314A	0_2_0319314A
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_031921B8	0_2_031921B8
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_031969B8	0_2_031969B8
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_0319280C	0_2_0319280C
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03192828	0_2_03192828
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_031978B8	0_2_031978B8
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_031910BA	0_2_031910BA
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_031978A8	0_2_031978A8
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_031910C8	0_2_031910C8
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03190F00	0_2_03190F00
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03195F68	0_2_03195F68
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03193620	0_2_03193620
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03190699	0_2_03190699
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03190EF1	0_2_03190EF1
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_031975DF	0_2_031975DF
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03190C82	0_2_03190C82
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_05E5CDB8	0_2_05E5CDB8
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_05E55C68	0_2_05E55C68
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_05E5D7C9	0_2_05E5D7C9
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_05E5F678	0_2_05E5F678
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_05E5B620	0_2_05E5B620
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_05E5B610	0_2_05E5B610
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_05E5B1E0	0_2_05E5B1E0
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_05E5C1DD	0_2_05E5C1DD
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_05E549B0	0_2_05E549B0
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_05E56928	0_2_05E56928
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_05E598A0	0_2_05E598A0
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_05E5A320	0_2_05E5A320
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_05E5D248	0_2_05E5D248
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_05E5C208	0_2_05E5C208
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_07F30040	0_2_07F30040
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_07F38F80	0_2_07F38F80
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_07F38F72	0_2_07F38F72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02F8E480	4_2_02F8E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02F8E471	4_2_02F8E471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02F8BBD4	4_2_02F8BBD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06920040	4_2_06920040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0692A200	4_2_0692A200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_069292B0	4_2_069292B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06929EC8	4_2_06929EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06929F86	4_2_06929F86

Source: ANS_309487487_#049844874.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: zgEmPmIdAWvDGJ.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: ANS_309487487_#049844874.exe, 00000000.00000002.246725643.000000000496C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameU~ vs ANS_309487487_#049844874.exe
Source: ANS_309487487_#049844874.exe, 00000000.00000002.243313663.0000000001668000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ANS_309487487_#049844874.exe
Source: ANS_309487487_#049844874.exe, 00000000.00000002.258053879.0000000010D80000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs ANS_309487487_#049844874.exe
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257837403.000000000A5B0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs ANS_309487487_#049844874.exe
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257022487.0000000007F10000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs ANS_309487487_#049844874.exe
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257022487.0000000007F10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ANS_309487487_#049844874.exe
Source: ANS_309487487_#049844874.exe, 00000000.00000002.244600851.0000000003451000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMetroFramework.dll> vs ANS_309487487_#049844874.exe
Source: ANS_309487487_#049844874.exe	Binary or memory string: OriginalFilenameU~ vs ANS_309487487_#049844874.exe

Source: ANS_309487487_#049844874.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000004.00000002.497078079.0000000006CF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497078079.0000000006CF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.497210658.0000000006D50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497210658.0000000006D50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.497223355.0000000006D60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497223355.0000000006D60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.497316492.0000000006DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497316492.0000000006DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.497195825.0000000006D40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497195825.0000000006D40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.497368728.0000000006DF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497368728.0000000006DF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.497254796.0000000006D80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497254796.0000000006D80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.495352573.0000000005810000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.495352573.0000000005810000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.493121486.00000000043CC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.497240382.0000000006D70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497240382.0000000006D70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.497299959.0000000006DA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497299959.0000000006DA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.490957634.0000000003FE9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.496076693.00000000064E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.496076693.00000000064E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.497154583.0000000006D20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497154583.0000000006D20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.497176371.0000000006D30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497176371.0000000006D30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: RegSvcs.exe PID: 5404, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 5404, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.6d80000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d80000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.64e0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.64e0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6df0000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6df0000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.43d1030.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.43d1030.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.5810000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5810000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.3ff0624.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.3ff0624.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d40000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d40000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3ff0624.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.3ff0624.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6df0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6df0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d70000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d70000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6cf0000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6cf0000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6db0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6db0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.5810000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5810000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6da0000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6da0000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6da0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6da0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d60000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d60000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.2fcf924.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.3feb7ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.3feb7ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3feb7ee.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.6dbe8a4.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6dbe8a4.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d70000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d70000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d50000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d50000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6cf0000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6cf0000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3ff4c4d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.3ff4c4d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d80000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d80000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.4223b75.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.4223b75.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d40000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d40000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6db0000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6db0000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d30000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d30000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6574629.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6574629.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6570000.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6570000.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6db4c9f.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6db4c9f.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d20000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d20000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d30000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d30000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6570000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6570000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.4217941.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.4217941.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.6d60000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.6d60000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.4217941.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.43cc1fa.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.43cc1fa.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.43d5659.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.43d5659.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.ANS_309487487_#049844874.exe.461f788.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ANS_309487487_#049844874.exe.461f788.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.ANS_309487487_#049844874.exe.47b8168.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.ANS_309487487_#049844874.exe.47b8168.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.42381a2.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.43d1030.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.43d1030.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.4223b75.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: ANS_309487487_#049844874.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: zgEmPmIdAWvDGJ.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@17/14@16/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe

File created: C:\Users\user\AppData\Roaming\zgEmPmIdAWvDGJ.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5592:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{15fbba02-3f99-4e02-884c-0827498fae1d}
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Mutant created: \Sessions\1\BaseNamedObjects\mXqOXPexfwXu
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5864:120:WilError_01

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe

File created: C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp

Jump to behavior

Source: ANS_309487487_#049844874.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe

File read: C:\Users\user\Desktop\ANS_309487487_#049844874.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ANS_309487487_#049844874.exe 'C:\Users\user\Desktop\ANS_309487487_#049844874.exe'
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zgEmPmIdAWvDGJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp6007.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp6940.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zgEmPmIdAWvDGJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp6007.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp6940.tmp'	Jump to behavior

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ANS_309487487_#049844874.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ANS_309487487_#049844874.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000004.00000003.250320525.00000000012C8000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.266011315.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 00000011.00000002.281116598.00000000002A2000.00000002.00020000.sdmp, dhcpmon.exe.4.dr
Source:	Binary string: Svcs.pdbE source: RegSvcs.exe, 00000004.00000002.486523461.0000000001275000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb,h source: RegSvcs.exe, 00000004.00000002.486523461.0000000001275000.00000004.00000020.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.4.dr
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: RegSvcs.exe, 00000004.00000003.303453473.0000000006798000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb^h/ source: RegSvcs.exe, 00000004.00000002.486523461.0000000001275000.00000004.00000020.sdmp

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: ANS_309487487_#049844874.exe, Imager/MainWindow.cs	.Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: zgEmPmIdAWvDGJ.exe.0.dr, Imager/MainWindow.cs	.Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 0.0.ANS_309487487_#049844874.exe.dc0000.0.unpack, Imager/MainWindow.cs	.Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 0.2.ANS_309487487_#049844874.exe.dc0000.0.unpack, Imager/MainWindow.cs	.Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)

.NET source code contains potential unpacker

Show sources

Source: ANS_309487487_#049844874.exe, Imager/MainWindow.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: zgEmPmIdAWvDGJ.exe.0.dr, Imager/MainWindow.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.ANS_309487487_#049844874.exe.dc0000.0.unpack, Imager/MainWindow.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.ANS_309487487_#049844874.exe.dc0000.0.unpack, Imager/MainWindow.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_0319230D push cs; iretd	0_2_0319230F
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_0319132E push ds; iretd	0_2_0319132F
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03192325 push cs; iretd	0_2_03192327
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03191B25 push ss; iretd	0_2_03191B27
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03191A4E push ss; iretd	0_2_03191A50
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03191A7D push ss; iretd	0_2_03191A7E
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03191A63 push ss; iretd	0_2_03191A64
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_031912BE push ds; iretd	0_2_031912BF
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_031912D2 push ds; iretd	0_2_031912D3
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_031912E8 push ds; iretd	0_2_031912EA
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_0319CE56 push FFFFFF8Bh; iretd	0_2_0319CE5F
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03198E8A pushad ; ret	0_2_03198E91
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03197ED0 push es; ret	0_2_03197ED1
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_03197EC6 push es; ret	0_2_03197EC7
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_0319851C pushad ; iretd	0_2_0319851D
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_031914D2 push 0000001Ch; iretd	0_2_031914D4
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_059385E9 push E801005Eh; retf	0_2_05938601
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_059300F0 push eax; mov dword ptr [esp], ecx	0_2_059300F4
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_05E5B782 push esp; ret	0_2_05E5B783
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_05E55AC2 pushfd ; iretd	0_2_05E55AC9
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_07F3DE92 pushfd ; retf	0_2_07F3DE99
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Code function: 0_2_07F3DDF0 push esp; retf	0_2_07F3DDF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0692E701 push eax; iretd	4_2_0692E70D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0692C770 pushad ; ret	4_2_0692C771
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0692D6F2 push es; retf	4_2_0692D6F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0692D6F6 push es; retf	4_2_0692D6F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0692D6FA push es; retf	4_2_0692D6F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0692D6FA push ds; iretd	4_2_0692D7B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0692D7B6 push ds; iretd	4_2_0692D7B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0692D7DD push ds; iretd	4_2_0692D801
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0692DA16 push ds; iretd	4_2_0692DA15

Source: initial sample	Static PE information: section name: .text entropy: 7.9483521266
Source: initial sample	Static PE information: section name: .text entropy: 7.9483521266

Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	File created: C:\Users\user\AppData\Roaming\zgEmPmIdAWvDGJ.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zgEmPmIdAWvDGJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match

File source: Process Memory Space: ANS_309487487_#049844874.exe PID: 5688, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 5010	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 4413	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: foregroundWindowGot 811	Jump to behavior

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe TID: 5588	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe TID: 5764	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1140	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6444	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Thread delayed: delay time: 31500	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: RegSvcs.exe, 00000004.00000002.497511351.00000000071F0000.00000002.00000001.sdmp, RegSvcs.exe, 0000000B.00000002.266480288.0000000005480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.269094971.0000000004960000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000004.00000002.497511351.00000000071F0000.00000002.00000001.sdmp, RegSvcs.exe, 0000000B.00000002.266480288.0000000005480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.269094971.0000000004960000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000004.00000002.497511351.00000000071F0000.00000002.00000001.sdmp, RegSvcs.exe, 0000000B.00000002.266480288.0000000005480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.269094971.0000000004960000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 00000004.00000002.496575693.0000000006700000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 00000004.00000002.497511351.00000000071F0000.00000002.00000001.sdmp, RegSvcs.exe, 0000000B.00000002.266480288.0000000005480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.269094971.0000000004960000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F0E008	Jump to behavior

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zgEmPmIdAWvDGJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp6007.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp6940.tmp'	Jump to behavior

Source: RegSvcs.exe, 00000004.00000002.489302829.000000000327A000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000004.00000002.488166594.0000000001990000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000004.00000002.488166594.0000000001990000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 00000004.00000002.488166594.0000000001990000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: RegSvcs.exe, 00000004.00000002.488658155.0000000002FA1000.00000004.00000001.sdmp	Binary or memory string: Program ManagerD$
Source: RegSvcs.exe, 00000004.00000002.497459855.0000000006F6D000.00000004.00000001.sdmp	Binary or memory string: Program Managerram Manager
Source: RegSvcs.exe, 00000004.00000002.490079641.00000000033E2000.00000004.00000001.sdmp	Binary or memory string: Program Managerh!r
Source: RegSvcs.exe, 00000004.00000002.497029471.0000000006BAC000.00000004.00000001.sdmp	Binary or memory string: Program Manager8
Source: RegSvcs.exe, 00000004.00000002.488166594.0000000001990000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: RegSvcs.exe, 00000004.00000002.488166594.0000000001990000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: RegSvcs.exe, 00000004.00000002.488956229.00000000030D6000.00000004.00000001.sdmp	Binary or memory string: Program ManagerHa

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Users\user\Desktop\ANS_309487487_#049844874.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ANS_309487487_#049844874.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.493121486.00000000043CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.488658155.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.490957634.0000000003FE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5404, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.43d1030.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ff0624.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ff0624.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3feb7ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ff4c4d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.6574629.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.6570000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.6570000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43cc1fa.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43d5659.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ANS_309487487_#049844874.exe.461f788.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ANS_309487487_#049844874.exe.47b8168.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43d1030.9.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: RegSvcs.exe, 00000004.00000002.497078079.0000000006CF0000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: RegSvcs.exe, 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: RegSvcs.exe, 00000004.00000002.493121486.00000000043CC000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.493121486.00000000043CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.488658155.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.490957634.0000000003FE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5404, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.43d1030.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ff0624.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ff0624.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3feb7ee.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ff4c4d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.6574629.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.6570000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.6570000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ANS_309487487_#049844874.exe.485ffb8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43cc1fa.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43d5659.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ANS_309487487_#049844874.exe.461f788.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ANS_309487487_#049844874.exe.47b8168.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.43d1030.9.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection212	Masquerading2	Input Capture21	Security Software Discovery211	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection212	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol21	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information3	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing23	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\zgEmPmIdAWvDGJ.exe	38%	ReversingLabs	Win32.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File
4.2.RegSvcs.exe.6570000.15.unpack	100%	Avira	TR/NanoCore.fadte		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
myhustle.duckdns.org	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
myhustle.duckdns.org	185.140.53.9	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
myhustle.duckdns.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false		high
http://www.tiro.com	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false		high
http://www.fonts.com	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ANS_309487487_#049844874.exe, 00000000.00000002.257735814.0000000009877000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	ANS_309487487_#049844874.exe, 00000000.00000002.251783792.0000000006360000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.140.53.9	myhustle.duckdns.org	Sweden		209623	DAVID_CRAIGGG	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	383118
Start date:	07.04.2021
Start time:	09:05:04
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ANS_309487487_#049844874.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@17/14@16/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.4% (good quality ratio 0.4%) Quality average: 100% Quality standard deviation: 0%
HCA Information:	Successful, ratio: 99% Number of executed functions: 157 Number of non-executed functions: 35
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 93.184.220.29, 104.42.151.234, 104.43.139.144, 95.100.54.203, 52.147.198.201, 13.64.90.137, 20.82.210.154, 23.10.249.26, 23.10.249.43, 20.54.26.129 Excluded domains from analysis (whitelisted): www.bing.com, skypedataprdcolwus17.cloudapp.net, cs9.wac.phicdn.net, fs.microsoft.com, arc.msn.com.nsatc.net, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/383118/sample/ANS_309487487_#049844874.exe

Simulations

Behavior and APIs

Time	Type	Description
09:05:57	API Interceptor	2x Sleep call for process: ANS_309487487_#049844874.exe modified
09:06:10	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" s>$(Arg0)
09:06:10	API Interceptor	883x Sleep call for process: RegSvcs.exe modified
09:06:10	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
09:06:11	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.140.53.9	t5R60D503x.exe	Get hash	malicious	Browse
	GT_0397337_03987638BNG.exe	Get hash	malicious	Browse
	1PH37n4Gva.exe	Get hash	malicious	Browse
	malwa.exe	Get hash	malicious	Browse
	HDF_39837635_0398376HJD.exe	Get hash	malicious	Browse
	E0029876556_209876689.exe	Get hash	malicious	Browse
	BGD_03987365_0398736DSC.exe	Get hash	malicious	Browse
	DHL_AWB #9855452108.exe	Get hash	malicious	Browse
	Simo_Inquiry_FOB_Order_9820_xlsx.exe	Get hash	malicious	Browse
	Summer_richiesta_di_preventivo_070820.exe	Get hash	malicious	Browse
	RF172474228ES.exe	Get hash	malicious	Browse
	MAJDALANI INOX S.A Pedido 050820.exe	Get hash	malicious	Browse
	MAJDALANI INOX SA Pedido.exe	Get hash	malicious	Browse
	Correos de Espa#U00f1a Recibo de impresi#U00f3n de paquete retrasado.exe	Get hash	malicious	Browse
	PDF_Tosoh-Inquiry.exe	Get hash	malicious	Browse
	Tosoh inquiry list 30072020_PDF.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DAVID_CRAIGGG	tmp2.exe	Get hash	malicious	Browse	185.140.53.71
	tmp.exe	Get hash	malicious	Browse	185.140.53.71
	NEW_ORDER.pdf.exe	Get hash	malicious	Browse	185.140.53.138
	Doc_58YJ54-521DERG701-55YH701.exe	Get hash	malicious	Browse	185.140.53.230
	Quotation_Request.pdf.exe	Get hash	malicious	Browse	185.140.53.138
	FRQ_05694 revised quantity.exe	Get hash	malicious	Browse	185.140.53.69
	INVOICE 15112021.xlsx	Get hash	malicious	Browse	185.140.53.130
	URGENT_ORDER.pdf.exe	Get hash	malicious	Browse	185.140.53.138
	IMG-001982-AW00173-SSE73I.exe	Get hash	malicious	Browse	185.140.53.230
	FYI-Orderimg.exe	Get hash	malicious	Browse	185.140.53.67
	Purchase_Order.pdf.exe	Get hash	malicious	Browse	185.140.53.138
	PO-94765809570-Order pdf.exe	Get hash	malicious	Browse	185.140.53.7
	Commercial E-invoice.exe	Get hash	malicious	Browse	185.140.53.137
	Order23032021.xls	Get hash	malicious	Browse	185.140.53.130
	ZcQwvgqtuQ.exe	Get hash	malicious	Browse	91.193.75.245
	lKIPqaYkKB.exe	Get hash	malicious	Browse	185.140.53.161
	t5R60D503x.exe	Get hash	malicious	Browse	185.140.53.9
	Purchase OrderDated19032021.xls	Get hash	malicious	Browse	185.140.53.130
	0u1JLpIwRo.exe	Get hash	malicious	Browse	185.140.53.139
	PO-21322.xlsm	Get hash	malicious	Browse	185.165.153.116

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Dekont_12VK2102526 VAKIF KATILIM.exe	Get hash	malicious	Browse
	taiwan.exe	Get hash	malicious	Browse
	SWIFT COPY.exe	Get hash	malicious	Browse
	GS_ PO NO.1862021.exe	Get hash	malicious	Browse
	purchase order.exe	Get hash	malicious	Browse
	Payment Advice.exe	Get hash	malicious	Browse
	Quotation.pdf...exe	Get hash	malicious	Browse
	PURCHASE ORDER.exe	Get hash	malicious	Browse
	money.exe	Get hash	malicious	Browse
	TT COPY.exe	Get hash	malicious	Browse
	$$$.exe	Get hash	malicious	Browse
	ORDER.exe	Get hash	malicious	Browse
	PO-0561.exe	Get hash	malicious	Browse
	Encrypted Documents.exe	Get hash	malicious	Browse
	Statement of Account.exe	Get hash	malicious	Browse
	PURCHASE ORDER COPY.exe	Get hash	malicious	Browse
	GS_ PO NO.1862021.exe	Get hash	malicious	Browse
	Wrong_Invoice.exe	Get hash	malicious	Browse
	REQUEST FOR QUOTAION.exe	Get hash	malicious	Browse
	New Order.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45152
Entropy (8bit):	6.149629800481177
Encrypted:	false
SSDEEP:	768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
MD5:	2867A3817C9245F7CF518524DFD18F28
SHA1:	D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
SHA-256:	43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
SHA-512:	7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Dekont_12VK2102526 VAKIF KATILIM.exe, Detection: malicious, Browse Filename: taiwan.exe, Detection: malicious, Browse Filename: SWIFT COPY.exe, Detection: malicious, Browse Filename: GS_ PO NO.1862021.exe, Detection: malicious, Browse Filename: purchase order.exe, Detection: malicious, Browse Filename: Payment Advice.exe, Detection: malicious, Browse Filename: Quotation.pdf...exe, Detection: malicious, Browse Filename: PURCHASE ORDER.exe, Detection: malicious, Browse Filename: money.exe, Detection: malicious, Browse Filename: TT COPY.exe, Detection: malicious, Browse Filename: $$$.exe, Detection: malicious, Browse Filename: ORDER.exe, Detection: malicious, Browse Filename: PO-0561.exe, Detection: malicious, Browse Filename: Encrypted Documents.exe, Detection: malicious, Browse Filename: Statement of Account.exe, Detection: malicious, Browse Filename: PURCHASE ORDER COPY.exe, Detection: malicious, Browse Filename: GS_ PO NO.1862021.exe, Detection: malicious, Browse Filename: Wrong_Invoice.exe, Detection: malicious, Browse Filename: REQUEST FOR QUOTAION.exe, Detection: malicious, Browse Filename: New Order.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ANS_309487487_#049844874.exe.log Download File
Process:	C:\Users\user\Desktop\ANS_309487487_#049844874.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\tmp6007.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.135668813522653
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mXxtn:cbk4oL600QydbQxIYODOLedq3ZXj
MD5:	8CAD1B41587CED0F1E74396794F31D58
SHA1:	11054BF74FCF5E8E412768035E4DAE43AA7B710F
SHA-256:	3086D914F6B23268F8A12CB1A05516CD5465C2577E1D1E449F1B45C8E5E8F83C
SHA-512:	99C2EF89029DE51A866DF932841684B7FC912DF21E10E2DD0D09E400203BBDC6CBA6319A31780B7BF8B286D2CEA8EA3FC7D084348BF2F002AB4F5A34218CCBEF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp6940.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp Download File
Process:	C:\Users\user\Desktop\ANS_309487487_#049844874.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1651
Entropy (8bit):	5.180198443688216
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBVtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3d
MD5:	F59A4E52C5AF4407199142EDC5E26377
SHA1:	387755BD484FE5E07A8A7657955E9F15D0F08117
SHA-256:	6A9F77E90593E194E33E1F09D2543B640322912192AA07DB8599B5F1D4ED39A8
SHA-512:	3D407381E8E3C6ABE283BFE5DE37C1A2995C81A3C99A728D72A7B62FD56331464428EAD8C19DBC020AC59EB573180284A50D585840C5F87E87345815DD3DC224
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	2088
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCe
MD5:	0D6805D12813A857D50D42D6EE2CCAB0
SHA1:	78D83F009D842F21FE2AB0EAFFD00E5AAD1776F4
SHA-256:	182E0F8AA959549D61C66D049645BA8445D86AEAD2B8C3552A9836FA1E5BD484
SHA-512:	5B29496F3AB3CCB915CF37042F4956BB00E577B5F15457A5A739BE1BD50C481FB7E3297EED575DCA7A7BD30ECBC140DD3666CD7DEDD25DFB7AEB41A1B5BEDA4A
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:Pc9t:U
MD5:	19B475F1566BC5B63E8B39713E96CB7B
SHA1:	A3FEBA3421A1F88CDE6AF68D8632DF38C14A3D31
SHA-256:	49EE73A5135A3D3F5E3B25060369447755F89024BE23483C13B60FF47F657C4A
SHA-512:	F42BB7118C1E49DF91E55928E6B146B8AC11F7B42932B760E6D12673E0290CFE37F2F463747BDE79044210B04635C26A2AB6C18D036F7FDE35E3A579FA263219
Malicious:	true
Preview:	.Id....H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.830795005765378
Encrypted:	false
SSDEEP:	3:oMty8WddSWA1KMNn:oMLW6WA1j
MD5:	08E799E8E9B4FDA648F2500A40A11933
SHA1:	AC76B5E20DED247803448A2F586731ED7D84B9F3
SHA-256:	D46E34924067EB071D1F031C0BC015F4B711EDCE64D8AE00F24F29E73ECB71DB
SHA-512:	5C5701A86156D573BE274E73615FD6236AC89630714863A4CB2639EEC8EC1BE746839EBF8A9AEBA0A9BE326AF6FA02D8F9BD7A93D3FFB139BADE945572DF5FE9
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Users\user\AppData\Roaming\zgEmPmIdAWvDGJ.exe Download File
Process:	C:\Users\user\Desktop\ANS_309487487_#049844874.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	988672
Entropy (8bit):	7.599577245128144
Encrypted:	false
SSDEEP:	24576:m1izcvE+woErFNL01jT9p6fUyCbTEUSOWPy6bwSc:mU+wBB9S6fFQrSX6g
MD5:	203109AD6D2EFDCA0BF52CAB63A7CE6A
SHA1:	471D5A99A2E8BFE03A9E119B327C45B6994FFAF6
SHA-256:	5E7E5B02D1DE0DA6B91520884A92AF6F7597FD2E39EC5B714BA089815785AD74
SHA-512:	8B567CEEB8EB7158495659687FAD6B74AE8F889604D8CC8AF7BF7FE8A6C4C931EF3622B55A6C7D8C16C5F8C6A25DE398ACBB8A245596DAA94AB3C72A6ACB0F55
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Xl`..............0......(.......... ... ....@.. ....................................@.....................................O.... ...%...................`....................................................... ............... ..H............text...0.... ...................... ..`.rsrc....%... ...&..................@..@.reloc.......`......................@..B........................H........g..\Q......Z...P....P...........................................0..n.........}.....(.......(......r...p.(....(....o......{.....(....o......{....r...p.(....(....o......{.....(....o........0..`........(.........(.....o............,....t......o....r-..p(......,...o......+..(....o....(......+....0...........(....o ...o!...o"....+.....0..;........(.........(.....o............,..r-..p.+....t....o#....+....0..;........(.........(.....o............,..r-..p.+....t....o$.

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.44831826838854
Encrypted:	false
SSDEEP:	24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
MD5:	1AEB3A784552CFD2AEDEDC1D43A97A4F
SHA1:	804286AB9F8B3DE053222826A69A7CDA3492411A
SHA-256:	0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
SHA-512:	5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.599577245128144
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	ANS_309487487_#049844874.exe
File size:	988672
MD5:	203109ad6d2efdca0bf52cab63a7ce6a
SHA1:	471d5a99a2e8bfe03a9e119b327c45b6994ffaf6
SHA256:	5e7e5b02d1de0da6b91520884a92af6f7597fd2e39ec5b714ba089815785ad74
SHA512:	8b567ceeb8eb7158495659687fad6b74ae8f889604d8cc8af7bf7fe8a6c4c931ef3622b55a6c7d8c16c5f8c6a25de398acbb8a245596daa94ab3c72a6acb0f55
SSDEEP:	24576:m1izcvE+woErFNL01jT9p6fUyCbTEUSOWPy6bwSc:mU+wBB9S6fFQrSX6g
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Xl`..............0......(......*.... ... ....@.. ....................................@................................

File Icon


Icon Hash:	60c2d2d89484dc1c

Static PE Info

General
Entrypoint:	0x4c0a2a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x606C5803 [Tue Apr 6 12:45:55 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc09d8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc2000	0x325e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbea30	0xbec00	False	0.93988445077	data	7.9483521266	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xc2000	0x325e8	0x32600	False	0.303916912221	data	4.85960749449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf6000	0xc	0x200	False	0.041015625	data	0.0776331623432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xc22e0	0x7006	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
RT_ICON	0xc92e8	0x3580	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xcc868	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0xdd090	0x94a8	data
RT_ICON	0xe6538	0x5488	data
RT_ICON	0xeb9c0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294902776
RT_ICON	0xefbe8	0x25a8	data
RT_ICON	0xf2190	0x10a8	data
RT_ICON	0xf3238	0x988	data
RT_ICON	0xf3bc0	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xf4028	0x92	data
RT_VERSION	0xf40bc	0x33e	data
RT_MANIFEST	0xf43fc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2013 - 2021
Assembly Version	1.9.0.21
InternalName	U.exe
FileVersion	1.9.0.21
CompanyName
LegalTrademarks
Comments
ProductName	Layered Styler
ProductVersion	1.9.0.21
FileDescription	Layered Styler
OriginalFilename	U.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/07/21-09:06:13.508131	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49709	1118	192.168.2.5	185.140.53.9
04/07/21-09:06:22.447080	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49715	1118	192.168.2.5	185.140.53.9
04/07/21-09:06:28.206968	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49719	1118	192.168.2.5	185.140.53.9
04/07/21-09:06:34.440086	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49720	1118	192.168.2.5	185.140.53.9
04/07/21-09:06:40.461048	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49722	1118	192.168.2.5	185.140.53.9
04/07/21-09:06:46.536426	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49723	1118	192.168.2.5	185.140.53.9
04/07/21-09:06:52.466731	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49724	1118	192.168.2.5	185.140.53.9
04/07/21-09:06:57.696674	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49726	1118	192.168.2.5	185.140.53.9
04/07/21-09:07:20.316455	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49735	1118	192.168.2.5	185.140.53.9
04/07/21-09:07:26.457068	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49736	1118	192.168.2.5	185.140.53.9
04/07/21-09:07:32.604394	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49738	1118	192.168.2.5	185.140.53.9
04/07/21-09:07:41.176968	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49740	1118	192.168.2.5	185.140.53.9
04/07/21-09:07:47.966544	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49741	1118	192.168.2.5	185.140.53.9
04/07/21-09:07:54.950513	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49742	1118	192.168.2.5	185.140.53.9

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 7, 2021 09:06:13.071259022 CEST	49709	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:13.345798016 CEST	1118	49709	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:13.345900059 CEST	49709	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:13.508131027 CEST	49709	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:13.774518013 CEST	1118	49709	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:13.794981003 CEST	1118	49709	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:13.806773901 CEST	49709	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:14.085242033 CEST	1118	49709	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:14.085453987 CEST	49709	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:14.314754009 CEST	1118	49709	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:14.534962893 CEST	49709	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:14.657521009 CEST	49709	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:14.817023039 CEST	49709	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:14.925762892 CEST	1118	49709	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:14.933578014 CEST	49709	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:14.964658976 CEST	1118	49709	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:14.968367100 CEST	49709	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:15.005408049 CEST	1118	49709	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:15.005661964 CEST	49709	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:15.035629034 CEST	1118	49709	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:15.035814047 CEST	49709	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:15.055413008 CEST	1118	49709	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:15.055608988 CEST	49709	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:19.236116886 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:22.348040104 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:22.446363926 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:22.446463108 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:22.447079897 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:22.648147106 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:22.734726906 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:22.735241890 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:22.922859907 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:22.923072100 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:23.121344090 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.123116970 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:23.368674040 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.441032887 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.453001976 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.453195095 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:23.482443094 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.494613886 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.494749069 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:23.651871920 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.663697958 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.663873911 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:23.675789118 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.696500063 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.696646929 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:23.715296984 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.723474026 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.723654032 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:23.742367983 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.754738092 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.754905939 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:23.833262920 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:23.870568991 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.870687008 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:23.884780884 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.884848118 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:23.898178101 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.898327112 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:23.911798954 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.911887884 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:23.925776958 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.925849915 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:23.938056946 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.938142061 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:23.964909077 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.965002060 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:23.973136902 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.973215103 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:23.981427908 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.981513977 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:23.994460106 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:23.994529963 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:24.025948048 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:24.026071072 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:24.036422014 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:24.036499023 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:24.061844110 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:24.061902046 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:24.067998886 CEST	1118	49715	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:24.068068027 CEST	49715	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:27.963238001 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:28.206032038 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:28.206212044 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:28.206968069 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:28.465496063 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:28.486905098 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:28.487360001 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:28.871505022 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:28.872925043 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.060480118 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.135443926 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.142662048 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.142817974 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.146958113 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.147099972 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.151454926 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.151568890 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.156058073 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.156183004 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.446918964 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.446949959 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.446962118 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.447137117 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.447191954 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.447261095 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.447320938 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.448267937 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.448373079 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.449021101 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.449043036 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.449115038 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.638415098 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.642232895 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.642375946 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.646435022 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.652581930 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.652648926 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.656474113 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.660955906 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.661143064 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.680443048 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.680465937 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.680531025 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.680574894 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.695239067 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.695396900 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.698256016 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.698275089 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.698335886 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.709079981 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.716756105 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.716777086 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.716860056 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.716881990 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.716924906 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.828054905 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.828648090 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.828731060 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.831079960 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.856652975 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.856678963 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.856693983 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.856826067 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.857445002 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.866566896 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.866679907 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.877147913 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.879559040 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.879659891 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:29.880466938 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:29.957983017 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.040520906 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.040741920 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.040772915 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.040821075 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.041043043 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.041069031 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.041438103 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.041512012 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.041589022 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.042833090 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.042968035 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.043046951 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.043083906 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.043144941 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.043184996 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.045190096 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.045366049 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.045447111 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.045893908 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.068582058 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.068662882 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.071954966 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.071990013 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.072076082 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.075088024 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.075256109 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.075304985 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.086775064 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.089210033 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.089284897 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.091698885 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.103115082 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.103215933 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.105633974 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.137742996 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.137824059 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.138616085 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.152715921 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.152802944 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.162260056 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.185934067 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.185966015 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.186006069 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.186037064 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.186681986 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.186732054 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.203849077 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.203959942 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.219043970 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.219129086 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.246243000 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.246280909 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.246306896 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.246336937 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.246362925 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.248356104 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.248444080 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.277062893 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.277097940 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.277115107 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.277153969 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.277199984 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.280160904 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.280244112 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.281407118 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.281470060 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.283710957 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.286730051 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.307615995 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.307641029 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.307718039 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.307729006 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.307781935 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.322192907 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.322269917 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.322288036 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.322350025 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.322407961 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.322622061 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.326175928 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.340073109 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.340105057 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.340121031 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.340204954 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.340243101 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.340756893 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.344657898 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.355454922 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.355490923 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.355529070 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.355571032 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.356106997 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.356350899 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.364099979 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.364173889 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.374587059 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.374747038 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.374830008 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.375289917 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.375364065 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.378585100 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.379645109 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.404942989 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.404990911 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.405056000 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.411828041 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.411850929 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.411906004 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.411982059 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.412024975 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.621824980 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.621850967 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.621865988 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.621881962 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.621897936 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.621913910 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.621918917 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.621963978 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.622096062 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.622112989 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.622128963 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.622154951 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.622175932 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.622240067 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.622292042 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:30.718616009 CEST	1118	49719	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:30.720686913 CEST	49719	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:34.229265928 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:34.439002037 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:34.439238071 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:34.440085888 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:34.759150982 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:34.775469065 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:34.780370951 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:34.983514071 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:35.161537886 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:35.178072929 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:35.379355907 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:35.449018955 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:35.449093103 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:35.781636000 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:35.812953949 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:35.827613115 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:35.827754021 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:35.856048107 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:35.860109091 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:35.860219955 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:36.037810087 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:36.045332909 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:36.045437098 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:36.073343992 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:36.100115061 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:36.100269079 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:36.109544039 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:36.123528004 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:36.123691082 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:36.140055895 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:36.162347078 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:36.164000988 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:36.164103031 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:36.263376951 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:36.263514042 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:36.297359943 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:36.297504902 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:36.537327051 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:36.537477016 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:36.545592070 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:36.545727968 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:36.565818071 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:36.565856934 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:36.565974951 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:36.575525045 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:36.575632095 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:36.587594986 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:36.587696075 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:36.605709076 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:36.605815887 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:36.615500927 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:36.615606070 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:36.625659943 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:36.625825882 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:36.636673927 CEST	1118	49720	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:36.636833906 CEST	49720	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:40.268130064 CEST	49722	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:40.460244894 CEST	1118	49722	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:40.460402966 CEST	49722	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:40.461047888 CEST	49722	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:40.726581097 CEST	1118	49722	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:40.755456924 CEST	1118	49722	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:40.755933046 CEST	49722	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:40.975075006 CEST	1118	49722	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:41.162050962 CEST	49722	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:41.164109945 CEST	49722	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:41.386842966 CEST	1118	49722	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:41.387017012 CEST	49722	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:46.309622049 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:46.535696983 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:46.535809040 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:46.536426067 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:46.875680923 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:46.875705957 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:46.876065969 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:47.084368944 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:47.162547112 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:47.209841967 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:47.375742912 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:47.459448099 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:47.466808081 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:47.466917992 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:47.715251923 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:47.805124998 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:47.824682951 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:47.827826977 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:47.941170931 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:47.944478035 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:47.944596052 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:48.066210985 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:48.095201969 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:48.095364094 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:48.115834951 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:48.147133112 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:48.147237062 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:48.185467958 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:48.204781055 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:48.204947948 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:48.225764036 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:48.235230923 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:48.235373974 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:48.255763054 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:48.255860090 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:48.326803923 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:48.326872110 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:48.355674028 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:48.355853081 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:48.374697924 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:48.374803066 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:48.405903101 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:48.406066895 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:48.425801039 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:48.425954103 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:48.455102921 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:48.455172062 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:48.555665016 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:48.555762053 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:48.585530043 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:48.585594893 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:48.609170914 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:48.609246969 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:48.627327919 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:48.627403021 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:48.635396957 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:48.635541916 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:48.655539989 CEST	1118	49723	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:48.655662060 CEST	49723	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:52.283567905 CEST	49724	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:52.465698957 CEST	1118	49724	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:52.465884924 CEST	49724	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:52.466731071 CEST	49724	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:52.751853943 CEST	1118	49724	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:52.801440001 CEST	1118	49724	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:52.801809072 CEST	49724	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:53.015826941 CEST	1118	49724	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:53.069247007 CEST	49724	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:53.210477114 CEST	49724	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:53.265224934 CEST	1118	49724	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:53.265300035 CEST	49724	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:57.450309038 CEST	49726	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:57.695755005 CEST	1118	49726	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:57.695946932 CEST	49726	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:57.696674109 CEST	49726	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:57.945677996 CEST	1118	49726	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:58.044580936 CEST	1118	49726	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:58.100951910 CEST	49726	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:58.211463928 CEST	49726	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:58.324758053 CEST	1118	49726	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:58.382186890 CEST	49726	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:58.756818056 CEST	1118	49726	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:58.756975889 CEST	49726	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:06:59.220558882 CEST	1118	49726	185.140.53.9	192.168.2.5
Apr 7, 2021 09:06:59.243098974 CEST	49726	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:03.323551893 CEST	49734	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:06.335988045 CEST	49734	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:12.336508989 CEST	49734	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:20.086184978 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:20.315319061 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:20.315623999 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:20.316454887 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:20.605309963 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:20.675400019 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:20.675801039 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:21.001319885 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:21.003016949 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:21.336234093 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:21.336467981 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:21.405466080 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:21.405683041 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:21.465269089 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:21.465413094 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:21.514816046 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:21.514981985 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:21.584758997 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:21.584877968 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:21.597373962 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:21.655683994 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:21.695985079 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:21.696316004 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:21.735773087 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:21.790514946 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:21.866158962 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:21.895859957 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:21.896246910 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:21.915622950 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:21.962434053 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:21.965718031 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:21.995418072 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:21.995636940 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.016019106 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.045578957 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.045804977 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.065279007 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.086116076 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.086348057 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.105530977 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.116141081 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.117039919 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.136006117 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.162192106 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.162408113 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.175462961 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.185288906 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.185415030 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.205854893 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.213361979 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.225764990 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.229068041 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.235682964 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.237046003 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.255310059 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.257180929 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.275614023 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.277034044 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.286784887 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.287122011 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.305773020 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.305927992 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.325660944 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.325723886 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.336153984 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.336232901 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.347585917 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.347692966 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.363924026 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.364042997 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.366591930 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.366697073 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.375720024 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.375817060 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.385622978 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.385783911 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.546361923 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.546474934 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.546585083 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.546603918 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.546690941 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.546801090 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.546883106 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.548192978 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.548219919 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.548232079 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.548295021 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.548310041 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.548314095 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.548383951 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.548403025 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.548437119 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.548482895 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.548499107 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.556237936 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.556382895 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:22.565278053 CEST	1118	49735	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:22.565352917 CEST	49735	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:26.267092943 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:26.456331015 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:26.456506014 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:26.457067966 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:26.714401007 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:26.729305029 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:26.729739904 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:26.928591013 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:26.930085897 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.194542885 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.214179039 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.214206934 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.214219093 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.214298964 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.214992046 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.215075016 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.291678905 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.404491901 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.404654980 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.408554077 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.408677101 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.411595106 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.411768913 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.415088892 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.415160894 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.418601990 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.418728113 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.439317942 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.439537048 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.441540003 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.441580057 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.441644907 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.556471109 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.592396975 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.598036051 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.598210096 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.599000931 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.603286028 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.603682995 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.610286951 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.614742041 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.614880085 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.617949009 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.621434927 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.621598005 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.624583006 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.628725052 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.628875971 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.635657072 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.638804913 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.638948917 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.649173021 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.650037050 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.650160074 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.651587963 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.656944036 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.657102108 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.820283890 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.820728064 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.820847988 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.821873903 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.821902990 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.821921110 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.821989059 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.825890064 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.826042891 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.830290079 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.834779978 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.834971905 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.836967945 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.857688904 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.857918978 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.864317894 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.864356041 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.864372969 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.864548922 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.877804041 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.877841949 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.878019094 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.889518976 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.889731884 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.891617060 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.901155949 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.901602030 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.901791096 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.904470921 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.904639959 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.921401978 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.925246000 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.925430059 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.929065943 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.934537888 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.934731960 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.935688019 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.941967010 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.942197084 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.955312967 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.955368996 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.955544949 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.963191032 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.965692997 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.965930939 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:27.971271992 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.974966049 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:27.975203991 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.002862930 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.005059958 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.005253077 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.023509026 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.023564100 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.023725986 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.034950972 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.037123919 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.037159920 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.037237883 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.038659096 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.038893938 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.057931900 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.059446096 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.059509993 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.059653997 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.071703911 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.073590994 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.074028969 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.076057911 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.076205015 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.101491928 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.101572037 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.101716995 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.107064962 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.107101917 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.107223988 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.137717962 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.181660891 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.260648966 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.331435919 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.331478119 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.331602097 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.331716061 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.331753969 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.331805944 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.332024097 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.333621025 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.333863020 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.333889961 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.333959103 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.335812092 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.335846901 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.335933924 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.336064100 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.337601900 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.337902069 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.338066101 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.338128090 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.338553905 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.341603994 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.360460997 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.360500097 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.360625982 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.363931894 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.365619898 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.377641916 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.381277084 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.381431103 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.394845009 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.397633076 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.409439087 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.409570932 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.411092043 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.411758900 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.425328016 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.425437927 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.427635908 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.427757025 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.460601091 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.460633039 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.460653067 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.460705996 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.460746050 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.475869894 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.475974083 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.477238894 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.477360964 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.486160994 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.486282110 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.487961054 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.488080025 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.488533020 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.488600969 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.507869005 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.508004904 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.508059978 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.508424044 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.508476019 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.539817095 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.539951086 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.554523945 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.554673910 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.585860014 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.585932016 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.600898027 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.600955963 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.601536036 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.601594925 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.619777918 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.619878054 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.620542049 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.620610952 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.650876999 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.650958061 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.651498079 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.651524067 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.651551008 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.651565075 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.651601076 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.652364969 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.652441978 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.661545992 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.661729097 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.664094925 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.664228916 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.668306112 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.668443918 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.694169044 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.694346905 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:28.694660902 CEST	1118	49736	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:28.694746017 CEST	49736	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:32.367070913 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:32.603507042 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:32.603624105 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:32.604393959 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:32.845850945 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:32.895138979 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:32.903831959 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:33.092649937 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:33.115303993 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:33.518733978 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:33.520101070 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:33.635581970 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:33.635660887 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:33.635854959 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:33.639899969 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:33.641067982 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:33.661653996 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:33.662127018 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:33.751866102 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:33.846781015 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:33.877815962 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:33.881499052 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:33.884449005 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:33.898186922 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:33.898310900 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.029629946 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.029659986 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.029710054 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.029726982 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.029756069 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.029809952 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.078102112 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.105777025 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.105885029 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.106625080 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.135385990 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.135469913 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.201942921 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.229897976 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.230102062 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.234827995 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.257829905 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.258143902 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.258440018 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.272433043 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.274142027 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.283343077 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.295048952 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.298186064 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.300545931 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.324940920 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.324971914 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.325140953 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.345563889 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.346180916 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.354954004 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.364542007 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.366179943 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.374259949 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.374375105 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.374492884 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.382589102 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.382633924 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.382754087 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.402479887 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.406162977 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.417131901 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.417572975 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.423974991 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.426171064 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.434921980 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.435116053 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.463026047 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.463224888 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.476219893 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.476428986 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.496258974 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.496486902 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.507462025 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.507498980 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.507700920 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.511864901 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.512061119 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.531742096 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.531774998 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.531958103 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.657959938 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.657991886 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.658003092 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.658015013 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.658198118 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.658495903 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.658571959 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.659482956 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.659516096 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.659658909 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.659962893 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.659984112 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.660046101 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.660094023 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.661837101 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.661973953 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.662837982 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.662961006 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.663369894 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.663465977 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.663837910 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.663872004 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.663923025 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.663954020 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.664405107 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.664494038 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.665561914 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.665585041 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.665685892 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.675959110 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.676145077 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.679054976 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.679246902 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.707228899 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.707416058 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.709819078 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.715506077 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.715543985 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.715692997 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.738562107 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.738589048 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.738743067 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.739029884 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.739147902 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.747647047 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.747781038 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.747797012 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.747893095 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.769690037 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.769876003 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.774667978 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.775449991 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.775572062 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.779608011 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.792746067 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.792923927 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.805299044 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.808680058 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.808809042 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.810522079 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.812612057 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.812753916 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.836527109 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.837282896 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.837418079 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.839061975 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.858932018 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.859164953 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.874876022 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.891864061 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.891895056 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.892039061 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.921307087 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.921459913 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.939239025 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.939260006 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.939394951 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:34.970232964 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.970767975 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:34.970889091 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.001221895 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.018591881 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.018775940 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.033615112 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.033655882 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.033772945 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.035794020 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.046108961 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.046266079 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.046473980 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.048959017 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.049103022 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.060529947 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.063493013 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.063664913 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.065403938 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.093070984 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.093106031 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.093126059 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.093238115 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.093307972 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.110893011 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.110934973 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.110958099 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.110977888 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.111092091 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.111143112 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.111330032 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.114712000 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.114862919 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.137861013 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.137902021 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.137919903 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.138076067 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.138422966 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.138514042 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.140784025 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.140820980 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.140907049 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.140944004 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.144469023 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.144615889 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.147573948 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.170064926 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.170161963 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.175776958 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.177117109 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.177167892 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.177243948 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.227510929 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.227538109 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.227672100 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.230492115 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.230607986 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.252727985 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.252772093 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.252909899 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.270545959 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.270580053 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.270605087 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.270716906 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.277678967 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.277834892 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.308547974 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.310602903 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.310734987 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.336532116 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.369379997 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.369472980 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.369596004 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.401772976 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.401809931 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.401870966 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.418932915 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.419110060 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.429708958 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.430623055 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.430762053 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.434833050 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.461324930 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.461368084 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.461549044 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.461569071 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.461606026 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:35.461628914 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.557231903 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.738893986 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:35.740923882 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.049211979 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.049360037 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.109733105 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.109762907 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.109873056 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.121646881 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.121747017 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.149629116 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.149667978 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.149810076 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.158912897 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.159008026 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.168863058 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.169017076 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.178565979 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.178677082 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.189486027 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.189572096 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.210776091 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.210804939 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.210849047 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.210886002 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.216064930 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.216227055 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.223956108 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.224071026 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.245524883 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.245672941 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.253801107 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.253952026 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.255213976 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.255320072 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.275955915 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.276150942 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.277632952 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.277754068 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.280953884 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.281083107 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.289690018 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.289844990 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.307590008 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.307684898 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.308772087 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.308880091 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.312629938 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.312815905 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.314929008 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.315098047 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.321718931 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.321880102 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.340661049 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.340743065 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.343631029 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.343714952 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.345573902 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.345633984 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.354837894 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.354917049 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.371253014 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.371664047 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.375550985 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.375653028 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.378215075 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.378272057 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.379421949 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.379499912 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.385541916 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.385622978 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.402784109 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.402874947 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.405702114 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.405760050 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.411815882 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.411847115 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.411914110 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.436074018 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.436243057 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.437278032 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.437340975 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.440360069 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.440450907 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.443835974 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.443896055 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.463475943 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.651871920 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.651959896 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.666469097 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.666500092 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.666537046 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.666548014 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.666625977 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.666692019 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.666738987 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.667363882 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.667386055 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.667397022 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.667443991 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.669913054 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.669966936 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.670028925 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.670569897 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.670602083 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.670631886 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.683660030 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.697696924 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.697782993 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.712574959 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.712644100 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.729106903 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.729232073 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.747323990 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.747420073 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.760950089 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.761043072 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.775440931 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.775515079 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.776133060 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.776201010 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.795068026 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.795151949 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.797503948 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.797578096 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.799946070 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.800035954 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.805020094 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.805104971 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.809128046 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.809231043 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.811602116 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.811789036 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.823162079 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.823254108 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.826564074 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.826631069 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.843931913 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.844043970 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.858356953 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.858454943 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.874548912 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.874656916 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.889914989 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.891011953 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.905435085 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.905529022 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.907474995 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.907561064 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.924015045 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.924163103 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.935425997 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.935508013 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.937755108 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.937833071 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.949517965 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.949609041 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.952611923 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.952675104 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.956171989 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.956248045 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.966516018 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.966604948 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.969105005 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.969177961 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.971525908 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.971592903 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.997374058 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.997457027 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:36.998760939 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:36.998811960 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:37.018248081 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:37.018342018 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:37.019846916 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:37.019912004 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:37.032615900 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:37.032687902 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:37.049835920 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:37.049892902 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:37.050538063 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:37.050590992 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:37.064707994 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:37.064790964 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:37.067121029 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:37.067249060 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:37.081088066 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:37.081171989 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:37.083903074 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:37.083991051 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:37.316121101 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:37.316222906 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:37.331897974 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:37.331934929 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:37.331949949 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:37.331988096 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:37.332045078 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:37.332268953 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:37.332396984 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:37.332422018 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:37.332498074 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:37.333374977 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:37.333420038 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:37.333441019 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:37.333477974 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:37.334259987 CEST	1118	49738	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:37.334335089 CEST	49738	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:40.976308107 CEST	49740	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:41.175731897 CEST	1118	49740	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:41.176930904 CEST	49740	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:41.176968098 CEST	49740	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:41.419581890 CEST	1118	49740	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:41.494683027 CEST	1118	49740	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:41.500824928 CEST	49740	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:42.026492119 CEST	49740	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:42.281486988 CEST	1118	49740	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:42.282891989 CEST	49740	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:42.528995037 CEST	1118	49740	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:42.604662895 CEST	1118	49740	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:42.651503086 CEST	49740	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:42.667949915 CEST	49740	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:42.958930969 CEST	1118	49740	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:42.959022999 CEST	49740	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:43.001569986 CEST	1118	49740	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:43.001687050 CEST	49740	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:43.175740957 CEST	1118	49740	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:43.235527039 CEST	1118	49740	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:43.275578022 CEST	1118	49740	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:43.275722980 CEST	49740	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:43.355654955 CEST	1118	49740	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:43.401680946 CEST	49740	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:43.624870062 CEST	1118	49740	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:43.667324066 CEST	49740	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:43.683464050 CEST	49740	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:43.704658985 CEST	1118	49740	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:43.704746962 CEST	49740	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:43.714463949 CEST	1118	49740	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:43.714626074 CEST	49740	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:43.764617920 CEST	1118	49740	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:43.764825106 CEST	49740	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:43.925251007 CEST	1118	49740	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:43.925432920 CEST	49740	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:47.761296034 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:47.965709925 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:47.965873957 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:47.966543913 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:48.266273975 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:48.267509937 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:48.267909050 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:48.485039949 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:48.486479998 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:48.765397072 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:48.765485048 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:48.895625114 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:48.895719051 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:48.934988022 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:48.935081959 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:48.975434065 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:48.975527048 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.015625954 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.015716076 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.035387039 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.146008968 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.185584068 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.185720921 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.224756002 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.255175114 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.255373001 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.384958029 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.405199051 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.405397892 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.426482916 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.445630074 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.445808887 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.464792013 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.485349894 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.485481024 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.498723030 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.506618023 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.506747961 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.525835991 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.543890953 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.543996096 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.545480013 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.558023930 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.558113098 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.615345955 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.626365900 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.626557112 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.636049032 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.646517038 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.646729946 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.668380976 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.670784950 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.670927048 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.675851107 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.676038980 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.685549974 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.685765028 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.695343971 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.695554018 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.736754894 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.737080097 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.745982885 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.746233940 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.756129026 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.756288052 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.766206026 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.769751072 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.775976896 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.776074886 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.776171923 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.825608969 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.825643063 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.825659037 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.825683117 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.825711966 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.826154947 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.826224089 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.826971054 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.827032089 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.828614950 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.828696966 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.837856054 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.838015079 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.847022057 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.847441912 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.896120071 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.896186113 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.896317959 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.897821903 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.897914886 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.898794889 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.898828030 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.898911953 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.899179935 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.899266005 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.905926943 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.906111956 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.955756903 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.955899000 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.996371031 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.996480942 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:49.997694016 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:49.997865915 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.006891966 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.007059097 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.076636076 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.076680899 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.076704979 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.076729059 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.076757908 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.076800108 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.076836109 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.085525990 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.087479115 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.096174002 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.105323076 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.105351925 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.105410099 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.116095066 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.116126060 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.116261959 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.127042055 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.127240896 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.137183905 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.137214899 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.137449026 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.146702051 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.156347990 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.156436920 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.156547070 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.167277098 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.167329073 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.167586088 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.176523924 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.176708937 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.186187983 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.186223030 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.186381102 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.196217060 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.206903934 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.207089901 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.207231045 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.216736078 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.216763020 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.216906071 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.226550102 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.226764917 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.236546993 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.236584902 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.236825943 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.245544910 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.255461931 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.255492926 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.255654097 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.265649080 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.265681982 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.265868902 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.275259018 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.275454998 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.287507057 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.287652016 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.287758112 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.296838999 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.306781054 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.306822062 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.306999922 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.316611052 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.316674948 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.316792011 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.325599909 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.325751066 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.335766077 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.336299896 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.336407900 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.346338987 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.346375942 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.346596003 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.357439995 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.367775917 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.367820024 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.367995977 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.377055883 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.377224922 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.386907101 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.386939049 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.387063026 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.396619081 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.396653891 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.396755934 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.405620098 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.449105024 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.661196947 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.661227942 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.661238909 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.661370039 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.665329933 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.665445089 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.668782949 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.672132969 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.672276020 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.673336029 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.673455000 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.675307035 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.675403118 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.677501917 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.677580118 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.679116964 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.679140091 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.679218054 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.679887056 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.679904938 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.679965019 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.681626081 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.681647062 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.681710958 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.681725979 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.681783915 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.682777882 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.682835102 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.682854891 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.682924032 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.683934927 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.683957100 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.684067965 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.684602976 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.684679985 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.685159922 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.685229063 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.699013948 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.699269056 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.705581903 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.705780983 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.707408905 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.707565069 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.709676027 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.709722042 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.709800005 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.737627029 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.737849951 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.739087105 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.739254951 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.746543884 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.746570110 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.746645927 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.746673107 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.759675026 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.759895086 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.769243956 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.769432068 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.771697998 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.771859884 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.775785923 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.775810003 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.775856972 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.775943995 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.775985956 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.783202887 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.783298016 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.806096077 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.806222916 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.807627916 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.807704926 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.809156895 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.809242010 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.811647892 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.811714888 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.836903095 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.836932898 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.837038994 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.837090969 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.839090109 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.839199066 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.857641935 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.857788086 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.858931065 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.859016895 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.907217979 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.907392979 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.921255112 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.921379089 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.923902035 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.924029112 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.944169998 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.944262981 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.944925070 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.944983959 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.945125103 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.945173025 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.965763092 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.965783119 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.965816021 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.965847015 CEST	1118	49741	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:50.965859890 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:50.965893030 CEST	49741	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:54.740056038 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:54.949743986 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:54.949866056 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:54.950512886 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:55.191701889 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:55.252629995 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:55.252887011 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:55.479594946 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:55.480401993 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:55.743824005 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:55.817790985 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:55.847807884 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:55.847903967 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:55.854974985 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:55.886710882 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:55.886838913 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.047694921 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.075339079 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.075673103 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.087831020 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.099368095 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.099493027 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.131225109 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.144900084 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.145071030 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.155267000 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.169167042 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.169258118 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.279881001 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.291598082 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.291682959 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.375524044 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.398750067 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.398876905 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.420855999 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.430810928 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.430947065 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.451518059 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.461091995 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.461282015 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.537859917 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.547780037 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.547847033 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.557560921 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.565613031 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.565692902 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.587991953 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.598499060 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.598664999 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.605101109 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.605123997 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.605195045 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.627022028 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.645535946 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.645641088 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.654849052 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.678742886 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.678765059 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.678836107 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.690757990 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.690932035 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.876709938 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.886627913 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.886657953 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.886737108 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.896703959 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.896802902 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.906846046 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.915566921 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.915617943 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.915626049 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.925525904 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.926238060 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.935519934 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.946053028 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.946120024 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.946137905 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.946152925 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.946207047 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.947463989 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.947482109 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.947534084 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.948431015 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:56.948508024 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:56.996619940 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.036851883 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.036890030 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.037012100 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.053172112 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.055645943 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.055675983 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.055737019 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.065752029 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.065929890 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.075592041 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.076033115 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.076122999 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.086819887 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.096623898 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.096653938 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.096766949 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.106642008 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.106730938 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.116698027 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.116724968 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.116777897 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.125564098 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.135628939 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.135683060 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.135768890 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.146009922 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.146066904 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.146190882 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.158298969 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.158370972 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.166661024 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.167028904 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.167110920 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.175873995 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.185472012 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.185508013 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.185609102 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.196244001 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.196423054 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.206027985 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.206161976 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.206239939 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.216754913 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.216844082 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.218127966 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.226730108 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.238379955 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.238414049 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.238502026 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.246545076 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.246886015 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.256308079 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.256342888 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.256432056 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.265469074 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.265506983 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.265573025 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.275998116 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.286777020 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.286813021 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.286892891 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.297244072 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.300056934 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.306490898 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.306524038 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.306653976 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.356266022 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.356295109 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.356396914 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.367065907 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.367116928 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.367186069 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.367296934 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.368166924 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.368275881 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.368369102 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.368393898 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.368453979 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.376844883 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.376898050 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.376982927 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.386874914 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.396522045 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.396559954 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.396615982 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.405540943 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.405591011 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.405632019 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.415888071 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.415994883 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.426350117 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.426690102 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.426779985 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.436145067 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.447369099 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.447413921 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.447431087 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.488451004 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.495547056 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.496351957 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.496409893 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.496443033 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.496917963 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.496990919 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.497042894 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.498681068 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.498779058 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.505795002 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.505855083 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.505920887 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.515366077 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.515403986 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.515482903 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.565895081 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.565937996 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.565962076 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.566118002 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.566286087 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.566422939 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.785780907 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.785820007 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.785841942 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.785864115 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.785936117 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.785995007 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.786303997 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.786428928 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.786540031 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.786952972 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.787031889 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.787086964 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.788774967 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.789489985 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.789534092 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.790071011 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.790652037 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.790680885 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.791429996 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.795845032 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.795921087 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.795947075 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.805356979 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.805466890 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.818022013 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.818057060 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.820630074 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.826637030 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.836601019 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.836632967 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.836657047 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.846678019 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.846715927 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.846935034 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.855830908 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.856017113 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.865561962 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.865597963 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.865688086 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.875549078 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.875602961 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.875742912 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:57.886183023 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:57.934140921 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.065627098 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.067384958 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.067523956 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.073120117 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.075634003 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.075784922 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.085344076 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.095791101 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.096235991 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.101404905 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.119123936 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.119267941 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.121733904 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.121854067 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.121880054 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.121953964 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.122041941 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.122112989 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.122509956 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.122684002 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.122747898 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.123811007 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.124162912 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.124243975 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.124316931 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.126036882 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.126132011 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.133349895 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.134958029 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.135077000 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.149573088 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.149616003 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.149759054 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.151436090 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.154715061 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.154900074 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.159862995 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.163866997 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.163999081 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.171098948 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.174613953 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.174707890 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.174758911 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.175082922 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.175203085 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.181322098 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.200967073 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.200998068 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.201081038 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.203670025 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.203772068 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.205502033 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.208319902 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.208514929 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.209752083 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.262495041 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.305141926 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.317558050 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.317958117 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.319346905 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.321527958 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.321660042 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.335067034 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.335764885 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.335994959 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.339732885 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.365293980 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.365328074 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.365350008 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.367146969 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.367893934 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.369406939 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.369556904 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.374321938 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.381951094 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.382113934 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.383680105 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.384988070 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.385293007 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.389569998 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.391473055 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.392472029 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.399100065 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.403598070 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.403873920 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.405874968 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.414887905 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.414978027 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.417198896 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.419791937 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.420001030 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.423908949 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.431525946 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.431804895 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.435595036 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.439611912 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.440071106 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.447496891 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.451827049 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.452214956 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.477904081 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.477942944 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.478009939 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.478101015 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.480053902 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.480201960 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.481420040 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.509373903 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.509506941 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.509541988 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.509630919 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.509682894 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.512806892 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.515417099 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.515588045 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.525141954 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.541769028 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.541986942 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.543979883 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.559813023 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.559947968 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.575113058 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.589524031 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.589740992 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.637250900 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.639586926 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.639688015 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.672069073 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.701769114 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.701800108 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.701812029 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.701925993 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.721219063 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.723869085 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.723900080 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.723997116 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.735323906 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.735460997 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.737853050 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.739257097 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.739418983 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.751580954 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.755151987 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.755264044 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.771665096 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.783952951 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.784213066 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.799420118 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.815999985 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.816158056 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:58.847074032 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:58.902848005 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:59.023551941 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:59.023581982 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:59.023780107 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:59.023915052 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:59.024044037 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:59.024112940 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:59.025964975 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:59.025996923 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:59.026179075 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:59.026530981 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:59.026711941 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:59.026791096 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:59.027308941 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:59.027337074 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:59.027411938 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:59.028172016 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:59.028193951 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:59.028265953 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:59.028270960 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:59.029210091 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:59.029232025 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:59.029320955 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:59.255814075 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:59.539704084 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:59.579521894 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:59.597477913 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:07:59.809431076 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:07:59.818660975 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:08:00.021117926 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:08:00.021222115 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:08:00.350388050 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:08:00.354402065 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:08:00.545564890 CEST	1118	49742	185.140.53.9	192.168.2.5
Apr 7, 2021 09:08:00.546238899 CEST	49742	1118	192.168.2.5	185.140.53.9
Apr 7, 2021 09:08:00.904274940 CEST	1118	49742	185.140.53.9	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 7, 2021 09:05:43.285545111 CEST	62060	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:05:43.298794031 CEST	53	62060	8.8.8.8	192.168.2.5
Apr 7, 2021 09:05:43.314178944 CEST	65307	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:05:43.327506065 CEST	53	65307	8.8.8.8	192.168.2.5
Apr 7, 2021 09:05:43.362580061 CEST	61805	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:05:43.374855042 CEST	53	61805	8.8.8.8	192.168.2.5
Apr 7, 2021 09:05:47.394865990 CEST	54795	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:05:47.407481909 CEST	53	54795	8.8.8.8	192.168.2.5
Apr 7, 2021 09:05:48.378079891 CEST	49557	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:05:48.393063068 CEST	53	49557	8.8.8.8	192.168.2.5
Apr 7, 2021 09:05:50.323812008 CEST	61733	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:05:50.336774111 CEST	53	61733	8.8.8.8	192.168.2.5
Apr 7, 2021 09:05:55.078866959 CEST	65447	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:05:55.091243029 CEST	53	65447	8.8.8.8	192.168.2.5
Apr 7, 2021 09:06:11.759711027 CEST	52441	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:06:12.778274059 CEST	52441	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:06:12.791774035 CEST	53	52441	8.8.8.8	192.168.2.5
Apr 7, 2021 09:06:13.459623098 CEST	62176	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:06:13.477528095 CEST	53	62176	8.8.8.8	192.168.2.5
Apr 7, 2021 09:06:16.342705011 CEST	59596	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:06:16.355904102 CEST	53	59596	8.8.8.8	192.168.2.5
Apr 7, 2021 09:06:17.039968014 CEST	65296	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:06:17.052984953 CEST	53	65296	8.8.8.8	192.168.2.5
Apr 7, 2021 09:06:17.537570953 CEST	63183	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:06:17.550870895 CEST	53	63183	8.8.8.8	192.168.2.5
Apr 7, 2021 09:06:19.049269915 CEST	60151	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:06:19.229712009 CEST	53	60151	8.8.8.8	192.168.2.5
Apr 7, 2021 09:06:21.596417904 CEST	56969	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:06:21.608889103 CEST	53	56969	8.8.8.8	192.168.2.5
Apr 7, 2021 09:06:22.647125959 CEST	55161	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:06:22.660080910 CEST	53	55161	8.8.8.8	192.168.2.5
Apr 7, 2021 09:06:24.949235916 CEST	54757	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:06:24.964416981 CEST	53	54757	8.8.8.8	192.168.2.5
Apr 7, 2021 09:06:27.948117018 CEST	49992	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:06:27.961658955 CEST	53	49992	8.8.8.8	192.168.2.5
Apr 7, 2021 09:06:34.214905024 CEST	60075	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:06:34.227855921 CEST	53	60075	8.8.8.8	192.168.2.5
Apr 7, 2021 09:06:35.420773029 CEST	55016	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:06:35.439161062 CEST	53	55016	8.8.8.8	192.168.2.5
Apr 7, 2021 09:06:40.253118992 CEST	64345	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:06:40.266549110 CEST	53	64345	8.8.8.8	192.168.2.5
Apr 7, 2021 09:06:46.295386076 CEST	57128	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:06:46.307823896 CEST	53	57128	8.8.8.8	192.168.2.5
Apr 7, 2021 09:06:52.268774986 CEST	54791	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:06:52.282419920 CEST	53	54791	8.8.8.8	192.168.2.5
Apr 7, 2021 09:06:55.857532024 CEST	50463	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:06:55.890573025 CEST	53	50463	8.8.8.8	192.168.2.5
Apr 7, 2021 09:06:57.263880968 CEST	50394	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:06:57.446436882 CEST	53	50394	8.8.8.8	192.168.2.5
Apr 7, 2021 09:06:58.466825008 CEST	58530	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:06:58.480253935 CEST	53	58530	8.8.8.8	192.168.2.5
Apr 7, 2021 09:06:59.214893103 CEST	53813	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:06:59.227873087 CEST	53	53813	8.8.8.8	192.168.2.5
Apr 7, 2021 09:06:59.622144938 CEST	63732	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:06:59.640738010 CEST	53	63732	8.8.8.8	192.168.2.5
Apr 7, 2021 09:07:03.308799982 CEST	57344	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:07:03.322525978 CEST	53	57344	8.8.8.8	192.168.2.5
Apr 7, 2021 09:07:19.901367903 CEST	54450	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:07:20.084091902 CEST	53	54450	8.8.8.8	192.168.2.5
Apr 7, 2021 09:07:26.252872944 CEST	59261	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:07:26.265705109 CEST	53	59261	8.8.8.8	192.168.2.5
Apr 7, 2021 09:07:30.485004902 CEST	57151	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:07:30.497556925 CEST	53	57151	8.8.8.8	192.168.2.5
Apr 7, 2021 09:07:32.351288080 CEST	59413	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:07:32.364850998 CEST	53	59413	8.8.8.8	192.168.2.5
Apr 7, 2021 09:07:36.925448895 CEST	60516	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:07:36.957753897 CEST	53	60516	8.8.8.8	192.168.2.5
Apr 7, 2021 09:07:40.743916988 CEST	51649	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:07:40.926371098 CEST	53	51649	8.8.8.8	192.168.2.5
Apr 7, 2021 09:07:47.746645927 CEST	65086	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:07:47.759985924 CEST	53	65086	8.8.8.8	192.168.2.5
Apr 7, 2021 09:07:54.722879887 CEST	56432	53	192.168.2.5	8.8.8.8
Apr 7, 2021 09:07:54.735752106 CEST	53	56432	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 7, 2021 09:06:11.759711027 CEST	192.168.2.5	8.8.8.8	0x2a45	Standard query (0)	myhustle.duckdns.org	A (IP address)	IN (0x0001)
Apr 7, 2021 09:06:12.778274059 CEST	192.168.2.5	8.8.8.8	0x2a45	Standard query (0)	myhustle.duckdns.org	A (IP address)	IN (0x0001)
Apr 7, 2021 09:06:19.049269915 CEST	192.168.2.5	8.8.8.8	0xb260	Standard query (0)	myhustle.duckdns.org	A (IP address)	IN (0x0001)
Apr 7, 2021 09:06:27.948117018 CEST	192.168.2.5	8.8.8.8	0x3471	Standard query (0)	myhustle.duckdns.org	A (IP address)	IN (0x0001)
Apr 7, 2021 09:06:34.214905024 CEST	192.168.2.5	8.8.8.8	0xd042	Standard query (0)	myhustle.duckdns.org	A (IP address)	IN (0x0001)
Apr 7, 2021 09:06:40.253118992 CEST	192.168.2.5	8.8.8.8	0x64aa	Standard query (0)	myhustle.duckdns.org	A (IP address)	IN (0x0001)
Apr 7, 2021 09:06:46.295386076 CEST	192.168.2.5	8.8.8.8	0x8f51	Standard query (0)	myhustle.duckdns.org	A (IP address)	IN (0x0001)
Apr 7, 2021 09:06:52.268774986 CEST	192.168.2.5	8.8.8.8	0xd64	Standard query (0)	myhustle.duckdns.org	A (IP address)	IN (0x0001)
Apr 7, 2021 09:06:57.263880968 CEST	192.168.2.5	8.8.8.8	0x3a08	Standard query (0)	myhustle.duckdns.org	A (IP address)	IN (0x0001)
Apr 7, 2021 09:07:03.308799982 CEST	192.168.2.5	8.8.8.8	0x99f4	Standard query (0)	myhustle.duckdns.org	A (IP address)	IN (0x0001)
Apr 7, 2021 09:07:19.901367903 CEST	192.168.2.5	8.8.8.8	0xe1c9	Standard query (0)	myhustle.duckdns.org	A (IP address)	IN (0x0001)
Apr 7, 2021 09:07:26.252872944 CEST	192.168.2.5	8.8.8.8	0xd4b6	Standard query (0)	myhustle.duckdns.org	A (IP address)	IN (0x0001)
Apr 7, 2021 09:07:32.351288080 CEST	192.168.2.5	8.8.8.8	0xfd97	Standard query (0)	myhustle.duckdns.org	A (IP address)	IN (0x0001)
Apr 7, 2021 09:07:40.743916988 CEST	192.168.2.5	8.8.8.8	0x4306	Standard query (0)	myhustle.duckdns.org	A (IP address)	IN (0x0001)
Apr 7, 2021 09:07:47.746645927 CEST	192.168.2.5	8.8.8.8	0x1b09	Standard query (0)	myhustle.duckdns.org	A (IP address)	IN (0x0001)
Apr 7, 2021 09:07:54.722879887 CEST	192.168.2.5	8.8.8.8	0x43d1	Standard query (0)	myhustle.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Apr 7, 2021 09:06:12.791774035 CEST	8.8.8.8	192.168.2.5	0x2a45	No error (0)	myhustle.duckdns.org	185.140.53.9	A (IP address)	IN (0x0001)
Apr 7, 2021 09:06:19.229712009 CEST	8.8.8.8	192.168.2.5	0xb260	No error (0)	myhustle.duckdns.org	185.140.53.9	A (IP address)	IN (0x0001)
Apr 7, 2021 09:06:27.961658955 CEST	8.8.8.8	192.168.2.5	0x3471	No error (0)	myhustle.duckdns.org	185.140.53.9	A (IP address)	IN (0x0001)
Apr 7, 2021 09:06:34.227855921 CEST	8.8.8.8	192.168.2.5	0xd042	No error (0)	myhustle.duckdns.org	185.140.53.9	A (IP address)	IN (0x0001)
Apr 7, 2021 09:06:40.266549110 CEST	8.8.8.8	192.168.2.5	0x64aa	No error (0)	myhustle.duckdns.org	185.140.53.9	A (IP address)	IN (0x0001)
Apr 7, 2021 09:06:46.307823896 CEST	8.8.8.8	192.168.2.5	0x8f51	No error (0)	myhustle.duckdns.org	185.140.53.9	A (IP address)	IN (0x0001)
Apr 7, 2021 09:06:52.282419920 CEST	8.8.8.8	192.168.2.5	0xd64	No error (0)	myhustle.duckdns.org	185.140.53.9	A (IP address)	IN (0x0001)
Apr 7, 2021 09:06:57.446436882 CEST	8.8.8.8	192.168.2.5	0x3a08	No error (0)	myhustle.duckdns.org	185.140.53.9	A (IP address)	IN (0x0001)
Apr 7, 2021 09:07:03.322525978 CEST	8.8.8.8	192.168.2.5	0x99f4	No error (0)	myhustle.duckdns.org	185.140.53.9	A (IP address)	IN (0x0001)
Apr 7, 2021 09:07:20.084091902 CEST	8.8.8.8	192.168.2.5	0xe1c9	No error (0)	myhustle.duckdns.org	185.140.53.9	A (IP address)	IN (0x0001)
Apr 7, 2021 09:07:26.265705109 CEST	8.8.8.8	192.168.2.5	0xd4b6	No error (0)	myhustle.duckdns.org	185.140.53.9	A (IP address)	IN (0x0001)
Apr 7, 2021 09:07:32.364850998 CEST	8.8.8.8	192.168.2.5	0xfd97	No error (0)	myhustle.duckdns.org	185.140.53.9	A (IP address)	IN (0x0001)
Apr 7, 2021 09:07:40.926371098 CEST	8.8.8.8	192.168.2.5	0x4306	No error (0)	myhustle.duckdns.org	185.140.53.9	A (IP address)	IN (0x0001)
Apr 7, 2021 09:07:47.759985924 CEST	8.8.8.8	192.168.2.5	0x1b09	No error (0)	myhustle.duckdns.org	185.140.53.9	A (IP address)	IN (0x0001)
Apr 7, 2021 09:07:54.735752106 CEST	8.8.8.8	192.168.2.5	0x43d1	No error (0)	myhustle.duckdns.org	185.140.53.9	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ANS_309487487_#049844874.exe PID: 5688 Parent PID: 5840

General

Start time:	09:05:49
Start date:	07/04/2021
Path:	C:\Users\user\Desktop\ANS_309487487_#049844874.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ANS_309487487_#049844874.exe'
Imagebase:	0xdc0000
File size:	988672 bytes
MD5 hash:	203109AD6D2EFDCA0BF52CAB63A7CE6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.245770427.0000000004612000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.245029737.0000000004459000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 4012 Parent PID: 5688

General

Start time:	09:06:00
Start date:	07/04/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zgEmPmIdAWvDGJ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDC3C.tmp'
Imagebase:	0x13c0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5592 Parent PID: 4012

General

Start time:	09:06:00
Start date:	07/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 5404 Parent PID: 5688

General

Start time:	09:06:01
Start date:	07/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xc60000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497078079.0000000006CF0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497078079.0000000006CF0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497210658.0000000006D50000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497210658.0000000006D50000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497223355.0000000006D60000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497223355.0000000006D60000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.484801611.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.496231866.0000000006570000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.492533618.0000000004168000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497316492.0000000006DB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497316492.0000000006DB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497195825.0000000006D40000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497195825.0000000006D40000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497368728.0000000006DF0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497368728.0000000006DF0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497254796.0000000006D80000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497254796.0000000006D80000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.495352573.0000000005810000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.495352573.0000000005810000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.493121486.00000000043CC000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.493121486.00000000043CC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.488658155.0000000002FA1000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497240382.0000000006D70000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497240382.0000000006D70000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497299959.0000000006DA0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497299959.0000000006DA0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.490957634.0000000003FE9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.490957634.0000000003FE9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.496076693.00000000064E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.496076693.00000000064E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497154583.0000000006D20000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497154583.0000000006D20000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497176371.0000000006D30000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.497176371.0000000006D30000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 4904 Parent PID: 5404

General

Start time:	09:06:06
Start date:	07/04/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp6007.tmp'
Imagebase:	0xdd0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5864 Parent PID: 4904

General

Start time:	09:06:07
Start date:	07/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 4132 Parent PID: 5404

General

Start time:	09:06:08
Start date:	07/04/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp6940.tmp'
Imagebase:	0x7ff797770000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4500 Parent PID: 4132

General

Start time:	09:06:09
Start date:	07/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 5400 Parent PID: 904

General

Start time:	09:06:10
Start date:	07/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
Imagebase:	0xb30000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5564 Parent PID: 5400

General

Start time:	09:06:11
Start date:	07/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 5824 Parent PID: 904

General

Start time:	09:06:11
Start date:	07/04/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x40000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5864 Parent PID: 5824

General

Start time:	09:06:11
Start date:	07/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6360 Parent PID: 3472

General

Start time:	09:06:19
Start date:	07/04/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x2a0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6368 Parent PID: 6360

General

Start time:	09:06:19
Start date:	07/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: ANS_309487487_#049844874.exe PID: 5688 Parent PID: 5840 ANS_309487487_#049844874.exeCOMMON

Executed Functions

Function 031999C1, Relevance: 2.7, Strings: 2, Instructions: 221COMMON

Download Yara Rule

Strings

ya[, xrefs: 03199C0E
VF', xrefs: 03199BBE

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID: ya[$VF'
API String ID: 0-911011452
Opcode ID: 032cd5b788bd2dbe2c24f2e8b6235acb63d6ff32417064de6f16e352fe00a0a9
Instruction ID: b980d10047b40ffb30113b0e804460fe344b53562078c6a92f31b47a5333bd21
Opcode Fuzzy Hash: 032cd5b788bd2dbe2c24f2e8b6235acb63d6ff32417064de6f16e352fe00a0a9
Instruction Fuzzy Hash: 86918C70E1A218CFDF18CFA5D98199DFBB6FB8D310F21A52AD406BB254D73499828B04

Uniqueness

Uniqueness Score: -1.00%

Function 03199AE2, Relevance: 2.6, Strings: 2, Instructions: 136COMMON

Download Yara Rule

Strings

ya[, xrefs: 03199C0E
VF', xrefs: 03199BBE

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID: ya[$VF'
API String ID: 0-911011452
Opcode ID: c03cdd30f937d79823c48112c606c2a041e0930907621aaccee0261bae4153d9
Instruction ID: 46a9258e26cd531e3d61cb0def868a456c65fe5d263735428fc8c30f024d1e8c
Opcode Fuzzy Hash: c03cdd30f937d79823c48112c606c2a041e0930907621aaccee0261bae4153d9
Instruction Fuzzy Hash: 66515C70E06218DFEF58CFA5D98199DFBB2FB89210F21A52AD406BB254D73499828B14

Uniqueness

Uniqueness Score: -1.00%

Function 03193158, Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

=3, xrefs: 031933AD

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID: =3
API String ID: 0-214920196
Opcode ID: 818cb98c4f1c5febff34a2510e5a36888f5e4ad3b051aaa9fd74baa0d6e1a629
Instruction ID: 90c293faca13d5219d80812a8218fda2f3608e167e4066fc19fbf4f32c0ba8c3
Opcode Fuzzy Hash: 818cb98c4f1c5febff34a2510e5a36888f5e4ad3b051aaa9fd74baa0d6e1a629
Instruction Fuzzy Hash: 04B11878E04219CFDF08CFEAC54059EFBF2AF8D310F25856AD419EB259D73499818B64

Uniqueness

Uniqueness Score: -1.00%

Function 0319314A, Relevance: 1.5, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

=3, xrefs: 031933AD

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID: =3
API String ID: 0-214920196
Opcode ID: db7f7e3fc0c9f28369fd2094683404a3514ac8037bcb4cd3119a2f78badfb617
Instruction ID: de8226dcfc33d2b72978a568e0e1a3f6be3d00ecf754a5b2ac783a0af075c111
Opcode Fuzzy Hash: db7f7e3fc0c9f28369fd2094683404a3514ac8037bcb4cd3119a2f78badfb617
Instruction Fuzzy Hash: 0CA14978E052198FDF08CFEAC54059EFBF2AF8D310F25856AC418EB259DB349985CB64

Uniqueness

Uniqueness Score: -1.00%

Function 07F30040, Relevance: .9, Instructions: 927COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257037007.0000000007F30000.00000040.00000001.sdmp, Offset: 07F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720a2da82cc75eadc4130e822b653bb29c7b18c60d4d1c14081ad01156e895bf
Instruction ID: 934e9eda789b10b35fb1cf520a0de0ba01643d3ac60fddab18e1d69fb8bc102e
Opcode Fuzzy Hash: 720a2da82cc75eadc4130e822b653bb29c7b18c60d4d1c14081ad01156e895bf
Instruction Fuzzy Hash: 8BA22771E102198FCB25DB68CC546DDB7B2FF89300F1482AAD80AA7355EB74AE95CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03191BDF, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a073d5b9d206ddd64f83174a727ff31a8f605ba0e25fe4dd57f70a5acae4b85c
Instruction ID: 49f18bff7903fcd04875e23b3fcab1c53f4e85332e1f00de0500e80927520e93
Opcode Fuzzy Hash: a073d5b9d206ddd64f83174a727ff31a8f605ba0e25fe4dd57f70a5acae4b85c
Instruction Fuzzy Hash: 38C19B34914245EFDB04CFB8E584A8CBBF2FF49714B1994BAE404DB226DB34A986CF11

Uniqueness

Uniqueness Score: -1.00%

Function 03191C98, Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9853a8566188ecec012ca652ec571761c3ff73a9c12e23cc05e77a031f1d11a2
Instruction ID: 056c5e5e42a56e2ae38f5647748f55cf0ff190a4ffc4d1be5a83b2488210403a
Opcode Fuzzy Hash: 9853a8566188ecec012ca652ec571761c3ff73a9c12e23cc05e77a031f1d11a2
Instruction Fuzzy Hash: A7914870A14209EFEB04DFA4E58598DBBF2FB48711F19D47AE009DB226DB34A981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03195BC2, Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e60325d1f2abbc9905e685cb025d171b9784c9c64f558f5e06020d2ce480fad9
Instruction ID: 376f6f6050dc5e4f6efd3c374cfa1b3cd8f8e85173262b7824e0596c584c8677
Opcode Fuzzy Hash: e60325d1f2abbc9905e685cb025d171b9784c9c64f558f5e06020d2ce480fad9
Instruction Fuzzy Hash: 7D81F274E142099FDB08DFE5D9455AEBBB2FF89300F20842AE816BB358DB349946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 03195BD0, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14aa22c9fcc77a9a86a72a4ed32e8c288b410a5402cdd2c7ebd83860729cca68
Instruction ID: c792df0c6a0541ccd14e877326744686fed5644568c42bf29cf99512fc242d0a
Opcode Fuzzy Hash: 14aa22c9fcc77a9a86a72a4ed32e8c288b410a5402cdd2c7ebd83860729cca68
Instruction Fuzzy Hash: A881D074E142099FDB08DFE5D9455AEBBB2FF89300F20842AE816BB358DB349946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 031975DF, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445fa67b37c2be0581d2e513d43d5e9717d2ce6584b855238e0c0b585b19041d
Instruction ID: 528d03b09aa9cd1c034d2e4cfd241e138a69984786d93312dbe1a4b56992472b
Opcode Fuzzy Hash: 445fa67b37c2be0581d2e513d43d5e9717d2ce6584b855238e0c0b585b19041d
Instruction Fuzzy Hash: E1612C74E26208DFEF08CFA9D6846EDFBB2EF89310F24A42AD405B7294D73489418B14

Uniqueness

Uniqueness Score: -1.00%

Function 031975F0, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897ca1ee41efc8981565d9a97c2bce97be4d174c847184dfd72f045faa6b62f5
Instruction ID: 7a5479e7ae0927035069c1d52aa27530f4a3bfdc1dcc50d5d8fa15b8911fcc2c
Opcode Fuzzy Hash: 897ca1ee41efc8981565d9a97c2bce97be4d174c847184dfd72f045faa6b62f5
Instruction Fuzzy Hash: B1612D74D26208DBEF08CFA9D5846EDFBB6EF8D310F24A42AD405B7294D77489418B14

Uniqueness

Uniqueness Score: -1.00%

Function 03195F68, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b22d3f8ed7a6c76203dab787435ad15b1caa46a2f52bb14e9db2da5b57334a0
Instruction ID: 0e11997a976cb9667958e47fc0a0d0b4e3fbca3de91a0d993f56c1089099734a
Opcode Fuzzy Hash: 1b22d3f8ed7a6c76203dab787435ad15b1caa46a2f52bb14e9db2da5b57334a0
Instruction Fuzzy Hash: 11416570E05249AFDF09CFA9D5805EEBBF2EB8E210F10986AD011F7258D7389A41CF65

Uniqueness

Uniqueness Score: -1.00%

Function 03195F78, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15fc87961adc8233b6db720f8ffec64290c05dc109bd4512b312199aee640665
Instruction ID: 2ec7cd81011cd29c2b35cbb1f312b2627446ab9c6912682a193dc8883d77832c
Opcode Fuzzy Hash: 15fc87961adc8233b6db720f8ffec64290c05dc109bd4512b312199aee640665
Instruction Fuzzy Hash: CD413370E05209EFDF08CFA9D5805EEBBF6FB89210F10982AD015B7258D7349A41CF65

Uniqueness

Uniqueness Score: -1.00%

Function 03198F1E, Relevance: 1.6, APIs: 1, Instructions: 150processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 0319907B

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: babb72174f3ba7c37d4019bb97fb6b7cdd4d3e2dc3d2b5eafbbd475657889d8e
Instruction ID: 54b8ec9d46b5239b501e7bc2cededdee53f44cc28faf03daad5f7938ebc187b2
Opcode Fuzzy Hash: babb72174f3ba7c37d4019bb97fb6b7cdd4d3e2dc3d2b5eafbbd475657889d8e
Instruction Fuzzy Hash: C95105719003699FDF20CF95C880BDDBBB6BF88314F1581AAE908B7250DB715A89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 03198F28, Relevance: 1.6, APIs: 1, Instructions: 143processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 0319907B

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 601aa478657fdb0a9ca971afeb13027d88a73e507e8031c71284bfc4a24aed55
Instruction ID: 7546e03aca7c1ab80ec1c496de467189d4ab5e6def44d86497599ca70f4c42e4
Opcode Fuzzy Hash: 601aa478657fdb0a9ca971afeb13027d88a73e507e8031c71284bfc4a24aed55
Instruction Fuzzy Hash: 2A51F4719003699FDF20DF95C880BDDBBB6BF88314F1580AAE908B7210DB755A89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07F33344, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07F33E0D,?,?), ref: 07F33EBF

Memory Dump Source

Source File: 00000000.00000002.257037007.0000000007F30000.00000040.00000001.sdmp, Offset: 07F30000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 716c072cbb16960884da7b3d1c1dd5decfd005a570542728d7dff66430456eb2
Instruction ID: e6db349595324c9e44c820f23b0875e342f8d00f0e1eaf6e3af7f769303add56
Opcode Fuzzy Hash: 716c072cbb16960884da7b3d1c1dd5decfd005a570542728d7dff66430456eb2
Instruction Fuzzy Hash: FE31C3B5D01249AFCB10DF99D884ADEBBF4FF58320F18852AE915A7310D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07F33E22, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07F33E0D,?,?), ref: 07F33EBF

Memory Dump Source

Source File: 00000000.00000002.257037007.0000000007F30000.00000040.00000001.sdmp, Offset: 07F30000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: dcd2b423290f33037182471a3a1cace784c7514289e5b25e85cfd3802d6cf22b
Instruction ID: e2a578f26217e1eef76f699d93a1a8c708b3fff5eb238937e21bdddd94c57577
Opcode Fuzzy Hash: dcd2b423290f33037182471a3a1cace784c7514289e5b25e85cfd3802d6cf22b
Instruction Fuzzy Hash: DA31C0B5D012499FCB10CF9AD884ADEBBF4FF58324F18842AE915A7310D774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 031994C8, Relevance: 1.6, APIs: 1, Instructions: 66injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0319955D

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e71377e85fe29c54621f2080263579e44ad7154068b23c924dd1859155f2d157
Instruction ID: 957d71eec21f4403145003c6cb670eb6c5e5aae9131c9da29827f45934fc4a1a
Opcode Fuzzy Hash: e71377e85fe29c54621f2080263579e44ad7154068b23c924dd1859155f2d157
Instruction Fuzzy Hash: 6E2125B1900249DFDF00CFA9D884BDEBBF4FB48310F04842AE958E3250D378A644CB60

Uniqueness

Uniqueness Score: -1.00%

Function 031994D0, Relevance: 1.6, APIs: 1, Instructions: 65injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0319955D

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d24cbf5f0d5b7a72a2d8a15f5a086bdbae1e9c516a0990b52d2d8cd7504305ff
Instruction ID: 23210f87b95e4a80893bddc5907cce74e9c673e33341e7cbb59b83e13ee236d0
Opcode Fuzzy Hash: d24cbf5f0d5b7a72a2d8a15f5a086bdbae1e9c516a0990b52d2d8cd7504305ff
Instruction Fuzzy Hash: 2F21E4B1900359DFDF10CFAAD885BDEBBF4FB48314F54842AE918A3250D774AA44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03199350, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 031993D7

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 06b4da8042c80c55fc30cecb0d1b2f8167694c6beef3479b8a41c03a5136d330
Instruction ID: 616ae612d7f283310c28949216015d472dd1430220390ad681e8ed34e8d7ed3f
Opcode Fuzzy Hash: 06b4da8042c80c55fc30cecb0d1b2f8167694c6beef3479b8a41c03a5136d330
Instruction Fuzzy Hash: 5A21E0B19012599FCB10CFAAD884BDEBBF4FB48320F14842AE958A7251D374A644DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03199358, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 031993D7

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fb1481e23802f861c7a3f1377e943281cf792d832ed823f468d6f48bc5164b66
Instruction ID: 2f4613937d2ad9658d658060045c0667a3920fb7c55ca5b48933c6d2c35d4d27
Opcode Fuzzy Hash: fb1481e23802f861c7a3f1377e943281cf792d832ed823f468d6f48bc5164b66
Instruction Fuzzy Hash: 5621D0B1901259DFCB10CFAAD884ADEBBF4FB4C320F14842AE958A3250D374A644DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03199291, Relevance: 1.6, APIs: 1, Instructions: 59threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0319930F

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 4fbc114bb35fb5ac9d3c7dd7611df81df9f05ba700f7fb1bab30cf332d9661d0
Instruction ID: b42a08d0473774421fc3aefcf8d4941590fbf0c9de5a8c8c972114e6893a14fc
Opcode Fuzzy Hash: 4fbc114bb35fb5ac9d3c7dd7611df81df9f05ba700f7fb1bab30cf332d9661d0
Instruction Fuzzy Hash: E72113B1D006599FDB10CFAAC885BEEFBB4FB48324F14812AD418B3640D778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03199298, Relevance: 1.6, APIs: 1, Instructions: 58threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0319930F

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 784dadbba829325d006bd4dd47dcc21ebfd6d768d081644f034c8fc0be7e5a07
Instruction ID: 8821eeed76826219663eccb2407d57e509f6a75db89f03f86f49ed87a603db7f
Opcode Fuzzy Hash: 784dadbba829325d006bd4dd47dcc21ebfd6d768d081644f034c8fc0be7e5a07
Instruction Fuzzy Hash: D421F4B1D006599BDB10CFAAC8857EEFBB4BB48224F55812AD418B3640D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03199420, Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 03199493

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 66cd43e4d319ce297c51fab6edaf5acdafb3ca4d59cb634cb898644f8fc98bed
Instruction ID: e27b25a1ead9b1f02bf08afc166c2c913a7d26f47d2ae47107bb16297fddbeb1
Opcode Fuzzy Hash: 66cd43e4d319ce297c51fab6edaf5acdafb3ca4d59cb634cb898644f8fc98bed
Instruction Fuzzy Hash: 2211E275900249DFCB20CF9AD884BDEBBF4FB88324F14841AE529A7210C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03199428, Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 03199493

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e5204582a5dfcfa101efa33b6fad784601e9852dd631770d128c34675ba1d6d6
Instruction ID: adb5884c989e2bb7819412de22ddf5d25af781ffb9291c090fc3b43a59322114
Opcode Fuzzy Hash: e5204582a5dfcfa101efa33b6fad784601e9852dd631770d128c34675ba1d6d6
Instruction Fuzzy Hash: 4F11E0B5900289DFDB10DF9AD984BDEBBF4FB88324F14841AE528A7210C775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0319A218, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0319A97D

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: eba553f8343e8df07ab284da8981c5107fc63f024aff61866f905aa7f05374aa
Instruction ID: 9d648fed581d4f3b047351261eeee45f0ee651d25fb80a182516e1c079ffea4e
Opcode Fuzzy Hash: eba553f8343e8df07ab284da8981c5107fc63f024aff61866f905aa7f05374aa
Instruction Fuzzy Hash: CD11F2B58003499FDB10DF99D488BDEBBF8FB88320F15841AE958B7200C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0319A91A, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0319A97D

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a8496dc8257ca85a24d68dca8163f3a586ea72ca5913a66fe7ef9202d7622dec
Instruction ID: 2722fc39a2be2a7c37037128afe6128a57e9a553f384ea7d9bf417d3fd446ace
Opcode Fuzzy Hash: a8496dc8257ca85a24d68dca8163f3a586ea72ca5913a66fe7ef9202d7622dec
Instruction Fuzzy Hash: 4811F2B59002499FDB20CFA9D889BDEFFF8FB98320F15841AE554A7200D374A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03199682, Relevance: 1.5, APIs: 1, Instructions: 46threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 031996E7

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2dd4768f9d75b5f5078baac4e728a6235dffae45259cf25db6b9fae4e16099de
Instruction ID: fb7f7f8667184c55cfee9f04cdb6e1f63a54424b6ffcd044ee7c361562a201a3
Opcode Fuzzy Hash: 2dd4768f9d75b5f5078baac4e728a6235dffae45259cf25db6b9fae4e16099de
Instruction Fuzzy Hash: CD1112B1900259CFDB10CF9AD484BDEFBF4EB88324F25841AD558B7250C774A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 03199688, Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 031996E7

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 91754fad04649759736673231856ea94b74327aa6c6875d091a1a2614bfa754e
Instruction ID: 15268a1c3552e88a1fb7580d623016d8cdbe393dbb9324678089e816ff75c58f
Opcode Fuzzy Hash: 91754fad04649759736673231856ea94b74327aa6c6875d091a1a2614bfa754e
Instruction Fuzzy Hash: FE111EB1800289CFCB10DF9AD488BDEFBF8EB88324F24841AD518B3200C774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05934C0A, Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

u$:, xrefs: 05934C4B

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID: u$:
API String ID: 0-2594130877
Opcode ID: 12b8d3cb08141d2be39a148135922f64041dccd2edbc36e4dd7b96cc7a101e0a
Instruction ID: cca155f7236d14516863bfbdfa8bfbebe6f40c871c0b76777057ce9afbe21e54
Opcode Fuzzy Hash: 12b8d3cb08141d2be39a148135922f64041dccd2edbc36e4dd7b96cc7a101e0a
Instruction Fuzzy Hash: C231F1356043108FC701DF68C8594AEBBE2EF8520471989AED819DB3A5DB34EC0ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 059378D0, Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55e63ad2909a4849b02b33718350e52899db0147752d3ee1f8dc04fa2d41e4d
Instruction ID: 436dcd56316052c329bdc3a3fbaf763efc637d25371557e37a48362a3092a6e0
Opcode Fuzzy Hash: c55e63ad2909a4849b02b33718350e52899db0147752d3ee1f8dc04fa2d41e4d
Instruction Fuzzy Hash: 26723031910609CFCF14EF68C855AEDB7B1FF55304F008699D54AAB269EB30AAC9CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05939148, Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 641da71559c0ac272d444f0bfc2a1f0d2f2d7d72e30ccd8c9db98182834395b0
Instruction ID: 745eba5fc080b745d76d40714aa2e5a76028983ef1b7d21b799de14052b5b29d
Opcode Fuzzy Hash: 641da71559c0ac272d444f0bfc2a1f0d2f2d7d72e30ccd8c9db98182834395b0
Instruction Fuzzy Hash: 53223834A10618CFCB14DF69C884BACB7B2FF89304F1485A9D90AAB3A5DB71AD45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 059348C8, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4756c6d767ab204f46119ebcbea62d29bf7ae961adc2c35ad58bf69b4c3d6e7a
Instruction ID: a56200a74cc4cf7fbdc6af15cfc6015ae4014aaab8a705c2e1057b7867bbb00d
Opcode Fuzzy Hash: 4756c6d767ab204f46119ebcbea62d29bf7ae961adc2c35ad58bf69b4c3d6e7a
Instruction Fuzzy Hash: D1816775E002189FCF04DFA9C884AEEBBF6FF88304F15852AD409AB354EB749845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05937260, Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602378072d5297b8d4e778b85371c774d4fb561e0868a432b58616cf6ab93bad
Instruction ID: a98988e949716b46a7cb94437fb8a7dfebf6018d0962af1a08e4e854bb35307b
Opcode Fuzzy Hash: 602378072d5297b8d4e778b85371c774d4fb561e0868a432b58616cf6ab93bad
Instruction Fuzzy Hash: 9091F77190071ADFCB01DFA8C884999FBF5FF49310B14979AE819AB256E730E985CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0593D970, Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7599ba7ca5349c75e60339bf2d42d9cff1bd235ca7d503e391538ca20ebe88ff
Instruction ID: ea50cb0e2b645265fdb21d852e3152e74a1a957753e30e6db35939866f159ca0
Opcode Fuzzy Hash: 7599ba7ca5349c75e60339bf2d42d9cff1bd235ca7d503e391538ca20ebe88ff
Instruction Fuzzy Hash: 46912C32900B06CBDB11EF78D894595B7B1FF99314B15CB6ADC997F226EB30A590CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0593D980, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00a2f561248a93112d547d7b50b40c245c5c785238d7f35b76c1672b27988bd2
Instruction ID: 9e2fd03f0836edd6a34451c4e7befa426ca5072983850b1c0016b49893d9e408
Opcode Fuzzy Hash: 00a2f561248a93112d547d7b50b40c245c5c785238d7f35b76c1672b27988bd2
Instruction Fuzzy Hash: EA910B32900B06CBDB11EF78D894595B3B1FF99314B15CB6ADC997F216EB70A990CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05930872, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248c31d1b9e8657475939536e2dcf0d948f75ed183d605a0947c1ebbef608ff2
Instruction ID: 3c395d8a76a03ce80b29c9d766d527fa2be5bc4ad7abf0cc5c82fd2f045015b1
Opcode Fuzzy Hash: 248c31d1b9e8657475939536e2dcf0d948f75ed183d605a0947c1ebbef608ff2
Instruction Fuzzy Hash: 5D71CC78600A00CFC718DF29C59895ABBF2BF8920471589A9E54ACB372EB31EC41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05930690, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b76d34dffd9c0e2b4fc2727d8b377a71847c886acd742beda9ecb82ae43d9bb
Instruction ID: a3757ec01d911a9cf8410e3a818610dd69ee14f4f9f0d9852e91f30aa6fac5d3
Opcode Fuzzy Hash: 0b76d34dffd9c0e2b4fc2727d8b377a71847c886acd742beda9ecb82ae43d9bb
Instruction Fuzzy Hash: F0719274A00206CFCB44CF69C585999FBF5FF49314B1986A9E80ADB312D734E885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0593BB10, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22791030a139bf49ba0487ee6a194543fb52cfd7e3b60f595b85dcd01f5a070
Instruction ID: 0b1271c5fda93ce01db70d621cdb05d8d345ed0e32e67e605c341d2603d68241
Opcode Fuzzy Hash: e22791030a139bf49ba0487ee6a194543fb52cfd7e3b60f595b85dcd01f5a070
Instruction Fuzzy Hash: EC518730A04618CFCB28DF28D495AAEB7F6FF89704B158569E406DB3A5DB34AC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05939138, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b829ccbe2c313f69b38b642c3b8d926853a97a994c8919643a41f4bd2b4a4eb
Instruction ID: 6bc077102d6d5e0f111de360591b4a44853c93df4c65f6ed50020947e7faffc7
Opcode Fuzzy Hash: 7b829ccbe2c313f69b38b642c3b8d926853a97a994c8919643a41f4bd2b4a4eb
Instruction Fuzzy Hash: CD516B30704604CFDB14EF69C498BADB7E6AF89314F0585BDD916AF3A5DB70AC048B61

Uniqueness

Uniqueness Score: -1.00%

Function 05933C54, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4910f80c284f574e71b2d9f5a850b13c80d2c05a3000b3114e3de458a4215890
Instruction ID: 897d641dec079c40ef91ede62055aa576af1e6a690157536b920290501e21650
Opcode Fuzzy Hash: 4910f80c284f574e71b2d9f5a850b13c80d2c05a3000b3114e3de458a4215890
Instruction Fuzzy Hash: 91518371E002599FCF14DFA9C849AAFBBFAEFC8304F05841AE515E7250EB789905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05937250, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e2bbf1f428b25e3bbd5407ce6091087b6c320e59bfe22a945b6254411277d5
Instruction ID: 8d310c1fb7fee934b150bf6769d4b3f502bd653ad16236cb437f34987caa512f
Opcode Fuzzy Hash: d5e2bbf1f428b25e3bbd5407ce6091087b6c320e59bfe22a945b6254411277d5
Instruction Fuzzy Hash: 0B612C7191070ADFCF41DFA8C884999FBB1FF49320B14979AE859EB255E730E985CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05939EA0, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b7a8b4315c384d41e055b5352b1bf623b49404b6a52a3fb8961a50c1f2571e
Instruction ID: b42783a87a9e3a4376f42983328268fd98d787825633a59f0182d66aa2d59d61
Opcode Fuzzy Hash: d4b7a8b4315c384d41e055b5352b1bf623b49404b6a52a3fb8961a50c1f2571e
Instruction Fuzzy Hash: 844106307081248FCB19AB35942963E76EBAFC561871540BADA06CF395EF74CC02C3E6

Uniqueness

Uniqueness Score: -1.00%

Function 0593A938, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef2e145fbd252d0f6e7724ed4bda247652f5571e9035de9d7419dec9cd37de32
Instruction ID: fcde4dac1317680f5c97385e76d7233999782fdb17567e6905a5bd55fa5a9f1c
Opcode Fuzzy Hash: ef2e145fbd252d0f6e7724ed4bda247652f5571e9035de9d7419dec9cd37de32
Instruction Fuzzy Hash: FC418E32D1174A9BDB10EFB4E8406DDB7B2FF95304F218A1AE504BB255EB70A995CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05934D14, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1437f5a05b6b0ef7e717fdf1201fcce4b1f24cd0416feb80a284c20cf173b29
Instruction ID: fc3bfb593731e57b7e4ac412a76878bd5585867095e8e55955a13024378c6aaf
Opcode Fuzzy Hash: e1437f5a05b6b0ef7e717fdf1201fcce4b1f24cd0416feb80a284c20cf173b29
Instruction Fuzzy Hash: C84112B1D00258CFCF20CFA9C585ACDBBB1BF48304F26846AD409BB210D7756A4ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 0593A948, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd1aacfdd0ecaa31d2d8de934e43a4f1b092bb3cb41e8ca17c37ee8e49e3e97
Instruction ID: 794f4cd13b429cde366ae201d4fb0f8e93354b01646bb13333f20df21d3a7f83
Opcode Fuzzy Hash: ebd1aacfdd0ecaa31d2d8de934e43a4f1b092bb3cb41e8ca17c37ee8e49e3e97
Instruction Fuzzy Hash: 3C418F32D1170A9BDB10EFA5E8406DDB7B2FF95304F618616E504BB254EB70B995CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0593B760, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19acd153f7477ada3a44b16c17af8eebaa529c39523c515fd547a3de8c97e2b5
Instruction ID: 5b48458a0fd7066e0ef57d4e3d0e48ce7d37eddbf5e7cc633bf44b4266970ab0
Opcode Fuzzy Hash: 19acd153f7477ada3a44b16c17af8eebaa529c39523c515fd547a3de8c97e2b5
Instruction Fuzzy Hash: 6A31D334614605CFE734CF28C486A6AB7E7FB84240F184E6AE597CBA60D778E844CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05934D20, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b4acc48f340ed84e73300bb9b551a7ab8dc54754f487b3f75650178db5f688
Instruction ID: 4d6766825b21df374a9fc3fc60db9a833acdb6a19c7589241994756dd0906d3e
Opcode Fuzzy Hash: 96b4acc48f340ed84e73300bb9b551a7ab8dc54754f487b3f75650178db5f688
Instruction Fuzzy Hash: 2D41DFB1D0025CCBDF20DFA9C589ADEBBB5BF48304F65852AD409BB240D7756A4ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 05930682, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1820aaaf15f1d5312e6d502c634224fcf21fd0ebbcc3c292290ce7265168fa
Instruction ID: 5f2f1c507b688a4789453118b68363a23a08f0ed2e7777f7358f65e583920981
Opcode Fuzzy Hash: aa1820aaaf15f1d5312e6d502c634224fcf21fd0ebbcc3c292290ce7265168fa
Instruction Fuzzy Hash: 11410874A04246CFCB14CF68C589A99FBF5FF49310B1986A9D84ADB352D734E885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05933C48, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc99c677a0bb476fbadbd567e56c1a758c01d109aa395bd5bab7281bfcefc05e
Instruction ID: b7cbd941e6c3d15daf0ee5bff6f18307a43cd6f5ffe6ff9f61c2eae2db9a4480
Opcode Fuzzy Hash: dc99c677a0bb476fbadbd567e56c1a758c01d109aa395bd5bab7281bfcefc05e
Instruction Fuzzy Hash: 3441BDB0D10358DBCB14CFAAD889ADEFBB5FF88314F25812AE419AB214DB755845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05934878, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e9a0dcc59de1d761c3f8d8448b53942c9638dbc2ad00b28f4efe2a90db2a860
Instruction ID: ee26fc5d4c4b2604abcf2ca552d664b61d759bb4c30cda2e6d52f04e8c139e0b
Opcode Fuzzy Hash: 7e9a0dcc59de1d761c3f8d8448b53942c9638dbc2ad00b28f4efe2a90db2a860
Instruction Fuzzy Hash: FB310771E082458FCF05CFB888906EE7BB6FF99204F1545ABC505EB292EB348909C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0593BC1B, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92df90363af35ddb2e212473c4398e99f6795f0a06de11cd1c0cd53f83cbcd0
Instruction ID: 077f5a2b8645ed5ade46ff416c2e51aceefe0c90c02ddf6837098c3f499726ed
Opcode Fuzzy Hash: f92df90363af35ddb2e212473c4398e99f6795f0a06de11cd1c0cd53f83cbcd0
Instruction Fuzzy Hash: D4316D357046148FC729DB28D459A6E37E6FF89704B1541AAE106CB3B5EB38EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0593D6B0, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6848ee8ec8539421f7b6016b66ac05fcc659fd711ef4a0d6562094ff3d932c
Instruction ID: e7f88b9a6b5737ca18ee165036dd3b23314e12b6371d89e7913ec94a6b5696d3
Opcode Fuzzy Hash: 8c6848ee8ec8539421f7b6016b66ac05fcc659fd711ef4a0d6562094ff3d932c
Instruction Fuzzy Hash: CB21B0757046108FCB08EB69D02496D77EAFFC826471540BAE90ACB361EF31DC01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05935F70, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09f24953e4e34141d6672ae3f55edd34278cf77c535c2acfabeee6cf64158d2
Instruction ID: 43a92c5046024213a3c082785c0f1359b374f02f1d9ad184d0f87f105e377ab4
Opcode Fuzzy Hash: f09f24953e4e34141d6672ae3f55edd34278cf77c535c2acfabeee6cf64158d2
Instruction Fuzzy Hash: 543138B5E00348DFCB10CFAAC845A9EBBF9EF88224F15846AD559E7310D774A905CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0593BB00, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c661f6a142c02a32876fc22043241275a21837eabda71a49bbb662654b6f7d5e
Instruction ID: cfd30fc6a0c5d66ecfda486c6cf8a28de4ba7f96890d5ae19ab59e7b814c18c9
Opcode Fuzzy Hash: c661f6a142c02a32876fc22043241275a21837eabda71a49bbb662654b6f7d5e
Instruction Fuzzy Hash: 77319331A0161ADBCB24DF68C481A9EB7F6FF99700F14892DE406AB394CB71EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05934E98, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c474e629fe5ee9989b6e141f8d6270083a0cd7a0dae322c09d3454ee59f600f
Instruction ID: 7b38a434d53c77633c4879ac36a802c4cb6e468cef30141f8aaca79bb6e78fbb
Opcode Fuzzy Hash: 2c474e629fe5ee9989b6e141f8d6270083a0cd7a0dae322c09d3454ee59f600f
Instruction Fuzzy Hash: 41218B71B001559FDB10DBA9CC059BFBBFAEFC8300B14856AE559E7260EA749E01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0593BD40, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c08031a1a0a239641f42c6f3cf87359324608a3e5f7e12d3b2557d37f5800a
Instruction ID: 1332243357146a510ab7779b2931bf00c9a4aa8a5f43a9b01b5537a4a0c7e053
Opcode Fuzzy Hash: 47c08031a1a0a239641f42c6f3cf87359324608a3e5f7e12d3b2557d37f5800a
Instruction Fuzzy Hash: 9B314531300605DFC758EF3AC585A1AB7E6FF89A15B5145AED14ACB7A0DB71EC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0593E650, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c6cc242fb05875c450b80c9dd6372d045314ac89df1fb6fd7c6b4045e607bb9
Instruction ID: bee30a6c272cb3e99bc7e53409beb74ea519551fde60dd0e9765bb883e0470a7
Opcode Fuzzy Hash: 2c6cc242fb05875c450b80c9dd6372d045314ac89df1fb6fd7c6b4045e607bb9
Instruction Fuzzy Hash: 3B2144343106218FEB08AB24C459BAD37DAEFC5B00F14806DD5068F7E5CEE5EC418791

Uniqueness

Uniqueness Score: -1.00%

Function 05936640, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771379e743d6ccb5cb509472adcc5456918e148bef8bc78145cf4b9301e331f9
Instruction ID: d988963010a0aa33dbf281cd6c8c5eef69852e64683587fd835f8df4bcb10f21
Opcode Fuzzy Hash: 771379e743d6ccb5cb509472adcc5456918e148bef8bc78145cf4b9301e331f9
Instruction Fuzzy Hash: 493189B6A00244DFDB10CF99D985B9EBBF4FB88324F14846AE419E7310C734A905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0593B750, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948004bcd1364e4a81fdfec9ecbe30ebbca3daf012a258bb51c1603f6329cff3
Instruction ID: 8ea7c8f67efaba7a53536aae138f0f86351724e1db1974398ba0ecbb3712d7ca
Opcode Fuzzy Hash: 948004bcd1364e4a81fdfec9ecbe30ebbca3daf012a258bb51c1603f6329cff3
Instruction Fuzzy Hash: 83212634614605CFD730CF28C486A2AB7E6FF85204B094E6AE486CB661D774E8048B90

Uniqueness

Uniqueness Score: -1.00%

Function 05930BD0, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd4e92562f80bc187c1a1b5a01e9cb39af12b1241194ac5eb86b294f64846f7f
Instruction ID: 362aa5088041cef6b37910f00b73f216cb30686468f5f43d2297f0e30d0a6309
Opcode Fuzzy Hash: dd4e92562f80bc187c1a1b5a01e9cb39af12b1241194ac5eb86b294f64846f7f
Instruction Fuzzy Hash: AD314834A08219CBDF10DBA9D84AAEEBBF9EB49314F114565D901FB360DB749D80DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0145D4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243068172.000000000145D000.00000040.00000001.sdmp, Offset: 0145D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 045248427338a87a4f87875c5d94b129e5c8e64568f64b8e634767f7e27de3c6
Instruction ID: 9a759509e1b69670e7579f6f441f4b45296fa368dc8e058b2c9606fa0704efab
Opcode Fuzzy Hash: 045248427338a87a4f87875c5d94b129e5c8e64568f64b8e634767f7e27de3c6
Instruction Fuzzy Hash: 8221F4B1904248EFDB45DF54D8C0B2BBF65FF8821CF24856AED054A217C336D846C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 0593E660, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5287957d281a189fb9e282f2fc309e953f642b95478cf620bc8aa8eed815c501
Instruction ID: 47d1b0ff9798c81b01198e8992ac6c3c55a27b33469997b3775f5d49fdd304ee
Opcode Fuzzy Hash: 5287957d281a189fb9e282f2fc309e953f642b95478cf620bc8aa8eed815c501
Instruction Fuzzy Hash: FF2142343206218FEB48AB69C459BAE37DABFC5B00F14406DE5068F7E5CEE5EC418791

Uniqueness

Uniqueness Score: -1.00%

Function 0593BD30, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed590561840322e7aa7ddba42d4e31808e1c576f7174fc3e557987c27f57f5ce
Instruction ID: b886005f515d59007a2aa47258674d955f40d40c300024b855b167800e73abfd
Opcode Fuzzy Hash: ed590561840322e7aa7ddba42d4e31808e1c576f7174fc3e557987c27f57f5ce
Instruction Fuzzy Hash: C3217A30300605CFC728DF3AD495A5AB7E6FF89605B5145AED14ACB7A0CB71EC01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0593B590, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a7ceb8a7804cd37a698ede7f803eca6381be77089f0ad9d97c468e5e387213
Instruction ID: 09a0806cce642ef84a70389c224426ab9b71a8a909931072439ae6807a7d2371
Opcode Fuzzy Hash: d3a7ceb8a7804cd37a698ede7f803eca6381be77089f0ad9d97c468e5e387213
Instruction Fuzzy Hash: 6111EE357106204BEB04AB39D41276A72EBEBC5B08F14442EE546DFBE1CEF9EC014791

Uniqueness

Uniqueness Score: -1.00%

Function 0593C1CC, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544969706ae412fa3c90a99ffa8b9452e0420de453adabaab333e8fbaf54b142
Instruction ID: 4fbe7509d1bda06785dcce12a9032ed0504b16675fe59f3986b69412d6bf3ed7
Opcode Fuzzy Hash: 544969706ae412fa3c90a99ffa8b9452e0420de453adabaab333e8fbaf54b142
Instruction Fuzzy Hash: 8D219D36700A14CFCB20DE19D582E6B77ABFF84621F11442EFA169B750CA31FC418B60

Uniqueness

Uniqueness Score: -1.00%

Function 05938410, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa879a8208b175d8499dc98a6ab9faa55b7689716bbb1838b2a5ae27e2c315fd
Instruction ID: a6eafde0892e54be334edbadf644b799a431dce411dbea0d4087eb52233e0ac1
Opcode Fuzzy Hash: fa879a8208b175d8499dc98a6ab9faa55b7689716bbb1838b2a5ae27e2c315fd
Instruction Fuzzy Hash: FB2153319106199FCB10EF6DD84099DFBF5FF59310B50C26AE958AB200FB31EA94CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0593C22C, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b516551cc67b2f12304404a86045e72413ed56649e94e8cbf5703f782de245b
Instruction ID: 676be867c3e9a6a7795973b0e74d045245658017701700734b425091ef477aa8
Opcode Fuzzy Hash: 5b516551cc67b2f12304404a86045e72413ed56649e94e8cbf5703f782de245b
Instruction Fuzzy Hash: 0221E032A00751CBEB01EF29C894695B7A1FF96304F0985BADC4A2F256DF75A884C790

Uniqueness

Uniqueness Score: -1.00%

Function 0593DE50, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3322427609c0153b8732d1b8f3b7c048625934311a9cfc274f2b78cbc9abcb3
Instruction ID: 77318226bfa6a3ed115a96906972a39376f661abb83caf8af75676ba6d4a6134
Opcode Fuzzy Hash: f3322427609c0153b8732d1b8f3b7c048625934311a9cfc274f2b78cbc9abcb3
Instruction Fuzzy Hash: E721BC32A007419BEB01EF29C8846D5BBA1EF96304F0985BEDC492F257DB75A984C791

Uniqueness

Uniqueness Score: -1.00%

Function 05930BC0, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bb9507714e8038a5cf2a16e2fc6abd866340d490a6e0b74f67c8798867f594
Instruction ID: 5e4700c55ff864c78104e9eca9565f2dd9f1e62fc8140eed11f0e34cb07a5e9f
Opcode Fuzzy Hash: 12bb9507714e8038a5cf2a16e2fc6abd866340d490a6e0b74f67c8798867f594
Instruction Fuzzy Hash: 23216934904225CBDB15CB68C89AAEDBBF5FB49314F154555D802EB320DB78AD41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0593B5A0, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d222b77a6eacfc16a7874e1774f5edc97304a3213d33403be90d945eedc3205b
Instruction ID: 7fa55056be9f2485232b8c831387e182a0e6b9aa2874a1d6726360ba7c798635
Opcode Fuzzy Hash: d222b77a6eacfc16a7874e1774f5edc97304a3213d33403be90d945eedc3205b
Instruction Fuzzy Hash: 1D11EC353106214BEB04AB39D411B6E72ABEBC9B08F24442EE542DF7E5CEF9EC018791

Uniqueness

Uniqueness Score: -1.00%

Function 05939930, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5510d8aff47472d5e0d7ba9e28befe0555f7db8f5a1f67c80699fc5790ef12f
Instruction ID: b3953921a29ff70434069b30274b69598ebb50a249c4d2d14ee869c176b6162a
Opcode Fuzzy Hash: e5510d8aff47472d5e0d7ba9e28befe0555f7db8f5a1f67c80699fc5790ef12f
Instruction Fuzzy Hash: 50211435654604CFC728CB29D489A6A73FAFF89714B1685AAE046CB371DB74EC41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0593CCD9, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16b9bf8143f75d125321d9a0fda7b762075851633f4262302ac4aeb5bd42940
Instruction ID: 34ce6379102f40a6b1da73e8a24ba6f25dc37708ff37f259c468b43eca7164e8
Opcode Fuzzy Hash: a16b9bf8143f75d125321d9a0fda7b762075851633f4262302ac4aeb5bd42940
Instruction Fuzzy Hash: C7219A31700A44CFCB20CF28C992EAA7BBABF84620F11442DF95A9B751C631EC41CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0593AC31, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3639538f2da1a82d60e1c80ea88f4cf9eea5011e571feca8a10afd4dc899946f
Instruction ID: ffb974ce5f80d8a0ad93a7105245460676fe4d667d4a8c31b7115d0c55eb8576
Opcode Fuzzy Hash: 3639538f2da1a82d60e1c80ea88f4cf9eea5011e571feca8a10afd4dc899946f
Instruction Fuzzy Hash: 8821A531A04609CFCB14DF74C459AAEB7F5BF84340F05862AD9469B364EB74E941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0593E130, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a51f2617493b4fc01470e353566bdd42d44ac401b3074a80b8e00f3a32e781
Instruction ID: 09148023622efec3df6cc6b3663e39b6b56b5826c2badff8f2c47433995f387a
Opcode Fuzzy Hash: 53a51f2617493b4fc01470e353566bdd42d44ac401b3074a80b8e00f3a32e781
Instruction Fuzzy Hash: 84111931610B058BE734DE6ADA92727B3FABF85710F140E2DE497CBA40D734E9088B91

Uniqueness

Uniqueness Score: -1.00%

Function 059310F0, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb388f21366d83544d44f6ab7f46eb8f2cf1d48bd3b52d9c8690c11e0850a2e
Instruction ID: 1f46894ccc086a365cd4d6906de1e9c22e69e691f0f14210456d3d4e935e8f46
Opcode Fuzzy Hash: cbb388f21366d83544d44f6ab7f46eb8f2cf1d48bd3b52d9c8690c11e0850a2e
Instruction Fuzzy Hash: B611D335A40208CFCB14EFA1C5456EE77F2EF88304F104A69C906AB3A4DF35AD05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0593D317, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1338ca087eebe191951096fb10e34b945e7602aa31e24e3ddabe6c30cf89f07
Instruction ID: 03df36cabbccab9216c741ff44140790d63cfd8eb8cfc77d55c2ccafeede070b
Opcode Fuzzy Hash: e1338ca087eebe191951096fb10e34b945e7602aa31e24e3ddabe6c30cf89f07
Instruction Fuzzy Hash: 1B21F971E1020A9FCB44DFADC9449EFFBF5FF98200B10855AE415E7214E7749956CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0593AC40, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffd0defa545185c85ddbf937129cda08ef2b6d7dda7aaf5d0df00ff7b0f99477
Instruction ID: 9cb40093986efd4c9d99eaaf80de42c20612a8a29cd6d588dc3445748ef0c461
Opcode Fuzzy Hash: ffd0defa545185c85ddbf937129cda08ef2b6d7dda7aaf5d0df00ff7b0f99477
Instruction Fuzzy Hash: CC11D630B04609CFCB00DB75C445AAEB7F5BF84240F048A2AD5469B364EF74E941CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 05938F68, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22aaa8c8a769defe53f1afab03fa9363ab6256aac5e632feea7f253eb5815d9c
Instruction ID: 3d90c0fc8e741879271e81b94536f48cf848a620e2b16e6c996673104b6b3e51
Opcode Fuzzy Hash: 22aaa8c8a769defe53f1afab03fa9363ab6256aac5e632feea7f253eb5815d9c
Instruction Fuzzy Hash: 1D11C836316605CFDB28CA2AD88297A73EBFFC9221318447DF507C76A1DB24E9418B90

Uniqueness

Uniqueness Score: -1.00%

Function 0593D328, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75c3b7baea6968923f71faf9abe07f48925082eef7e3737ef64659e7c0df108e
Instruction ID: 29cf746653dccff3d6404c62f5ed58bac2def035edc2432aa371d1fcea1b7b24
Opcode Fuzzy Hash: 75c3b7baea6968923f71faf9abe07f48925082eef7e3737ef64659e7c0df108e
Instruction Fuzzy Hash: 7721FC71E0020A9FCB44DFADC8448AFFBF9FF98200B10851AE519E7214E770A956CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0593A850, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1885307feaf6a6eca41ddce96d74157cb933622798cbe889ce5c182d22c27b56
Instruction ID: 8a847ee80cc2377c95de2facf20d4041379ded3697bbf1936f2ce320b785ca86
Opcode Fuzzy Hash: 1885307feaf6a6eca41ddce96d74157cb933622798cbe889ce5c182d22c27b56
Instruction Fuzzy Hash: 43216F32900B5287DB109F29D840781B7A5EF95324F19867ACC4D3F242EB71B984C790

Uniqueness

Uniqueness Score: -1.00%

Function 05931BD2, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70ee289a9c57fc83b233bb99d55fb5167962fba9db1da4f6514a8a71ff76ccc
Instruction ID: 51a7620d4b4d642a5bb65b6403ace0caa017994a9282dbf0f20b8050cd8d6bc2
Opcode Fuzzy Hash: d70ee289a9c57fc83b233bb99d55fb5167962fba9db1da4f6514a8a71ff76ccc
Instruction Fuzzy Hash: DB210974A453508FFF04DF74EC8A6293BA6F78A311F41506AA9098F7C9EEB85950CF12

Uniqueness

Uniqueness Score: -1.00%

Function 05935B0C, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8951d960d4a20e3a96b067e835478733f1721733605f0b434eda03610765420
Instruction ID: 10b4a77e5241f2d2eac57b6703ca3808e2b706b2984006d54d552ef169188b2a
Opcode Fuzzy Hash: a8951d960d4a20e3a96b067e835478733f1721733605f0b434eda03610765420
Instruction Fuzzy Hash: 82213770E16218DFCB15DFA0E5995EDBBB2FF8A300F258499E482722A4CB315965CF00

Uniqueness

Uniqueness Score: -1.00%

Function 0593E120, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59edd9305a67c8144381afa7a1d4ac6cba4e70f5996d97a1f794b858eec191e4
Instruction ID: 03e3f84955180a3499724f42ef78ca445b61326ba350e7a12c97ef71552768d0
Opcode Fuzzy Hash: 59edd9305a67c8144381afa7a1d4ac6cba4e70f5996d97a1f794b858eec191e4
Instruction Fuzzy Hash: 7711AC31700B018BD330DE6ADA52B27B7FABF85710F040E2EE096CBA40C734E8088B91

Uniqueness

Uniqueness Score: -1.00%

Function 0145D4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243068172.000000000145D000.00000040.00000001.sdmp, Offset: 0145D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6ced9d0c9f6690be594cbf568882f55a05229423d0602ee79acece9868a76a
Instruction ID: a4cda863a82704c018f4072d3ec025c5d4c0c52149a80c9cc6af9d86368f9bc6
Opcode Fuzzy Hash: 8c6ced9d0c9f6690be594cbf568882f55a05229423d0602ee79acece9868a76a
Instruction Fuzzy Hash: 72119D76904284CFDB12CF54D9C4B16BF71FB84228F2486AAD8450B667C33AD45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0593BEB9, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e4de16bd58c2fda2416dd860be0f66e22fd69ce4af2e34733d18fc28586562
Instruction ID: 9859b3000390dae9732a9eb3d828249036c0ea3ef42986f14f0b6652141d3f62
Opcode Fuzzy Hash: a0e4de16bd58c2fda2416dd860be0f66e22fd69ce4af2e34733d18fc28586562
Instruction Fuzzy Hash: 79115E307006188FCB24EA65C449B6E7BFAFF89305F1045AAD449CB2A5DB34E945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0593A860, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e22cd66ea3a9dcab5d8b6f1bcc8113bed17bf82243858c7963dfb5aabbbbe69
Instruction ID: c686fcd9309120b48b2bd2fc2ddbc02e00039810e1ca1473c971464fc869f0b2
Opcode Fuzzy Hash: 5e22cd66ea3a9dcab5d8b6f1bcc8113bed17bf82243858c7963dfb5aabbbbe69
Instruction Fuzzy Hash: 33114C36D00B5287EB009F59D840281B3B5FF95328F198A7ACC4D3F206EB71B994CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05931BE0, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2f48714a63b5222c30723c99e148db7f6a3f4bd18dbfe096162510cb2b5ec0
Instruction ID: 33fd2804f5f0b47a09d3d021600725db3fd3e5c6224cd5dda248090d9adbbed3
Opcode Fuzzy Hash: 1d2f48714a63b5222c30723c99e148db7f6a3f4bd18dbfe096162510cb2b5ec0
Instruction Fuzzy Hash: 7C21E5746453509FFF04DF64EC4A6293BAAF78A710F41506AA9098B7C9EEB45840CF22

Uniqueness

Uniqueness Score: -1.00%

Function 059356FE, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271e91193963f05a402d47dcf7d798ced4d545a1f7f9b84887450a0f536f0fb2
Instruction ID: 7077e9a592153a28e4716d718d84f9a76641cd037f2cbfa0c50eb584328625c8
Opcode Fuzzy Hash: 271e91193963f05a402d47dcf7d798ced4d545a1f7f9b84887450a0f536f0fb2
Instruction Fuzzy Hash: 5101F771B082548FCF06E7A4AC5E5BDBBB69FC421070500BAD508DB382DA381912C796

Uniqueness

Uniqueness Score: -1.00%

Function 05931EA8, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07992371532cffabb0663651bb972372ba372f7b90b6322c91f97534afb29491
Instruction ID: eb5c2ff2488e255117702da39a56bdd92f52b5d6024406f1c3229dffda0cda4f
Opcode Fuzzy Hash: 07992371532cffabb0663651bb972372ba372f7b90b6322c91f97534afb29491
Instruction Fuzzy Hash: A7112874E052189BDF18CFAAD441AEDFBF6EF88300F11846AE815F7260EB709904DB60

Uniqueness

Uniqueness Score: -1.00%

Function 059319E0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e026db9a65d08b7f2b4b981aead467acf50e6ddcb02e4c3250a96b70dcb1201
Instruction ID: 231b20a9b21df5e4e6136ab1c4dff7d805849cf98faaa1685013feb0abbfc215
Opcode Fuzzy Hash: 1e026db9a65d08b7f2b4b981aead467acf50e6ddcb02e4c3250a96b70dcb1201
Instruction Fuzzy Hash: E711D631A04104DFEB00DF98C9596AB7FF6EB88311F04826DE809EB364CA35DC09CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 059347E4, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08febe2c94fc4ed0a30c4c0df0ef6b98a62fecf99e5245a85a5094873a4bc489
Instruction ID: 23773dcb6d399b6951c759b41562d9b8f58902b78f54487295fdaec9f8dbf781
Opcode Fuzzy Hash: 08febe2c94fc4ed0a30c4c0df0ef6b98a62fecf99e5245a85a5094873a4bc489
Instruction Fuzzy Hash: 8F11EFB5D046489FCB10DF9AD448B9EFBF8EB89320F15841AE855A7210D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0593BEC8, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7652d7de79b9b42cb99b507b822594cf2f290a2e0c87b6aabb291a08a6108c51
Instruction ID: b9606511e1634a39781b4f306b4b6c3ebc6fc683b359838354f6862549ae8c80
Opcode Fuzzy Hash: 7652d7de79b9b42cb99b507b822594cf2f290a2e0c87b6aabb291a08a6108c51
Instruction Fuzzy Hash: E1116D307006148FCB24EA65C449A6E77FBFF89704F1045AAE00ACB265DB34ED45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05933868, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082a1a3b3537fdfb6ac274ae93543777caaf65229c9df985f07541dd31dbcf52
Instruction ID: ec847d798fe98305bbb26830e62c1c679302ea588a27b576b831859fbc265156
Opcode Fuzzy Hash: 082a1a3b3537fdfb6ac274ae93543777caaf65229c9df985f07541dd31dbcf52
Instruction Fuzzy Hash: 2F11EFB5D046489FCB10DF9AD448B9EFBF8EB98320F15841AE855A7210D3B4A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 059351B8, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5df28470d45da075938500da41b9dada03b85cb1473f175169c73b9942e326f5
Instruction ID: 3c04b0f491f969b092ea59010a92d0efd4325335ea2ca98a5025a9e300c4dae3
Opcode Fuzzy Hash: 5df28470d45da075938500da41b9dada03b85cb1473f175169c73b9942e326f5
Instruction Fuzzy Hash: C511E2B1D04649CFCB10DF9AD444ADEFBF4EB98324F15841AE459A7210D374A649CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05939FC9, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7f2f051bea2c16e9cd80af561a817ccc0232b031a5f8c5994c18f7ba9f3a17
Instruction ID: 1b2c5f4e6f1d465f4224316844597fc9e1d3fd885208f3b8341918eb7eaaac2b
Opcode Fuzzy Hash: cf7f2f051bea2c16e9cd80af561a817ccc0232b031a5f8c5994c18f7ba9f3a17
Instruction Fuzzy Hash: 9A01D631304510CBC719AB38C40AB2E73D9AFC9A60B0541A9D846DB390EFB5DC02C3D4

Uniqueness

Uniqueness Score: -1.00%

Function 05930B18, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76550d1bdf126a38faf6503887dbc18df3a53959136e5ce89e654c559a3d5a1
Instruction ID: a4403cfc7aaeec6db80f8f89e92ceb79924883dac3d613618aa2b9df4578c942
Opcode Fuzzy Hash: d76550d1bdf126a38faf6503887dbc18df3a53959136e5ce89e654c559a3d5a1
Instruction Fuzzy Hash: 9101D132308318DFDB24EBA1A4057AF77FDEF40668F1005ABC109CA691EF31E8448399

Uniqueness

Uniqueness Score: -1.00%

Function 05936068, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6147799150d9ab0bed022d928a7c7ddd1a8fb45a6aaa565c3acb29b89f67fb1d
Instruction ID: 6a56858c63ec01b080b4dc6bd162d1f4f7894f96b54655e081e3ea00727289f4
Opcode Fuzzy Hash: 6147799150d9ab0bed022d928a7c7ddd1a8fb45a6aaa565c3acb29b89f67fb1d
Instruction Fuzzy Hash: EA01F932B042589FCB05D7B9C8155AD7FEADFC5214B0584EAD44DCB352DA39AD068780

Uniqueness

Uniqueness Score: -1.00%

Function 0593B470, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f10e97e52ccb59289b4decc7479072a12b5f1cb3e800be2469856085dee8fbcc
Instruction ID: 49202d4903a266a25fc2e1bf53bc274fddeea8f6f1930602af35251d38847f92
Opcode Fuzzy Hash: f10e97e52ccb59289b4decc7479072a12b5f1cb3e800be2469856085dee8fbcc
Instruction Fuzzy Hash: 7B01F2357143624FE704AB28C410BAEB7A6AFC6700F10C12EC04A9F7E6CDF59C0687A1

Uniqueness

Uniqueness Score: -1.00%

Function 05935C50, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35c6f61dd1fe42f336bd990721b343b1a122487badfd0dfd3fa9ae8e17ead29a
Instruction ID: ac38ac075117cf0a2dcb473ea343dceab0781c3a4048e8bfecfc1ec3a08a1900
Opcode Fuzzy Hash: 35c6f61dd1fe42f336bd990721b343b1a122487badfd0dfd3fa9ae8e17ead29a
Instruction Fuzzy Hash: 3CF04C31B183589FDB05EBB88C554AE3FEADFC615470644BAC809C7241F9346C068790

Uniqueness

Uniqueness Score: -1.00%

Function 059319F0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0403872c1c11933dfcd5b91af82778b1ea2de8e3878d99eb14be7ff28cf791af
Instruction ID: 12c3e197028f40303b886e64e4cb75b89fd86b6155d35995876e9bbc71faebe8
Opcode Fuzzy Hash: 0403872c1c11933dfcd5b91af82778b1ea2de8e3878d99eb14be7ff28cf791af
Instruction Fuzzy Hash: AE01B171A00214DFEB009F58C919AAB7FFAEB88301F048169E905EB365CA759C04CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0145D651, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243068172.000000000145D000.00000040.00000001.sdmp, Offset: 0145D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f062b5daeb8ad6caba6ab09213cb0cb2b7af8efbbf0e9de7c020a2180dd2459
Instruction ID: 0fd14eaf29f3f6936ce803ba356f04a063785a0ded69ab43333d2a4170eea91a
Opcode Fuzzy Hash: 5f062b5daeb8ad6caba6ab09213cb0cb2b7af8efbbf0e9de7c020a2180dd2459
Instruction Fuzzy Hash: 2E01F7718093849AE7509A55CC84767BF98EF40238F19841BEE4C5B257C3799846C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 05936648, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc7d747fb3d5d8a9e8c6d7fde319253dfab56e5ac2816a2ebfb597a458b80a57
Instruction ID: 9ad66995235507f2718a4f07c96ff9a6c4dca17ccda7685921968fbcd3afb48d
Opcode Fuzzy Hash: cc7d747fb3d5d8a9e8c6d7fde319253dfab56e5ac2816a2ebfb597a458b80a57
Instruction Fuzzy Hash: AD1100B1900248DFCB10DF9AD589BDEBBF8EB88324F14841AD959A7300C774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05931E60, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5634ff20f3b441c60c336d28ec5397058a362d7d68f668d0bfe96483b99d718f
Instruction ID: 122afc5c244ed02be85b5191affa1420983fe300c65bdbfaf924881877196e31
Opcode Fuzzy Hash: 5634ff20f3b441c60c336d28ec5397058a362d7d68f668d0bfe96483b99d718f
Instruction Fuzzy Hash: 2B012675B052648FCB0ACFA4E9414DCBBB6EF85711B02447AD844DF262DB38E81BCB80

Uniqueness

Uniqueness Score: -1.00%

Function 0593E5C8, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f5891861efe0d7ce62bba52ae31df9217f863c7bfb09d21de0d5abcc1df958
Instruction ID: 1410b2c7edba1472de36e89f872f78fc849f986ae7824dc6e393833c34475272
Opcode Fuzzy Hash: a1f5891861efe0d7ce62bba52ae31df9217f863c7bfb09d21de0d5abcc1df958
Instruction Fuzzy Hash: 6B01D631A00A15CFCB01FBA8C80A99D7BB1FF81300F018699E50A9F265DB709D41CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 05939E28, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56eee0e1e81e4f0962e9bf494f77574f678079f7b58b24c7e02f4814b751cbdd
Instruction ID: b770c41b94abec5f2afe9036258d747dce3e8083b4e5b5ecd58154278dfb9418
Opcode Fuzzy Hash: 56eee0e1e81e4f0962e9bf494f77574f678079f7b58b24c7e02f4814b751cbdd
Instruction Fuzzy Hash: DC014B74704214CFC314DF69E488A6AB7EAFB88618B14856AE40ACB365CBB1EC05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0593B480, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb488b15fbb25aa8ac4a29cb14a29fe4507740693f923761b0f1480fe4867bd
Instruction ID: 8feb550295b9bcbab1da302e85e76799b7b2df81d17674d279d6d38d1a6b5e66
Opcode Fuzzy Hash: aeb488b15fbb25aa8ac4a29cb14a29fe4507740693f923761b0f1480fe4867bd
Instruction Fuzzy Hash: CFF0AF317103224BE704AB69C410B9EB2DAABC5B00F10C52ED5099F7D5DDF5AC0547E1

Uniqueness

Uniqueness Score: -1.00%

Function 05935720, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e216d3056658c34245c53680abbb7a9e1f71a8ad006c1b38194fc8af8c4300ec
Instruction ID: 01050c50133b948f7324142ececf0d3b809381ddfffef3977cc637f6013a863b
Opcode Fuzzy Hash: e216d3056658c34245c53680abbb7a9e1f71a8ad006c1b38194fc8af8c4300ec
Instruction Fuzzy Hash: 71F09671B001189B8F15A7A9A85D5BEBAFADBC8610B010039D61DA7381EF351E1187D6

Uniqueness

Uniqueness Score: -1.00%

Function 0593F9F8, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0845340fdaddac64e3c7ce12ef1d9f04e842d1734994d95110c3f90e1d001402
Instruction ID: 6bf5d3903c5cc1b6e62cf4a6306228a0f7cda391940f102f5c7e1d4d160a6683
Opcode Fuzzy Hash: 0845340fdaddac64e3c7ce12ef1d9f04e842d1734994d95110c3f90e1d001402
Instruction Fuzzy Hash: 8AF090357409548FD718EA2AD846B7A33EAEFC5714F18C079E14BCB321CE259C038B85

Uniqueness

Uniqueness Score: -1.00%

Function 059301C8, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67362cbcd8f15f8664a0784b6613b9f24afc4867487fce19913c80d6fb7865b
Instruction ID: 6c203856b4cf3bf5716966be954dbacf9f66a77ed4ebfb355865725724fdfcc1
Opcode Fuzzy Hash: a67362cbcd8f15f8664a0784b6613b9f24afc4867487fce19913c80d6fb7865b
Instruction Fuzzy Hash: 95F054327047259F87149E6AE48485EB7EAEBC46253014A3AE20AC7624CF71AC09C794

Uniqueness

Uniqueness Score: -1.00%

Function 05938F59, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f807bdeb68422f0832f7976528c134b3084fc891a898df6a821c712d86f2ad9
Instruction ID: 09fc78704d2ad3273f09e907071dc545af697386052e2dd77a993e5ff9257900
Opcode Fuzzy Hash: 9f807bdeb68422f0832f7976528c134b3084fc891a898df6a821c712d86f2ad9
Instruction Fuzzy Hash: 98F0823535A1019FC7149A1AD846F5A3BEFEFC96127188069F90BCB762DB60DC018BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0593AE61, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da28885bbf25dfa9d405df3b16b6e95406112b2ccdc1808ab0670980eeb34ed
Instruction ID: f5521512f986c7f0a7faf5bf78333180c63dd91cf95f28901079b02072df759b
Opcode Fuzzy Hash: 8da28885bbf25dfa9d405df3b16b6e95406112b2ccdc1808ab0670980eeb34ed
Instruction Fuzzy Hash: 8CF0F631A046189BCB14DB69DC4487FB7B9EFC9701F00402EE418D7260E7308A00C3A6

Uniqueness

Uniqueness Score: -1.00%

Function 0145D650, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243068172.000000000145D000.00000040.00000001.sdmp, Offset: 0145D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc66428f82d6faf01e03308d11d74070372fe3864050cb414df00a72b7dd806d
Instruction ID: 8ea2adc6085365e5c2e00a6388a41d87701aa7d21d83021d057ba349bcbbeb9e
Opcode Fuzzy Hash: cc66428f82d6faf01e03308d11d74070372fe3864050cb414df00a72b7dd806d
Instruction Fuzzy Hash: 14F06271805284AAE7518A19CC84B63FF98EF41634F18C45AEE4C5F397C3799845CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0593E5D8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387c5db1fdbc7da71f1cfa6f15468343378e061966debc4b01872b3148f266b6
Instruction ID: 10777fe2b4693cf5bae8da6d804836a80ec56b42845d0d52d977cfdf88af4e55
Opcode Fuzzy Hash: 387c5db1fdbc7da71f1cfa6f15468343378e061966debc4b01872b3148f266b6
Instruction Fuzzy Hash: 48F0AF31A00629CFCB04FBA8C40989DBBB1FF85300B018599E60A9F265EF30AD84CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 059301B8, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16c6024d88dbd3bff53d4b25c668f79390a4ccf3ecadd8d55fa5c53503940413
Instruction ID: 7071bac412376d6d5e3b937d2d7abb2cf95725db162581fb19a634cdf33e79cc
Opcode Fuzzy Hash: 16c6024d88dbd3bff53d4b25c668f79390a4ccf3ecadd8d55fa5c53503940413
Instruction Fuzzy Hash: 6AF0E9313083959FC7165B69A4D881E7FA6EFDA21430205ABE2CACF275CFA09D09C354

Uniqueness

Uniqueness Score: -1.00%

Function 0593AE70, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71bf9a70215c264c4aedfc545519ec15a49d105e78f9a8baa8188d639393f80e
Instruction ID: 083aae37cad39291d838810c5290682ac7c97f537f127dee51e84675d6e95d1c
Opcode Fuzzy Hash: 71bf9a70215c264c4aedfc545519ec15a49d105e78f9a8baa8188d639393f80e
Instruction Fuzzy Hash: 3FF082317146259B8B18DBAAEC4487FB7FDEFC8711B00402EF509D7220E6708E01C3A6

Uniqueness

Uniqueness Score: -1.00%

Function 0593062A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b8ce656d27e3a290d3958aca877b5ca938d65c554ddb10d031a7d67af86e2c7
Instruction ID: 9ba4daf01f1d85a713aaefc9dfc2c7dfeb4f0735b30f08993c5e90d5ee336658
Opcode Fuzzy Hash: 8b8ce656d27e3a290d3958aca877b5ca938d65c554ddb10d031a7d67af86e2c7
Instruction Fuzzy Hash: 9BF0E234244650CFC718DF28C599C583BF5EF4A71971649E9E94ACB372CB62EC44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0593FA08, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 542c320dde3c0e4472636365e3e28616067429c908168da615c1b74e955ec651
Instruction ID: 32a7859b9cc82a857784f936f277beda4557366f0f2dddddfe35ec7f5f46f168
Opcode Fuzzy Hash: 542c320dde3c0e4472636365e3e28616067429c908168da615c1b74e955ec651
Instruction Fuzzy Hash: FBF01234740958CFD758DB2AD455A6E73DAAFC9714B14807DE10ECB360DE65AC028B94

Uniqueness

Uniqueness Score: -1.00%

Function 05935F61, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6b00533935954798f81113f62dadc9727853bd24b075fe17b573765bf98f8a
Instruction ID: c3a4285cab092925f772250b401c99337dc4ffc854b50ea9fc1e31c8f04bfc1e
Opcode Fuzzy Hash: fb6b00533935954798f81113f62dadc9727853bd24b075fe17b573765bf98f8a
Instruction Fuzzy Hash: CEE0D835B006049FDB04CF59C8859DABBFADF88220B15C0EAE85CD7305E63469468710

Uniqueness

Uniqueness Score: -1.00%

Function 0593B520, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c95e73b778f213f46cacd57f97365d91a26ab85bbdd353010761826cbd8da7
Instruction ID: d781937dced161369ca42a06fb169feb1c2a387ea7f577a1215f99bb43fd3975
Opcode Fuzzy Hash: 56c95e73b778f213f46cacd57f97365d91a26ab85bbdd353010761826cbd8da7
Instruction Fuzzy Hash: 13E0C2317052258BE724D95CD443B6A77DBF742314F140936E81ACF752C610E842C3D2

Uniqueness

Uniqueness Score: -1.00%

Function 05935C4E, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 531a14d949d8c38d78f651ac4c968e4f0e4b0c1fe5a38d3a93d903f5f68bae0c
Instruction ID: 2b4c331521703727e8bd864ebc54193465aed8fcf7dcb86faa5caac79af182e8
Opcode Fuzzy Hash: 531a14d949d8c38d78f651ac4c968e4f0e4b0c1fe5a38d3a93d903f5f68bae0c
Instruction Fuzzy Hash: E2E08672B40118AF9B08DBF89D465AF7BEBDFC4214B16C07AD509D7350FA309D424390

Uniqueness

Uniqueness Score: -1.00%

Function 0593B530, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97befccdcbe6f7b5aa054c12cfc129a47451daf6231ee6e78d974af95fc52a5
Instruction ID: 1b4dea8dc84b45c8b10a2073457d78b3b5a0b115d2a20efc3309780255c5a810
Opcode Fuzzy Hash: b97befccdcbe6f7b5aa054c12cfc129a47451daf6231ee6e78d974af95fc52a5
Instruction Fuzzy Hash: 86E0EC31B142168BD728DE5C9482B6AB7DAFB45714F100866E45ACF741D761E884CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 05935BFE, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43a6b00b015f0300e58f541eba4e5b8e3c2105a32f897efa79a84027d5383ff
Instruction ID: 02d6bff3e418d514f89abd37e4a2cbfc134fe4e797ee6e1fed863339a8221c30
Opcode Fuzzy Hash: d43a6b00b015f0300e58f541eba4e5b8e3c2105a32f897efa79a84027d5383ff
Instruction Fuzzy Hash: 86E0DF75E5011CDACB10AF81E5067FDBBB9FB4A316F214422E142B1550C7700980CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05931AE8, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0d21dc825d783c88106028dc184aacbe681386a34f286b560a85d2110de9c6e
Instruction ID: e8a93f20e9ec7a3fe7617b1925cd48eaa382330eb15d68998f0cd02b615c0ca6
Opcode Fuzzy Hash: e0d21dc825d783c88106028dc184aacbe681386a34f286b560a85d2110de9c6e
Instruction Fuzzy Hash: B9E0D8311081448FC7039FA4D91559A7FA1EF5A35070941F6D404CF1BBC735C815CB92

Uniqueness

Uniqueness Score: -1.00%

Function 059311CC, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb6dfc03c3a0e94fc29bfe23038026a369f50c3ae66d9d0794edb599b4a701f7
Instruction ID: 8209a9b94e751c6aed21b643c4ca54d35b956f89d2246b52d59e03ca165cd83e
Opcode Fuzzy Hash: eb6dfc03c3a0e94fc29bfe23038026a369f50c3ae66d9d0794edb599b4a701f7
Instruction Fuzzy Hash: A6F0A535A0420DCBCF14EBE5D25A5DDBBB2EB88216F2005A9D415B3260DB326E10CB24

Uniqueness

Uniqueness Score: -1.00%

Function 05936E10, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e39e6ab8dc54b872eb75ed6602b7d1b75db523d9500ddd1a6ebab6d1a1acd8
Instruction ID: e891d9e558af93aa83b2f916b798bc7973dd0a73988d60a011a08f9e260244ab
Opcode Fuzzy Hash: 56e39e6ab8dc54b872eb75ed6602b7d1b75db523d9500ddd1a6ebab6d1a1acd8
Instruction Fuzzy Hash: 1AE0C231186240EFCB218BF1D9AA9EC3B66FF02115728009ED89BC7112CB38641FD720

Uniqueness

Uniqueness Score: -1.00%

Function 05934BB0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5230c9536023ccefea920696e4bf771c0cd30f7a90c73232d87c3777426aae6d
Instruction ID: 3069c340922ff2c2ed8a205a2152604f2f557dd20f50bb2f7624fd6cc09936c7
Opcode Fuzzy Hash: 5230c9536023ccefea920696e4bf771c0cd30f7a90c73232d87c3777426aae6d
Instruction Fuzzy Hash: 3CE02275A09248CFCB02DFB8EA0249C7B74EB4130072045AAD808DB252EB3C9F10DB11

Uniqueness

Uniqueness Score: -1.00%

Function 05936F4E, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d661bc5f780e0e3a4592e4c8088fef000c7b9712a5a9e7a6d4e18ecfd002812f
Instruction ID: f810e4c63d43b183a34465990f6324ecc0e793c6ab897cf7ed061b6b0ab83fc1
Opcode Fuzzy Hash: d661bc5f780e0e3a4592e4c8088fef000c7b9712a5a9e7a6d4e18ecfd002812f
Instruction Fuzzy Hash: 33D01776E01208EFDB04CEA9C9016FEB3FADB84301F11C0AAA409D3180E6350F45AA20

Uniqueness

Uniqueness Score: -1.00%

Function 05934BC0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7299d4fba4209bf936ab609f076baba2ba04e92ff56e006a7ef37b2d11abb882
Instruction ID: dfd52bb96d3b45f85185a04f78522964bc6f3d5c69d9995c729351903f9839b4
Opcode Fuzzy Hash: 7299d4fba4209bf936ab609f076baba2ba04e92ff56e006a7ef37b2d11abb882
Instruction Fuzzy Hash: 74E04F71A0120CEF8B00DFB4E90289DBBB9EB452547214599D808D7215EB399E10DB51

Uniqueness

Uniqueness Score: -1.00%

Function 05936F50, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae96606d66bb17de8f4bb02f2f7369e0e21411c71c60b1e6d749914222e8855
Instruction ID: 5e6adc8572c5c8546488ee702b5defabea645deec37b119301db9469f1b23cfd
Opcode Fuzzy Hash: 2ae96606d66bb17de8f4bb02f2f7369e0e21411c71c60b1e6d749914222e8855
Instruction Fuzzy Hash: 35D05E76E0120CFBDB00CEAAC9016EEB2FEDB84201F10C0AAA408D3180E5345F44A661

Uniqueness

Uniqueness Score: -1.00%

Function 0593D940, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61be286d1f5fba236d329c56d8005e40e38fd5a61f8bc5c82ee0ac78b6278d85
Instruction ID: 1c20d6310933ea45020c60e9ac2785311dc8771c7d74ba8aaf06a3201341ce90
Opcode Fuzzy Hash: 61be286d1f5fba236d329c56d8005e40e38fd5a61f8bc5c82ee0ac78b6278d85
Instruction Fuzzy Hash: FAD0A7227484D41BD621129C2C15BEB5595C7C5755F09047EE900CF386CDA49C0153D5

Uniqueness

Uniqueness Score: -1.00%

Function 05938D68, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889046b64df2fef03ebe7963c8c5bcbcf742f08eaea6b75dbe8ffc4a5bedc95a
Instruction ID: 43392294103527b83ba646c134876fa0f67543bd3b70a2e77f823193a46bafd2
Opcode Fuzzy Hash: 889046b64df2fef03ebe7963c8c5bcbcf742f08eaea6b75dbe8ffc4a5bedc95a
Instruction Fuzzy Hash: 99C08073549F140DD74272F29C02322379C4753015B4D01979C2DCCA82E805D411807B

Uniqueness

Uniqueness Score: -1.00%

Function 05936E20, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55b6d99716943ef525300edd9e929e1a112f4b7d55e228a182ee924783a4b4a
Instruction ID: c69486e6b941f84c45dec5495e20dd14604d73839c4339e42aa712178f62c37e
Opcode Fuzzy Hash: c55b6d99716943ef525300edd9e929e1a112f4b7d55e228a182ee924783a4b4a
Instruction Fuzzy Hash: 49D0C932255209D7DB2457E5E45AA7A339DAB40609F18406DF40EC6900DB22E8698511

Uniqueness

Uniqueness Score: -1.00%

Function 05936E78, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3559049947ee8f7620915ecf7a8590b7d7de327d683de88a0b0365e433626d89
Instruction ID: d9231e7bf121a1dac93b4ea244845691846ed9e0027a5c8bbb0467bc21cfd3c4
Opcode Fuzzy Hash: 3559049947ee8f7620915ecf7a8590b7d7de327d683de88a0b0365e433626d89
Instruction Fuzzy Hash: 5CE0DF2190D3F14ECB23E724FD5D2643E702723224F0810EAE482891ABC658406CC772

Uniqueness

Uniqueness Score: -1.00%

Function 0593CDE8, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ad8851a3adf1c7df7059a2bbbae6d7172724829489a724605dc4e13d006abe
Instruction ID: 17730d0bcb152734fe261bd8d25d57093703678584aae68120d678376fd40f75
Opcode Fuzzy Hash: b1ad8851a3adf1c7df7059a2bbbae6d7172724829489a724605dc4e13d006abe
Instruction Fuzzy Hash: FDD05E36200548AFCB819FA8C850FEB3F68AF95308F609055FA084A152C1328862DF00

Uniqueness

Uniqueness Score: -1.00%

Function 0593D899, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc10ba679af02437d64829e01884a909b08db1999d39005a45266eb6a8edd12
Instruction ID: 940d61d1b4720ca4fc472b50707e917afc0f98eb428f2b8872345ef11b322645
Opcode Fuzzy Hash: 7fc10ba679af02437d64829e01884a909b08db1999d39005a45266eb6a8edd12
Instruction Fuzzy Hash: 69D0C931249A894FC750DB64C90AB693BE49B05115F0540FAA50D8F263DA30A8108B49

Uniqueness

Uniqueness Score: -1.00%

Function 0593CDF8, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d832640dc3a5945d2b61946d2beee7057e0594b38760d18f61acadd1db68f23a
Instruction ID: 1dd3a583c0914926667d975f018788749f0e0636a955997b58b640efdf4ec65a
Opcode Fuzzy Hash: d832640dc3a5945d2b61946d2beee7057e0594b38760d18f61acadd1db68f23a
Instruction Fuzzy Hash: F2C0123A200208BFDB40AAD4C841D963BA9AB48B04F50A000BA080A212C232EC62EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0593D8A8, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249446318.0000000005930000.00000040.00000001.sdmp, Offset: 05930000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e474bafeb6f7b45bc7e42df7b6f9cf5fb322a8739f345f66321d0c369a034d93
Instruction ID: 563b29b83df979a110e829da0c9c020c2fff95b75c73817bff4a328ac478291e
Opcode Fuzzy Hash: e474bafeb6f7b45bc7e42df7b6f9cf5fb322a8739f345f66321d0c369a034d93
Instruction Fuzzy Hash: D5C09234240A088FC784EBA9D449E6873E8AF48614B4100FAE20DCF333DA31EC108B58

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 03190699, Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

V"o, xrefs: 03190821
V"o, xrefs: 0319081A

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID: V"o$V"o
API String ID: 0-3232273662
Opcode ID: c6162dea3f284f969b2abd966828edc23a16ca4263bbf252fb3b80e62287af12
Instruction ID: 9985c1e2ca2eabef646b2cb3ed19b1b9606e0730938aa3be4f2cd73e9b6a6b3d
Opcode Fuzzy Hash: c6162dea3f284f969b2abd966828edc23a16ca4263bbf252fb3b80e62287af12
Instruction Fuzzy Hash: B16105B1E0420ADFDF08CFA9D5815AEFBB2FF8D310F14946AD525A7254D7349A828F90

Uniqueness

Uniqueness Score: -1.00%

Function 03190C82, Relevance: 2.7, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

V<, xrefs: 03190E4A
JAF, xrefs: 03190E5D

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID: V<$JAF
API String ID: 0-2446856336
Opcode ID: dc4003fdb30a95714d7da5fce87afc23452f38f3c3d70d5ce7155e43008a8963
Instruction ID: fd0b16bdb67832c6b99f94759c2142149f6bd3e01d96108cfebaa9c4587eefce
Opcode Fuzzy Hash: dc4003fdb30a95714d7da5fce87afc23452f38f3c3d70d5ce7155e43008a8963
Instruction Fuzzy Hash: A661B074E052198FDF08CFA9C9805DEFBF2BB8C210F24956AD415BB215D734AE41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 03192828, Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

0jx, xrefs: 03192A5E

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID: 0jx
API String ID: 0-697370714
Opcode ID: 495e79066cfe5a1fce347d165133986e3da5ae195f1455f90e58f0519204df31
Instruction ID: ff6f2b8e0a54dfeb4c04dd73df86a756eafaecf3d620132ac362105d7ff095f4
Opcode Fuzzy Hash: 495e79066cfe5a1fce347d165133986e3da5ae195f1455f90e58f0519204df31
Instruction Fuzzy Hash: 21A13C74E042199BDB14CFA9C9805ADFBB3FF89305F2485AAD409A7356D7309942CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0319280C, Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

0jx, xrefs: 03192A5E

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID: 0jx
API String ID: 0-697370714
Opcode ID: 65eb07114bba396488564905d52b85325749aa74e14f8f7c3db29c51cda1b055
Instruction ID: 5199f559d689bfb08daa815d271a4cb332b2c90839955cbb91edca97f0916605
Opcode Fuzzy Hash: 65eb07114bba396488564905d52b85325749aa74e14f8f7c3db29c51cda1b055
Instruction Fuzzy Hash: AEA12B74E042599BDB14CFA9C9809AEFBF3FF89305F2485AAD408A7256D7309D42CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05E5B620, Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

V=, xrefs: 05E5B6D4

Memory Dump Source

Source File: 00000000.00000002.251772923.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID:
String ID: V=
API String ID: 0-3642819076
Opcode ID: 6c8c32cbf7f5e6680693c5a16ed78048778d8123c82a683758828718fd8bb2b4
Instruction ID: 257a70da10ea42d02fde46da4e844ae4575c127d0b3897a915e0e2bf17f19db7
Opcode Fuzzy Hash: 6c8c32cbf7f5e6680693c5a16ed78048778d8123c82a683758828718fd8bb2b4
Instruction Fuzzy Hash: 5F3129B1E146189BEB18CFABC88069EFBF7BFC8210F14D16AC849A7214EB3045468F51

Uniqueness

Uniqueness Score: -1.00%

Function 05E5B610, Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

V=, xrefs: 05E5B6D4

Memory Dump Source

Source File: 00000000.00000002.251772923.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID:
String ID: V=
API String ID: 0-3642819076
Opcode ID: 4dcb14d8e4a6c977b90959b4ea820737af14d14c5527b68fa09f6693b57c0651
Instruction ID: af131e34a1fa3d59a8e470a35479ff516ef52f69c76e5fc6aa0fb571fb6e6f7a
Opcode Fuzzy Hash: 4dcb14d8e4a6c977b90959b4ea820737af14d14c5527b68fa09f6693b57c0651
Instruction Fuzzy Hash: E5312DB1E146589BDB08CFABC9406DEFBF3BFC8200F14C1AAC849A7215EB3049468F51

Uniqueness

Uniqueness Score: -1.00%

Function 031910C8, Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

iPj?, xrefs: 0319114B

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID: iPj?
API String ID: 0-581101365
Opcode ID: db069657984e9a5d5015653e321c2a5e3943fb40137c8376f8f90602257ce9a5
Instruction ID: 2a9d9d764c09e7133cd5c7af5203951c0665baa2b6580b6ab703747eb010fab7
Opcode Fuzzy Hash: db069657984e9a5d5015653e321c2a5e3943fb40137c8376f8f90602257ce9a5
Instruction Fuzzy Hash: F111ADB1E046199BEB1CCFABD84469EFAF7AFCC200F14C17AC918A6214EB3415568F51

Uniqueness

Uniqueness Score: -1.00%

Function 031910BA, Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

iPj?, xrefs: 0319114B

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID: iPj?
API String ID: 0-581101365
Opcode ID: a8838a28c42a60eb91073c943f5bd3af175e30a367169fe6acc022b83133fc6e
Instruction ID: 7b463c162c7d7ecc7e20dddeff4abd666a290d047ea16ee93750ddb3c26a714f
Opcode Fuzzy Hash: a8838a28c42a60eb91073c943f5bd3af175e30a367169fe6acc022b83133fc6e
Instruction Fuzzy Hash: 4811CC71E046599BEB18CFABD84069EFBF3AFC9200F08C07AC508A6265EB3405468F51

Uniqueness

Uniqueness Score: -1.00%

Function 05E598A0, Relevance: .8, Instructions: 816COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251772923.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a420d4900274641c9724e494f9626c369c88618620b3814e5183aa801d5e17fc
Instruction ID: 998077a5ac18c95dcc3a5a389d1b6c0ec1f5d5f50be93932affa11ec91db7173
Opcode Fuzzy Hash: a420d4900274641c9724e494f9626c369c88618620b3814e5183aa801d5e17fc
Instruction Fuzzy Hash: 2D52DD31B04214CFDB15DF68C494ABE7BA3BF85228B159069E946DB3A6DF30DC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05E55C68, Relevance: .7, Instructions: 725COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251772923.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0809159e5138aa8d77e012469a4db264c9cd623e89bcb7eb91c8fc1b4fdc72d
Instruction ID: e62ef149366736eada847a5602b7d0296f8b87c7be2b5ef5a0135fe3e2f8356d
Opcode Fuzzy Hash: c0809159e5138aa8d77e012469a4db264c9cd623e89bcb7eb91c8fc1b4fdc72d
Instruction Fuzzy Hash: 4A529034B041159FDB14DF68C488AAEBBB2BF88724F559069ED46EB364DB30EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03193620, Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 772d7f3fb09be132ba96517e24060e1764a53f393271ccb186635943fa2105fd
Instruction ID: ed3228f3749d693acf3d58541c2eca03dd91a7d4d0405bdee4d90204d5a7197f
Opcode Fuzzy Hash: 772d7f3fb09be132ba96517e24060e1764a53f393271ccb186635943fa2105fd
Instruction Fuzzy Hash: 42C1D578E0421A8FDF08CFB9C5546AEFBF2AF88314F15886AC515E7355EB3499018FA1

Uniqueness

Uniqueness Score: -1.00%

Function 05E56928, Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251772923.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49d0a0690fbef2412f6e9dc73b47feedf662d83f201171f5b0db4edceed4a86a
Instruction ID: afc8d6b716c53511af7b10054677cc3f828b1b06dc123f65c5e630145cba4345
Opcode Fuzzy Hash: 49d0a0690fbef2412f6e9dc73b47feedf662d83f201171f5b0db4edceed4a86a
Instruction Fuzzy Hash: 15D13775E042288FDB54DFA4D944BEEBBB2FF89310F1081A9D909AB351DB309A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07F38F72, Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257037007.0000000007F30000.00000040.00000001.sdmp, Offset: 07F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f70148bbfcc5c1cd667d02909ec61e2315a6db9c1fe6bdeef721a8f21d9397
Instruction ID: ce6cb7a2671e9b4536ae5e172e838c74980317e628db6d7eae50915a3b95f1f7
Opcode Fuzzy Hash: 33f70148bbfcc5c1cd667d02909ec61e2315a6db9c1fe6bdeef721a8f21d9397
Instruction Fuzzy Hash: 9CD1E731C2175ACACB00EB64D990A9DB771FFA5300F51DB9AD5097B225EB70AEC9CB40

Uniqueness

Uniqueness Score: -1.00%

Function 07F38F80, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257037007.0000000007F30000.00000040.00000001.sdmp, Offset: 07F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fed62a21403545ff9c727198460444d2495de6fc772ccf64ec6765a94d55888
Instruction ID: 01b5965671551c8e28339ff1f0cc172f739adee09dd54b1d3f5faf76117a8c6d
Opcode Fuzzy Hash: 8fed62a21403545ff9c727198460444d2495de6fc772ccf64ec6765a94d55888
Instruction Fuzzy Hash: 51D1E631C2175ACACB00EB64D990A9DB771FFA5300F51DB9AD5097B225EB70AEC9CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05E5A320, Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251772923.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d12a089df87301d7d7ae1b058bd5171612f7a73512e1e7cda8e306e200967b
Instruction ID: 2cc86cb39f2354362a988dc8de82495f61144e90f9f5283b3c1cb51f55bb96f6
Opcode Fuzzy Hash: f3d12a089df87301d7d7ae1b058bd5171612f7a73512e1e7cda8e306e200967b
Instruction Fuzzy Hash: E9A1F775E002199FDB08DFA9C944AAEBBF2FF88315F15813AE915AB364DB349841CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05E5C208, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251772923.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f00954de8d4fe529fe7259d691ea02d84a2a1872f07588077f0f68668a3f849
Instruction ID: 949d992254c3d4f9b910e1ba026face8edcd70669ce2f53e27a3d1019b85ea2d
Opcode Fuzzy Hash: 7f00954de8d4fe529fe7259d691ea02d84a2a1872f07588077f0f68668a3f849
Instruction Fuzzy Hash: 9191D474E046098FDB48CFEAC9505EEBBF2EF88310F20942AD919BB254E7309945CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05E5C1DD, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251772923.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef141d84da15dcc9bf7be997e2b410fa4911ecd000ff01a574545ab01c840206
Instruction ID: b8f24fc62f0c83e854bc1ab58c1d02976870de963a6fd5a2a8d43d9951b3e62b
Opcode Fuzzy Hash: ef141d84da15dcc9bf7be997e2b410fa4911ecd000ff01a574545ab01c840206
Instruction Fuzzy Hash: 4F810575E046098FCB48CFE9C8805EDBBF2EF89310F24942AD819BB264D7309945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05E5F678, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251772923.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3906009f29ab07cf9e17c8bf8d593033133d3df4b4337c585938522ac5d091ae
Instruction ID: 4a92dfc4ebe03a95a2a97067b4121e7ab17baccfec4f6142f512d1127d82ea2d
Opcode Fuzzy Hash: 3906009f29ab07cf9e17c8bf8d593033133d3df4b4337c585938522ac5d091ae
Instruction Fuzzy Hash: AC81E374E15209CFCB04CFA9C58499EFBF2FF89310F24945AE565AB220D370AA46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05E5D248, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251772923.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4750c4f16938753de74686b392579ec920e93e6d478c55ac12013030d3d55deb
Instruction ID: f53e9aef3c751d469b1d316f3fca9fc23740764d99e07a6644e74fda1f22dcbc
Opcode Fuzzy Hash: 4750c4f16938753de74686b392579ec920e93e6d478c55ac12013030d3d55deb
Instruction Fuzzy Hash: 9E713AB4E0520ADFCB04CFD5D9809EEFBB2FB88310F14A51AD955AB215D374AA41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05E549B0, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251772923.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d1a09315822d298c9d14f494da71bce5baa9c7ce8a3a9738f6837c895d89a12
Instruction ID: 2e3d2a5211dd3aaef3bf0ec20098b95374f6d1e96713e9ffc7693e17b958c91e
Opcode Fuzzy Hash: 8d1a09315822d298c9d14f494da71bce5baa9c7ce8a3a9738f6837c895d89a12
Instruction Fuzzy Hash: 0C71D4B4E01249DFDB04CFA9D884A9DBBF2FF88300F24806AE919AB355DB355942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 031969B8, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e5ff0f8b257901b7649e5345e1c02ba2542a73fa91a3f6bf7dc25343c3561a
Instruction ID: 1291a4fdf1c89a03db59365ad0124845ac6f539b60844c9d350a1bd67518df3d
Opcode Fuzzy Hash: a8e5ff0f8b257901b7649e5345e1c02ba2542a73fa91a3f6bf7dc25343c3561a
Instruction Fuzzy Hash: B6713A70E112199FDF18CFA9D980B9EF7B6FB88310F14D0AAD509AB255DB305A80CF61

Uniqueness

Uniqueness Score: -1.00%

Function 031978B8, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a1ccac1210078a11dc40c1095772386685d5fb6b80e70bc984b54e0289bd9b6
Instruction ID: dd1308935ba4e312a687044c1b0e4216fd09a061d6ff72c989b9b841509db8ff
Opcode Fuzzy Hash: 7a1ccac1210078a11dc40c1095772386685d5fb6b80e70bc984b54e0289bd9b6
Instruction Fuzzy Hash: 62616C71E5562ACBDB28CF65C8407AAB7B6FFC9300F1092E6C50DA7614EB305AC18F50

Uniqueness

Uniqueness Score: -1.00%

Function 05E5CDB8, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251772923.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f85fbe4b566237fd6cb683929ef71cfea53b7729efa2dcd81de6f52eddca77f
Instruction ID: fb54d4e10623a4b0313f1c7b271a27e6d219665f28caa5a9449829496db31fd5
Opcode Fuzzy Hash: 2f85fbe4b566237fd6cb683929ef71cfea53b7729efa2dcd81de6f52eddca77f
Instruction Fuzzy Hash: 76514A70E042199FCB08CFA6C5505AEFBF2BF89310F24D46AD859A7255E7349A42CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05E5B1E0, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251772923.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cba067c27a7145a10215b6fce4bbccacc4352795e2e7cf49a852b3d02b1589c
Instruction ID: 8255c0f02fccc77efbfb9ee0115fb499b161219389b13a36c7b4935c0d27c838
Opcode Fuzzy Hash: 8cba067c27a7145a10215b6fce4bbccacc4352795e2e7cf49a852b3d02b1589c
Instruction Fuzzy Hash: F551F474E042199FCB04DFAAC5809AEFBF2FF89314F14D169E419A7355DB349941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 031978A8, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 440718fe58fcd08ba7424c720443264f686ef06365e82374b36f851be583ae93
Instruction ID: bfde85c0e07c08928ea02b1eb548f1916238be61e17ce49119cdafbf37580fb7
Opcode Fuzzy Hash: 440718fe58fcd08ba7424c720443264f686ef06365e82374b36f851be583ae93
Instruction Fuzzy Hash: AC514C71D5462A8BDB28CF65C9447AABBB2FFC8300F1086EAC509A7654EB305AC58F40

Uniqueness

Uniqueness Score: -1.00%

Function 03190A42, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b3dcbb324d176d135af6b4cb03f1de790d0e4bdaf9b8dff80e6f5f766462c9d
Instruction ID: b332043580e1258fe78c5224e063aa09cc6bafe3d8c85aafb4920c4ea9f635cf
Opcode Fuzzy Hash: 5b3dcbb324d176d135af6b4cb03f1de790d0e4bdaf9b8dff80e6f5f766462c9d
Instruction Fuzzy Hash: 3F410574E0460A9FDB08CFAAC4815AEFBB2BF8C310F24D56AC415E7254D3349A868F94

Uniqueness

Uniqueness Score: -1.00%

Function 03190A50, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78c68196191b0860259133ca5aad40da5e6a1b05dfaf8ee81c2c6ccd1cf163b2
Instruction ID: db28c1715c91969090f268e6da81ecf64fe8ae918a7528cf1a5a430ab19e2d71
Opcode Fuzzy Hash: 78c68196191b0860259133ca5aad40da5e6a1b05dfaf8ee81c2c6ccd1cf163b2
Instruction Fuzzy Hash: 084104B4E0460ADFDF48CFAAC4815AEFBB2BB8C300F24D46AC415B7254D3349A818F94

Uniqueness

Uniqueness Score: -1.00%

Function 03190EF1, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e0e8a8837c10c5f9686a2c68589a5fdf1a087e90d12d7e9c56eae51b1907d5
Instruction ID: d93dc112aabe146b9d38319d7179c1b6cd15be00bd7f99adfe1aaeb0f1fdb301
Opcode Fuzzy Hash: b1e0e8a8837c10c5f9686a2c68589a5fdf1a087e90d12d7e9c56eae51b1907d5
Instruction Fuzzy Hash: AB41FE71E0520A9FDB04CFA9C5415AEFBF2FF8C300F25C5AAD509E7254D7349A818B91

Uniqueness

Uniqueness Score: -1.00%

Function 03197B20, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63004ea1810e60dbb260a3c320e0f8f1e470a3bd25a0be1b9dc63e956a4947bd
Instruction ID: 463f4f6eca6ac5ba372109f3fe4572a76dd5769563ba4ef81a096ccdaaa65267
Opcode Fuzzy Hash: 63004ea1810e60dbb260a3c320e0f8f1e470a3bd25a0be1b9dc63e956a4947bd
Instruction Fuzzy Hash: 12514B71D5462ACFCB68CF65C9807E9BBB2FF99300F1096EAC009A7654EB705AC18F40

Uniqueness

Uniqueness Score: -1.00%

Function 03197ABA, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2748502649108376d3b143199e1d84770eabf6f7a9b467f7f9b65242300a4470
Instruction ID: 283a6520ad0373c975bf5698064d7667ea20ae3b2cdf9b5879873d91733098cf
Opcode Fuzzy Hash: 2748502649108376d3b143199e1d84770eabf6f7a9b467f7f9b65242300a4470
Instruction Fuzzy Hash: F2512770D5462ACFCB64CF65C9807E9BBB2FF99300F1096EAC119A6650EB705AC18F50

Uniqueness

Uniqueness Score: -1.00%

Function 03190F00, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79ea55a20e48961cdb62800a238be73039997832d9316eb253238c93f2e8eddb
Instruction ID: 83a91a91bfd821ba716e0b99ea1de403afbff81ba332ca6bcadf535d5a47c4db
Opcode Fuzzy Hash: 79ea55a20e48961cdb62800a238be73039997832d9316eb253238c93f2e8eddb
Instruction Fuzzy Hash: 3541ECB1E0520ADFDB48CFAAC5415AEFBF2FF8C300F25C56AC519A7254D7349A818B94

Uniqueness

Uniqueness Score: -1.00%

Function 05E5D7C9, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251772923.0000000005E50000.00000040.00000001.sdmp, Offset: 05E50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed079b2de014be4bb5d4f13d744bc89a9b3dc1cdfdd68b304cd378ceed3c68e
Instruction ID: 337a7f3833a06efd64d3cb1f6301bb83d94f5f32e06e1be244b90b7f5c93b42a
Opcode Fuzzy Hash: eed079b2de014be4bb5d4f13d744bc89a9b3dc1cdfdd68b304cd378ceed3c68e
Instruction Fuzzy Hash: 07212871E056588BDB19CFA6D9406DEFBB7EFC9310F14C1AAD408AB255EB340A468B90

Uniqueness

Uniqueness Score: -1.00%

Function 031921B8, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a4df9aadd52cd5ba5e3830bcd3da1e187645730c9f3c84d0cf953bcd015b9d
Instruction ID: 27bc79af1de5246b0fb8764a330bffa6eee7515a5869ae7e5bf11a1ab783bd17
Opcode Fuzzy Hash: 82a4df9aadd52cd5ba5e3830bcd3da1e187645730c9f3c84d0cf953bcd015b9d
Instruction Fuzzy Hash: F0217C71E012189BEB08CFAAED40A9EFBF7EFC8310F14C46AD508B7254DB3059468B61

Uniqueness

Uniqueness Score: -1.00%

Function 03196151, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243669791.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abca216e52cdbca1411c0aeebce2675178b054c33ef2fc6d3388be4754905521
Instruction ID: b9a24ef32204ec0f855ffb18fde6d81a0f273a6a84bc2bf9165261db60cf0948
Opcode Fuzzy Hash: abca216e52cdbca1411c0aeebce2675178b054c33ef2fc6d3388be4754905521
Instruction Fuzzy Hash: FA213871E112199BDB08CFAAE8406DEFBF7EBC8210F14C07BD408A7255EB305A05CBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 5404 Parent PID: 5688 RegSvcs.exeCOMMON

Executed Functions

Function 069237D8, Relevance: 1.7, APIs: 1, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.496882445.0000000006920000.00000040.00000001.sdmp, Offset: 06920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ce8bb4d5c3e58110c2d05acc9562e9bc71bbb9a06a520621397c3b0935586a
Instruction ID: a10a3901cd5e870d6ba1be9e667ac6fa355f0af5ec2097f7e64c8b339ddd456d
Opcode Fuzzy Hash: 83ce8bb4d5c3e58110c2d05acc9562e9bc71bbb9a06a520621397c3b0935586a
Instruction Fuzzy Hash: B7817571D0026ACFDB10CFA9D8806EEBBB5FF49314F20852AD415BB644EB74994ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 02F893E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02F8962E

Memory Dump Source

Source File: 00000004.00000002.488557724.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ecb1a68241e9f611b8d405f41fc909ae5ee4f8a15b18bc23ace475b65ef60f66
Instruction ID: 6df87c9f8914041626f4c6f69346d65c636dd652aab355d296cdeb454ab705b5
Opcode Fuzzy Hash: ecb1a68241e9f611b8d405f41fc909ae5ee4f8a15b18bc23ace475b65ef60f66
Instruction Fuzzy Hash: AD7126B0A00B098FD724EF29C54576ABBF1BF88254F00892DD64AD7B50DB74E805CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02F8FB20, Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02F8FD0A

Memory Dump Source

Source File: 00000004.00000002.488557724.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6bc32eb0300892a0047e09d62df9a246442c7730c468db4f90acd9876c164da2
Instruction ID: 9320f8b90ad6d5178dc377b2427fbf19371e16646e5ed4718ede1499cb1c3a1e
Opcode Fuzzy Hash: 6bc32eb0300892a0047e09d62df9a246442c7730c468db4f90acd9876c164da2
Instruction Fuzzy Hash: 9A6146B2C043889FCB15CFA9C880ACEBFB1FF49314F18825AE915AB251D7749945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06923884, Relevance: 1.6, APIs: 1, Instructions: 145networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 069239B8

Memory Dump Source

Source File: 00000004.00000002.496882445.0000000006920000.00000040.00000001.sdmp, Offset: 06920000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 119f1366186f069c72d21df28dfcbce940fd2f0465152296d28c29c837d5d90e
Instruction ID: e6c328e49cc615819207062dd9f55b6693ce934e1c88fe921154e98b543c3c0c
Opcode Fuzzy Hash: 119f1366186f069c72d21df28dfcbce940fd2f0465152296d28c29c837d5d90e
Instruction Fuzzy Hash: 6A5154B1D002698FDF10CFA9D9806DEBBB5FF49314F20812AE815B7644DB749846CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02F8FB98, Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02F8FD0A

Memory Dump Source

Source File: 00000004.00000002.488557724.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 90d0c6e05d168887d0adf92092a705f2fd684af6f97f41fe92ff074d7466f0ba
Instruction ID: 65c5048f2c046ea0affbd1c7f2c79849f1d72ac907cacb465d60a36eb7f4ccaa
Opcode Fuzzy Hash: 90d0c6e05d168887d0adf92092a705f2fd684af6f97f41fe92ff074d7466f0ba
Instruction Fuzzy Hash: 56514372C00248AFCF05DFA9C980ACEBFB1FF49304F55826AE919AB221D7359945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06921B75, Relevance: 1.6, APIs: 1, Instructions: 144networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 069239B8

Memory Dump Source

Source File: 00000004.00000002.496882445.0000000006920000.00000040.00000001.sdmp, Offset: 06920000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: ecefd042c4c214c3a4cecd4846b7b5fc0a932728c57c57b6783a4c19b1e77578
Instruction ID: 58f5d93b457512460234a2db1e4bc178b61717be92e291b74c21b73252653d2c
Opcode Fuzzy Hash: ecefd042c4c214c3a4cecd4846b7b5fc0a932728c57c57b6783a4c19b1e77578
Instruction Fuzzy Hash: 7C5133B0D0026D9FDF10CFA9D9806DEBBB5FF49314F20852AE815AB644DB749846CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06921B7C, Relevance: 1.6, APIs: 1, Instructions: 140networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 069239B8

Memory Dump Source

Source File: 00000004.00000002.496882445.0000000006920000.00000040.00000001.sdmp, Offset: 06920000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 00b4e72a36d9a115a2b67d46208cdb6e1278c4ff7c9cc3371e657ac7cbbae06a
Instruction ID: 8d505e8a1f5390f55dbfd6172fcf848990916953cee5a4f9b0a4311f47361465
Opcode Fuzzy Hash: 00b4e72a36d9a115a2b67d46208cdb6e1278c4ff7c9cc3371e657ac7cbbae06a
Instruction Fuzzy Hash: 355133B0D0026D9FDF10CFA9D9806DEBBB5BF49314F208529E815BB644DB749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02F8DA04, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02F8FD0A

Memory Dump Source

Source File: 00000004.00000002.488557724.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b5d4583d4db5d8383adac49910583eb1eb35e03eefe2e150c98ea155db1ef5c1
Instruction ID: d1b3d552de62bd6a4217b2b03e0ffff02954b1631692ffc9ebec172cd6c8a2a1
Opcode Fuzzy Hash: b5d4583d4db5d8383adac49910583eb1eb35e03eefe2e150c98ea155db1ef5c1
Instruction Fuzzy Hash: 7C51EEB1D003089FDB14DF99C980ADEFBB5BF88354F64822AE919AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02F8A14C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F8BCC6,?,?,?,?,?), ref: 02F8BD87

Memory Dump Source

Source File: 00000004.00000002.488557724.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 515d2b940fc18aa761117717429fb69b42a201de9fb35e4be620616bce48582d
Instruction ID: 2ca8e11888885b0ce5c3aaafe75e0823248b0edf449c0e2abb5f068a36ebbc06
Opcode Fuzzy Hash: 515d2b940fc18aa761117717429fb69b42a201de9fb35e4be620616bce48582d
Instruction Fuzzy Hash: 3A2103B5900248AFCB10CF99D984AEEFBF4EB48324F14841AE955B3310D374A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F8BCF9, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F8BCC6,?,?,?,?,?), ref: 02F8BD87

Memory Dump Source

Source File: 00000004.00000002.488557724.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6652f0cde3f14dcd4dec319a575e3546596b9cf13ef14ade6f0f61f63ce4262b
Instruction ID: 4044cf89b805b3a694dc40f1f0b2ce157bcb8060584f1d82b9935fb83fd17e26
Opcode Fuzzy Hash: 6652f0cde3f14dcd4dec319a575e3546596b9cf13ef14ade6f0f61f63ce4262b
Instruction Fuzzy Hash: F82103B6D00248AFDB10CFA9D584AEEBBF4EB48324F15841AE954B3310D378A944DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F88768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02F896A9,00000800,00000000,00000000), ref: 02F898BA

Memory Dump Source

Source File: 00000004.00000002.488557724.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 396bec34ee17ed00a6cdf2bc2e78d544ea106aa71f960e11be727cc8808b4923
Instruction ID: d3395431f88001016489d2f76fefb0828ea717b2c3e79d0dc140b9d57f013364
Opcode Fuzzy Hash: 396bec34ee17ed00a6cdf2bc2e78d544ea106aa71f960e11be727cc8808b4923
Instruction Fuzzy Hash: BB11F2B6D002498BCB10DF9AC444AEEFBF4EB48354F45842AE515B7700C7B5A949CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02F89849, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02F896A9,00000800,00000000,00000000), ref: 02F898BA

Memory Dump Source

Source File: 00000004.00000002.488557724.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7376b1a25e0fedc6217508ddd4631cd755dadc4335adfd92b99d864660ed0eb9
Instruction ID: ee481f3227f16a1459b42da5caa5737025474eb982770470bdbe01d55f31dc24
Opcode Fuzzy Hash: 7376b1a25e0fedc6217508ddd4631cd755dadc4335adfd92b99d864660ed0eb9
Instruction Fuzzy Hash: 1D1103B6D002498FCB10DF9AC844AEEFBF4EB48354F45842AE569B7300C775A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02F895C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02F8962E

Memory Dump Source

Source File: 00000004.00000002.488557724.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 40a156d96baab7d87969d4071e0e0fb8c637b01de356fa877f8674d03787902e
Instruction ID: 6390f792be5821c309b0c47b5c2e2ac21da80df01ddfbb4140bb7559d52acb22
Opcode Fuzzy Hash: 40a156d96baab7d87969d4071e0e0fb8c637b01de356fa877f8674d03787902e
Instruction Fuzzy Hash: 9B110FB1D002898FCB10DF9AC444ADEFBF4AF88224F15841AD529A7300C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F8DA3C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02F8FE28,?,?,?,?), ref: 02F8FE9D

Memory Dump Source

Source File: 00000004.00000002.488557724.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: beb32345974e6717f5035fe5b4d5cdddcca5c2aa04ca07908f5c7c6827b3acc2
Instruction ID: 0f715f01cc031afd080c7f53db71a123d211a76187b8a96fd618f9f7dd62e8e0
Opcode Fuzzy Hash: beb32345974e6717f5035fe5b4d5cdddcca5c2aa04ca07908f5c7c6827b3acc2
Instruction Fuzzy Hash: DA1122B29002488FCB10DF89D588BDEFBF8EB48324F50855AE919B7740C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F8FE38, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02F8FE28,?,?,?,?), ref: 02F8FE9D

Memory Dump Source

Source File: 00000004.00000002.488557724.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: a27c6e716198dd4e0f4db4cd75ac6ca3d31e02b30d38ec917d28d2da5facaba9
Instruction ID: 3ee52bc88e32cee564bbe5afc4c24e9e19e282fb3ec5239d39be324715e86905
Opcode Fuzzy Hash: a27c6e716198dd4e0f4db4cd75ac6ca3d31e02b30d38ec917d28d2da5facaba9
Instruction Fuzzy Hash: F11133B59002489FCB10DF99D589BDEFBF8EB48324F10850AE959B3300C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0692C120, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.496882445.0000000006920000.00000040.00000001.sdmp, Offset: 06920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea403397f68a38da7e8c713c372f3aa78757c81af8400971ec91745822a50b5
Instruction ID: 511839967bb1be8010be9de480bb5c123208e911ae88da69c636b773d30a98dc
Opcode Fuzzy Hash: 9ea403397f68a38da7e8c713c372f3aa78757c81af8400971ec91745822a50b5
Instruction Fuzzy Hash: DE510278E0124CDFDB40DFA4D855AEEBBB2FB89314F208029E915AB398DB706945DF50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 5400 Parent PID: 904 RegSvcs.exeCOMMON

Executed Functions

Function 01250744, Relevance: 1.7, APIs: 1, Instructions: 168COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 01251BEB

Memory Dump Source

Source File: 0000000B.00000002.265579671.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 9fc9e1542a18deba1cc07df3dd905efa8041bbe657011615a2c4f04b792795bd
Instruction ID: dd37642215a11daa9efb995f9806356a9b90f771f4030b6e3f71eecb1ed08662
Opcode Fuzzy Hash: 9fc9e1542a18deba1cc07df3dd905efa8041bbe657011615a2c4f04b792795bd
Instruction Fuzzy Hash: BB713270D102198FDB24CF99C98479EBBF1BF48314F25812DE919AB350EB74A945CF81

Uniqueness

Uniqueness Score: -1.00%

Function 01251A43, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 01251BEB

Memory Dump Source

Source File: 0000000B.00000002.265579671.0000000001250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 5d6d0fb7c11f49dbad1a1c5aba960b2d117353291e96d204f7385c043a10d106
Instruction ID: 34f7c6da6ebc0844838fc5c790f7fc1b21014fae78934bbc6bb2c5486624c86f
Opcode Fuzzy Hash: 5d6d0fb7c11f49dbad1a1c5aba960b2d117353291e96d204f7385c043a10d106
Instruction Fuzzy Hash: AA712270D102198FDB24CFA9C98479EBBF1BF48314F25812EE919AB350EB74A955CF81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 5824 Parent PID: 904 dhcpmon.exeCOMMON

Executed Functions

Function 02111A3C, Relevance: 1.7, APIs: 1, Instructions: 169COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 02111BEB

Memory Dump Source

Source File: 0000000E.00000002.267029498.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: aa54cb0d660e5f8c03323fe62aa0c7df43f9a1713ae998a5a96f1017d1576a70
Instruction ID: 4574eff7e7f16579ae03069eba6aa0ae9d299e406125ee30017e681241162f74
Opcode Fuzzy Hash: aa54cb0d660e5f8c03323fe62aa0c7df43f9a1713ae998a5a96f1017d1576a70
Instruction Fuzzy Hash: 5D7111B0D002199FDB24CF99C984A9EFBF1BF48314F258129E919AB350EB34A945CF85

Uniqueness

Uniqueness Score: -1.00%

Function 02110744, Relevance: 1.7, APIs: 1, Instructions: 168COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 02111BEB

Memory Dump Source

Source File: 0000000E.00000002.267029498.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 35953981e9c62ac0b4ae3a3c827dc631bd9c00c32180ce9ac51df0282d884184
Instruction ID: cae1a1134236011e52b1cd05289942d6301fc35669712d71d3bf08d5f91f37fc
Opcode Fuzzy Hash: 35953981e9c62ac0b4ae3a3c827dc631bd9c00c32180ce9ac51df0282d884184
Instruction Fuzzy Hash: 537112B0D002199FDB24CF99C98479EFBF1BF48314F258129E919AB350EB34A945CF95

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report ANS_309487487_#049844874.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution