
Analysis Report note-mxm.exe

Overview

General Information

Sample Name: note-mxm.exe
Analysis ID: 402865
MD5: 116db2200d9be33529615fc98907d4d8
SHA1: 29cf6588682aca66c59e41e0517ede00c75cc76d
SHA256: 43bc7ada65633263e408152d7b117de464c9d23b2758d96a6822bde9ad27b170
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Startup

  • System is w10x64
  • note-mxm.exe (PID: 6860 cmdline: 'C:\Users\user\Desktop\note-mxm.exe' MD5: 116DB2200D9BE33529615FC98907D4D8)
    • schtasks.exe (PID: 7064 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fGAhpbrTQZcHeY' /XML 'C:\Users\user\AppData\Local\Temp\tmp943B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • note-mxm.exe (PID: 7120 cmdline: C:\Users\user\Desktop\note-mxm.exe MD5: 116DB2200D9BE33529615FC98907D4D8)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "cbea22e5-f897-4039-a352-cfbfd96f", "Group": "chase1", "Domain1": "45.137.22.50", "Domain2": "127.0.0.1", "Port": 4557, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x11e25d:$x1: NanoCore.ClientPluginHost
  • 0x150a7d:$x1: NanoCore.ClientPluginHost
  • 0x11e29a:$x2: IClientNetworkHost
  • 0x150aba:$x2: IClientNetworkHost
  • 0x121dcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x1545ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x11dfc5:$a: NanoCore
  • 0x11dfd5:$a: NanoCore
  • 0x11e209:$a: NanoCore
  • 0x11e21d:$a: NanoCore
  • 0x11e25d:$a: NanoCore
  • 0x1507e5:$a: NanoCore
  • 0x1507f5:$a: NanoCore
  • 0x150a29:$a: NanoCore
  • 0x150a3d:$a: NanoCore
  • 0x150a7d:$a: NanoCore
  • 0x11e024:$b: ClientPlugin
  • 0x11e226:$b: ClientPlugin
  • 0x11e266:$b: ClientPlugin
  • 0x150844:$b: ClientPlugin
  • 0x150a46:$b: ClientPlugin
  • 0x150a86:$b: ClientPlugin
  • 0x11e14b:$c: ProjectData
  • 0x15096b:$c: ProjectData
  • 0x11eb52:$d: DESCrypto
  • 0x151372:$d: DESCrypto
  • 0x12651e:$e: KeepAlive
00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
Process Memory Space: note-mxm.exe PID: 6860 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.note-mxm.exe.40870d0.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x429ad:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x429ea:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.note-mxm.exe.40870d0.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x42725:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x429ad:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x43fe6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x43fda:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x44e8b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x4ac42:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
  • 0x429d7:$s5: IClientLoggingHost
0.2.note-mxm.exe.40870d0.2.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.note-mxm.exe.40870d0.2.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0x42715:$a: NanoCore
  • 0x42725:$a: NanoCore
  • 0x42959:$a: NanoCore
  • 0x4296d:$a: NanoCore
  • 0x429ad:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x42774:$b: ClientPlugin
  • 0x42976:$b: ClientPlugin
  • 0x429b6:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x4289b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x432a2:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
0.2.note-mxm.exe.40870d0.2.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\note-mxm.exe, ProcessId: 7120, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fGAhpbrTQZcHeY' /XML 'C:\Users\user\AppData\Local\Temp\tmp943B.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fGAhpbrTQZcHeY' /XML 'C:\Users\user\AppData\Local\Temp\tmp943B.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\note-mxm.exe', ParentImage: C:\Users\user\Desktop\note-mxm.exe, ParentProcessId: 6860, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fGAhpbrTQZcHeY' /XML 'C:\Users\user\AppData\Local\Temp\tmp943B.tmp', ProcessId: 7064

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.note-mxm.exe.40870d0.2.raw.unpack | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "cbea22e5-f897-4039-a352-cfbfd96f", "Group": "chase1", "Domain1": "45.137.22.50", "Domain2": "127.0.0.1", "Port": 4557, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\fGAhpbrTQZcHeY.exe | Metadefender: Detection: 27%
Source: C:\Users\user\AppData\Roaming\fGAhpbrTQZcHeY.exe | ReversingLabs: Detection: 57%
Multi AV Scanner detection for submitted file
Source: note-mxm.exe | Metadefender: Detection: 27%
Source: note-mxm.exe | ReversingLabs: Detection: 57%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.note-mxm.exe.40870d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.note-mxm.exe.40870d0.2.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\fGAhpbrTQZcHeY.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: note-mxm.exe | Joe Sandbox ML: detected
Source: note-mxm.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: note-mxm.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49742 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49747 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49748 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49751 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49753 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49754 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49758 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49768 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49769 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49775 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49776 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49778 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49779 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49781 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49783 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49784 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49785 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49786 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49787 -> 45.137.22.50:4557
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: 45.137.22.50
Source: Malware configuration extractor | URLs: 127.0.0.1
Source: global traffic | TCP traffic: 192.168.2.4:49742 -> 45.137.22.50:4557
Source: Joe Sandbox View | IP Address: 45.137.22.50
Source: Joe Sandbox View | ASN Name: ROOTLAYERNETNL
Source: unknown | TCP traffic detected without corresponding DNS query: 45.137.22.50
Source: note-mxm.exe, 00000000.00000002.670657533.0000000002F71000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: note-mxm.exe, 00000000.00000002.670401401.00000000013DA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.note-mxm.exe.40870d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.note-mxm.exe.40870d0.2.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.note-mxm.exe.40870d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.note-mxm.exe.40870d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.note-mxm.exe.40870d0.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.note-mxm.exe.40870d0.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_00BD6C06
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_05536F68
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_055372F0
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_05538491
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_05538718
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_055383F0
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_0553EB38
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_0553D558
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_0553D548
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_05537348
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_0553738D
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_05537840
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\fGAhpbrTQZcHeY.exe 43BC7ADA65633263E408152D7B117DE464C9D23B2758D96A6822BDE9AD27B170
Source: note-mxm.exe, 00000000.00000002.670586898.00000000014A9000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameSeekOrigin.exeP vs note-mxm.exe
Source: note-mxm.exe, 00000000.00000002.672562684.000000000413E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs note-mxm.exe
Source: note-mxm.exe, 00000000.00000002.676279917.000000000BF20000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs note-mxm.exe
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs note-mxm.exe
Source: note-mxm.exe, 00000000.00000002.670401401.00000000013DA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs note-mxm.exe
Source: note-mxm.exe, 00000005.00000003.672190079.0000000006D32000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs note-mxm.exe
Source: note-mxm.exe, 00000005.00000000.663314117.0000000000F02000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSeekOrigin.exeP vs note-mxm.exe
Source: note-mxm.exe | Binary or memory string: OriginalFilenameSeekOrigin.exeP vs note-mxm.exe
Source: note-mxm.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.note-mxm.exe.40870d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.note-mxm.exe.40870d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.note-mxm.exe.40870d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.note-mxm.exe.40870d0.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.note-mxm.exe.40870d0.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.note-mxm.exe.40870d0.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: note-mxm.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: fGAhpbrTQZcHeY.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/8@0/1
Source: C:\Users\user\Desktop\note-mxm.exe | File created: C:\Users\user\AppData\Roaming\fGAhpbrTQZcHeY.exe
Source: C:\Users\user\Desktop\note-mxm.exe | Mutant created: \Sessions\1\BaseNamedObjects\TiHcXXCDXKvJ
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_01
Source: C:\Users\user\Desktop\note-mxm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{cbea22e5-f897-4039-a352-cfbfd96fa986}
Source: C:\Users\user\Desktop\note-mxm.exe | File created: C:\Users\user\AppData\Local\Temp\tmp943B.tmp
Source: C:\Users\user\Desktop\note-mxm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\note-mxm.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\note-mxm.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: note-mxm.exe | Metadefender: Detection: 27%
Source: note-mxm.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\note-mxm.exe | File read: C:\Users\user\Desktop\note-mxm.exe
Source: unknown | Process created: C:\Users\user\Desktop\note-mxm.exe 'C:\Users\user\Desktop\note-mxm.exe'
Source: C:\Users\user\Desktop\note-mxm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fGAhpbrTQZcHeY' /XML 'C:\Users\user\AppData\Local\Temp\tmp943B.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\note-mxm.exe | Process created: C:\Users\user\Desktop\note-mxm.exe C:\Users\user\Desktop\note-mxm.exe
Source: C:\Users\user\Desktop\note-mxm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\note-mxm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: note-mxm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: note-mxm.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: initial sample | Static PE information: section name: .text entropy: 7.83711506914
Source: C:\Users\user\Desktop\note-mxm.exe | File created: C:\Users\user\AppData\Roaming\fGAhpbrTQZcHeY.exe (dropped file)

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\note-mxm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fGAhpbrTQZcHeY' /XML 'C:\Users\user\AppData\Local\Temp\tmp943B.tmp'

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\note-mxm.exe | File opened: C:\Users\user\Desktop\note-mxm.exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\note-mxm.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\note-mxm.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: note-mxm.exe PID: 6860, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: C:\Users\user\Desktop\note-mxm.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\note-mxm.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\note-mxm.exe | Window / User API: threadDelayed 4610
          Source: C:\Users\user\Desktop\note-mxm.exe | Window / User API: threadDelayed 4454
          Source: C:\Users\user\Desktop\note-mxm.exe | Window / User API: foregroundWindowGot 637
          Source: C:\Users\user\Desktop\note-mxm.exe | Window / User API: foregroundWindowGot 782
          Source: C:\Users\user\Desktop\note-mxm.exe TID: 6864 | Thread sleep time: -99002s >= -30000s
          Source: C:\Users\user\Desktop\note-mxm.exe TID: 3840 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\note-mxm.exe TID: 6264 | Thread sleep time: -12912720851596678s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\note-mxm.exe | Thread delayed: delay time: 99002
          Source: C:\Users\user\Desktop\note-mxm.exe | Thread delayed: delay time: 922337203685477
          Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: C:\Users\user\Desktop\note-mxm.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\note-mxm.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\note-mxm.exe | Memory allocated: page read and write | page guard
          Source: C:\Users\user\Desktop\note-mxm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fGAhpbrTQZcHeY' /XML 'C:\Users\user\AppData\Local\Temp\tmp943B.tmp'
          Source: C:\Users\user\Desktop\note-mxm.exe | Process created: C:\Users\user\Desktop\note-mxm.exe C:\Users\user\Desktop\note-mxm.exe
          Source: C:\Users\user\Desktop\note-mxm.exe | Queries volume information: C:\Users\user\Desktop\note-mxm.exe VolumeInformation
          Source: C:\Users\user\Desktop\note-mxm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\note-mxm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\note-mxm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\note-mxm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\note-mxm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\note-mxm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\note-mxm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\Desktop\note-mxm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\note-mxm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\note-mxm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

          Stealing of Sensitive Information:

          Yara detected Nanocore RAT
          Source: Yara match | File source: 00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0.2.note-mxm.exe.40870d0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.note-mxm.exe.40870d0.2.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Detected Nanocore Rat
          Source: note-mxm.exe, 00000005.00000003.672190079.0000000006D32000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Yara detected Nanocore RAT
          Source: Yara match | File source: 00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0.2.note-mxm.exe.40870d0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.note-mxm.exe.40870d0.2.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation (1) | Scheduled Task/Job (1) | Process Injection (11) | Masquerading (1) | Input Capture (1) | Query Registry (1) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job (1) | Boot or Logon Initialization Scripts | Scheduled Task/Job (1) | Disable or Modify Tools (1) | LSASS Memory | Security Software Discovery (221) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (11) | NTDS | Virtualization/Sandbox Evasion (31) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (1) | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories (1) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (1) | Cached Domain Credentials | File and Directory Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing (2) | DCSync | System Information Discovery (12) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

          Behavior Graph


          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          note-mxm.exe | 30% | Metadefender |
          note-mxm.exe | 57% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
          note-mxm.exe | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Roaming\fGAhpbrTQZcHeY.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Roaming\fGAhpbrTQZcHeY.exe | 30% | Metadefender |
          C:\Users\user\AppData\Roaming\fGAhpbrTQZcHeY.exe | 57% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          45.137.22.50 | 0% | Avira URL Cloud | safe
          127.0.0.1 | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          No contacted domains info

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          45.137.22.50 | true | Avira URL Cloud: safe | unknown
          127.0.0.1 | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | note-mxm.exe, 00000000.00000002.670657533.0000000002F71000.00000004.00000001.sdmp | false | | high
          https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | false | | high

              Contacted IPs


              Public

              IP | Domain | Country | ASN | ASN Name | Malicious
              45.137.22.50 | unknown | Netherlands | 51447 | ROOTLAYERNETNL | true

              General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 402865
Start date: 03.05.2021
Start time: 15:06:57
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 49s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: note-mxm.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@6/8@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 7
• Number of non-executed functions: 8
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/402865/sample/note-mxm.exe

              Simulations

              Behavior and APIs

Time | Type | Description
15:07:49 | API Interceptor | 1037x Sleep call for process: note-mxm.exe modified

              Joe Sandbox View / Context

              IPs

Match | Associated Sample Name / URL | Detection
45.137.22.50 | purchase order confirmation.exe | malicious
45.137.22.50 | purchase order acknowledgement.exe | malicious
45.137.22.50 | TBBurmah Trading Co., Ltd - products inquiry .exe | malicious
45.137.22.50 | PURCHASE ORDER - #0022223 DATED 29042021.exe | malicious
45.137.22.50 | PURCHASE ORDER - #0022223, date29042021.exe | malicious
45.137.22.50 | B_N SAO SWIFT MT103.exe | malicious
45.137.22.50 | PURCHASE ORDER - #0022223 DATED 28042021.exe | malicious
45.137.22.50 | Al kabous group Ltd - purchase order #04272021.exe | malicious
45.137.22.50 | Mack Trading Limited - products list.exe | malicious
45.137.22.50 | Kim Quy Trading - PRODUCTS LISTS.exe | malicious

                                  Domains

                                  No context

                                  ASN

Match | Associated Sample Name / URL | Detection | Context
ROOTLAYERNETNL | purchase order confirmation.exe | malicious | 45.137.22.50
ROOTLAYERNETNL | purchase order acknowledgement.exe | malicious | 45.137.22.50
ROOTLAYERNETNL | TBBurmah Trading Co., Ltd - products inquiry .exe | malicious | 45.137.22.50
ROOTLAYERNETNL | FRIEGHT PAYMENT 41,634.20 USD..exe | malicious | 45.137.22.107
ROOTLAYERNETNL | Due Invoices.exe | malicious | 45.137.22.107
ROOTLAYERNETNL | PURCHASE ORDER - #0022223 DATED 29042021.exe | malicious | 45.137.22.50
ROOTLAYERNETNL | PURCHASE ORDER - #0022223, date29042021.exe | malicious | 45.137.22.50
ROOTLAYERNETNL | B_N SAO SWIFT MT103.exe | malicious | 45.137.22.50
ROOTLAYERNETNL | PO0900009.exe | malicious | 185.222.58.152
ROOTLAYERNETNL | PURCHASE ORDER - #0022223 DATED 28042021.exe | malicious | 45.137.22.50
ROOTLAYERNETNL | Order ConfirmationSANQAW12NC9W03.exe | malicious | 185.222.57.152
ROOTLAYERNETNL | PO MT2249C.exe | malicious | 185.222.57.152
ROOTLAYERNETNL | Al kabous LtdPurchase order NO#00421876.exe | malicious | 185.222.57.152
ROOTLAYERNETNL | Al kabous group Ltd - purchase order #04272021.exe | malicious | 45.137.22.50
ROOTLAYERNETNL | 0900000000000000000900.exe | malicious | 185.222.58.152
ROOTLAYERNETNL | P08240421_CIF-Pdf.exe | malicious | 45.137.22.123
ROOTLAYERNETNL | ORD-63648.exe | malicious | 45.137.22.123
ROOTLAYERNETNL | FA0900009000.exe | malicious | 185.222.58.152
ROOTLAYERNETNL | Packinglist&certificate of imports.exe | malicious | 185.222.57.152
ROOTLAYERNETNL | TBF-21-52100456221SLIP.exe | malicious | 185.222.57.152

                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Roaming\fGAhpbrTQZcHeY.exe | purchase order acknowledgement.exe | malicious

                                    Created / dropped Files

                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\note-mxm.exe.log
Process: C:\Users\user\Desktop\note-mxm.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                    C:\Users\user\AppData\Local\Temp\tmp943B.tmp
Process: C:\Users\user\Desktop\note-mxm.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1647
Entropy (8bit): 5.190755160932022
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGb0tn:cbhK79lNQR/rydbz9I3YODOLNdq3Ky
MD5: 9C465D88687A175E59A5172F12074D2C
SHA1: E70078C669274EBEC56EA9BAC13A771C733EA761
SHA-256: 7A090FDE949633CC7492697D753BC20A20967C81CC2FAFDAC5407DA6DF50988C
SHA-512: A4C718EAB9DBDD6FF0A3896F8E68C71489D44F94A5FD2C7F7191BAB6FB14C5384B1D80EAB6C77850022981A951124FF14F234309B2B06E3FE8E260CCEF1CB291
Malicious: true
Reputation: low
                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
Process: C:\Users\user\Desktop\note-mxm.exe
File Type: data
Category: dropped
Size (bytes): 1856
Entropy (8bit): 7.024371743172393
Encrypted: false
SSDEEP: 48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCr
MD5: 838CD9DBC78EA45A5406EAE23962086D
SHA1: C8273AACDEE03AC0CDCDDBAA83F51D04D6A4203C
SHA-256: 6E11A62511C5BBC0413128305069B780C448684B54FAA3E8DD0B4FD3DB8C9867
SHA-512: F7D25EF1FA6F50667DD6785CC774E0AA6BC52A2231FE96E7C59D14EFDFDDA076F6399288CF6EAC8EFA8A75727893432AA155DA0E392F8CD1F26C5C5871EAC6B5
Malicious: false
Reputation: moderate, very likely benign file
                                    Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Users\user\Desktop\note-mxm.exe
File Type: data
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:liw:liw
MD5: 7C5B8D5CE01084BCC3DF9F982DBA59F5
SHA1: E63D0D5F7801A82A6911AA2FF44F4E967A0C7AE6
SHA-256: 11401E31B5922DF5D18F3F361853B328BEE3CB50E5DB7E1151A5532B00417939
SHA-512: A88E44890F986794EA56B6E4F5BAE44D0E52D2DF0F650FE42ADF343F2F5262845883D49514AAB1D9790568C6FF594BAFB289AAB1C3B7B720DFFF96125D494264
Malicious: true
Reputation: low
                                    Preview: -.Mw4..H
                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
Process: C:\Users\user\Desktop\note-mxm.exe
File Type: data
Category: dropped
Size (bytes): 40
Entropy (8bit): 5.153055907333276
Encrypted: false
SSDEEP: 3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5: 4E5E92E2369688041CC82EF9650EDED2
SHA1: 15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256: F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512: 1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious: false
Reputation: moderate, very likely benign file
                                    Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
Process: C:\Users\user\Desktop\note-mxm.exe
File Type: data
Category: dropped
Size (bytes): 327432
Entropy (8bit): 7.99938831605763
Encrypted: true
SSDEEP: 6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5: 7E8F4A764B981D5B82D1CC49D341E9C6
SHA1: D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256: 0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512: 880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious: false
                                    Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                    C:\Users\user\AppData\Roaming\fGAhpbrTQZcHeY.exe
Process: C:\Users\user\Desktop\note-mxm.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 724480
Entropy (8bit): 7.664537233778505
Encrypted: false
SSDEEP: 12288:KYaTBJ1qtapo1SuoMwcQvFLJlCLL/HDtysCfO263+LS7EytLMsq9Sv:KYaT/1qt8oM9MK9PCYV6OmEcL9v
MD5: 116DB2200D9BE33529615FC98907D4D8
SHA1: 29CF6588682ACA66C59E41E0517EDE00C75CC76D
SHA-256: 43BC7ADA65633263E408152D7B117DE464C9D23B2758D96A6822BDE9AD27B170
SHA-512: B4D80A7769365E0975BF03ADD9F59A618E43FA85F12B1A04C40F428FC32BEE65E14EDB4FD38BEB4DD71C5A588762670C0A2CD18452D790289532BE342C5CBF7E
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 30%
• Antivirus: ReversingLabs, Detection: 57%
Joe Sandbox View:
• Filename: purchase order acknowledgement.exe, Detection: malicious
                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....`.....................8........... ........@.. .......................`............@.................................\...W.... ..t4........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc...t4... ...6..................@..@........................H........^...............7...&..........................................z.(......}.....(....o....}....*..*...0...........{......E............8...Z...u................*..}..... ].4S}......}.....*..}..... ..Q.}......}.....*..}......{.... Km.a}......}.....*..}..... ,...}......}.....*..}......{.... ..=.a}......}.....*..}..... ....}......}.....*..}..... "G.R}......}.....*..}.....*...{....*.s ...z.2.{.....i...*....0..<........{......3..{....(....o....3...}......+..s.......{....}..
                                    C:\Users\user\AppData\Roaming\fGAhpbrTQZcHeY.exe:Zone.Identifier
Process: C:\Users\user\Desktop\note-mxm.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
                                    Preview: [ZoneTransfer]....ZoneId=0

                                    Static File Info

                                    General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.664537233778505
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: note-mxm.exe
File size: 724480
MD5: 116db2200d9be33529615fc98907d4d8
SHA1: 29cf6588682aca66c59e41e0517ede00c75cc76d
SHA256: 43bc7ada65633263e408152d7b117de464c9d23b2758d96a6822bde9ad27b170
SHA512: b4d80a7769365e0975bf03add9f59a618e43fa85f12b1a04c40f428fc32bee65e14edb4fd38beb4dd71c5a588762670c0a2cd18452d790289532be342c5cbf7e
SSDEEP: 12288:KYaTBJ1qtapo1SuoMwcQvFLJlCLL/HDtysCfO263+LS7EytLMsq9Sv:KYaT/1qt8oM9MK9PCYV6OmEcL9v
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.....................8........... ........@.. .......................`............@................................

                                    File Icon

Icon Hash: 00a275154a880000

                                    Static PE Info

                                    General

Entrypoint: 0x49f3b6
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x608C93C7 [Fri Apr 30 23:33:27 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                    Entrypoint Preview

                                    Instruction
                                    jmp dword ptr [00402000h]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al

                                    Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9f35c | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa2000 | 0x13474 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                    Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x9d3bc | 0x9d400 | False | 0.882360703994 | data | 7.83711506914 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc | 0xa0000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0xa2000 | 0x13474 | 0x13600 | False | 0.20802671371 | data | 4.32608110804 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name           RVA      Size     Type                                                                                               Language  Country
RT_ICON        0xa2160  0x10828  data
RT_ICON        0xb2988  0x25b5   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON  0xb4f40  0x22     data
RT_VERSION     0xb4f64  0x35c    data
RT_MANIFEST    0xb52c0  0x1b4    XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain
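
The three tables above together describe a managed (.NET) executable: the only import is mscoree.dll!_CorExeMain (the CLR bootstrap), the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR directory at 0x2008 is populated, and the executable .text section has an entropy of 7.84 against a ceiling of 8.0, which is what a packed or encrypted payload looks like rather than plain MSIL. The Python below is an added example, not part of the Joe Sandbox report, that performs those same three checks: it walks the PE headers to the data directories and section table, computes per-section Shannon entropy, decodes the IMAGE_SCN_* flags and tests the COM descriptor. The PE image it runs on is constructed inline (it is not the analysed sample), and the 7.0 entropy threshold is an illustrative assumption, not a value from the report.

```python
"""Added example: static triage of a PE section table. It reads the section
headers, computes each section's Shannon entropy from its raw bytes, decodes
the IMAGE_SCN_* flags and checks whether the COM descriptor directory (index
14) is populated, which is what marks a managed (.NET) image. The PE image
it runs on is constructed inline; it is not the analysed sample."""
import math
import random
import struct

FLAG_NAMES = {  # IMAGE_SCN_* bits that appear in the report's section table
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
COM_DESCRIPTOR_INDEX = 14                     # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
HIGH_ENTROPY = 7.0                            # assumed "packed code" threshold, illustrative


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, approaching 8.0 for uniform random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def flag_names(characteristics: int) -> list:
    return [name for bit, name in FLAG_NAMES.items() if characteristics & bit]


def triage(pe: bytes) -> dict:
    """DOS header -> NT headers -> data directories -> section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dirs = opt_off + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ directory offset
    com_va, com_size = struct.unpack_from("<II", pe, dirs + 8 * COM_DESCRIPTOR_INDEX)

    sections, suspicious = [], []
    for i in range(n_sections):
        fields = SECTION_HDR.unpack_from(pe, opt_off + size_opt + SECTION_HDR.size * i)
        name, vsize, va, raw_size, raw_ptr, chars = (fields[0], fields[1], fields[2],
                                                     fields[3], fields[4], fields[9])
        entropy = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "entropy": round(entropy, 3), "flags": flag_names(chars)})
        # executable section whose bytes look random: the classic packed/encrypted code signal
        if chars & 0x20000000 and entropy > HIGH_ENTROPY:
            suspicious.append(sections[-1]["name"])
    return {"managed": com_va != 0 and com_size != 0,
            "sections": sections, "suspicious": suspicious}


def build_sample_pe() -> bytes:
    """Constructed PE32: populated COM descriptor, pseudo-random executable .text,
    all-zero .reloc. Layout mirrors the report's section names, not its bytes."""
    rng = random.Random(2021)
    text_raw = bytes(rng.getrandbits(8) for _ in range(4096))
    reloc_raw = bytes(512)
    opt = bytearray(224)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 8 * COM_DESCRIPTOR_INDEX, 0x2008, 0x48)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)
    sec_tbl = (SECTION_HDR.pack(b".text", 4096, 0x2000, 4096, 512, 0, 0, 0, 0, 0x60000020)
               + SECTION_HDR.pack(b".reloc", 12, 0x4000, 512, 512 + 4096, 0, 0, 0, 0, 0x42000040))
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec_tbl
    return headers.ljust(512, b"\0") + text_raw + reloc_raw


SAMPLE_PE = build_sample_pe()

if __name__ == "__main__":
    result = triage(SAMPLE_PE)
    print("managed (.NET) image:", result["managed"])
    for s in result["sections"]:
        print(f'{s["name"]:<8} entropy={s["entropy"]:.3f}  {", ".join(s["flags"])}')
    print("high-entropy executable sections:", result["suspicious"])
```

Against the constructed image the .text section scores close to 8.0 and is flagged while the zero-filled .reloc scores 0.0, reproducing the contrast between the 7.84 and 0.10 entries in the report's table. Run it on a real file by replacing SAMPLE_PE with the file's bytes; the entropy threshold should be tuned per corpus, since legitimately compressed resources also score high and the executable flag is what makes the signal meaningful.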

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2017
Assembly Version  1.0.0.0
InternalName      SeekOrigin.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       TechSupportRegistration
ProductVersion    1.0.0.0
FileDescription   TechSupportRegistration
OriginalFilename  SeekOrigin.exe

                                    Network Behavior

                                    Snort IDS Alerts

Timestamp                 Protocol  SID      Message                             Source Port  Dest Port  Source IP    Dest IP
05/03/21-15:07:57.124675  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49742        4557       192.168.2.4  45.137.22.50
05/03/21-15:08:03.659148  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49747        4557       192.168.2.4  45.137.22.50
05/03/21-15:08:10.757124  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49748        4557       192.168.2.4  45.137.22.50
05/03/21-15:08:16.850580  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49751        4557       192.168.2.4  45.137.22.50
05/03/21-15:08:22.830791  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49753        4557       192.168.2.4  45.137.22.50
05/03/21-15:08:28.864359  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49754        4557       192.168.2.4  45.137.22.50
05/03/21-15:08:34.846801  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49758        4557       192.168.2.4  45.137.22.50
05/03/21-15:08:40.971003  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49768        4557       192.168.2.4  45.137.22.50
05/03/21-15:08:46.397894  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49769        4557       192.168.2.4  45.137.22.50
05/03/21-15:08:52.510849  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49775        4557       192.168.2.4  45.137.22.50
05/03/21-15:08:58.520473  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49776        4557       192.168.2.4  45.137.22.50
05/03/21-15:09:04.550871  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49777        4557       192.168.2.4  45.137.22.50
05/03/21-15:09:10.601121  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49778        4557       192.168.2.4  45.137.22.50
05/03/21-15:09:16.600739  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49779        4557       192.168.2.4  45.137.22.50
05/03/21-15:09:22.600482  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49781        4557       192.168.2.4  45.137.22.50
05/03/21-15:09:28.606933  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49783        4557       192.168.2.4  45.137.22.50
05/03/21-15:09:34.634981  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49784        4557       192.168.2.4  45.137.22.50
05/03/21-15:09:40.616698  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49785        4557       192.168.2.4  45.137.22.50
05/03/21-15:09:47.945632  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49786        4557       192.168.2.4  45.137.22.50
05/03/21-15:09:53.914914  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49787        4557       192.168.2.4  45.137.22.50
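
Twenty hits on the same signature (SID 2025019) within two minutes, each from a fresh ephemeral source port to the same 45.137.22.50:4557 and spaced roughly six seconds apart, is a check-in cadence rather than a single download: the rule fires per connection, and the regularity of the timestamps is what separates a RAT beacon from a one-off match. The Python below is an added example, not from the Joe Sandbox report or from Emerging Threats, that parses Snort fast-alert lines and scores each client-to-server flow by how tightly its inter-alert gaps cluster around their median. The NanoCore alert lines are rebuilt from the timestamps and source ports in the table above in Snort's fast-alert layout; the second flow to 10.0.0.5:443 is constructed as a negative case, and the thresholds (5 hits, 25% tolerance, 80% regularity) are illustrative assumptions.

```python
"""Added example: beacon scoring over Snort fast-alert lines. Alerts are grouped
per (source IP, destination IP, destination port) and a flow is flagged when
most of its inter-alert gaps cluster tightly around the median gap. The alert
lines below are constructed from the timestamps and source ports in the report's
Snort table, rendered in Snort's fast-alert layout; the 10.0.0.5 flow is invented."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\] .*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

NANOCORE_LINE = ("{ts} [**] [1:2025019:1] ET TROJAN Possible NanoCore C2 60B [**] "
                 "[Classification: A Network Trojan was detected] [Priority: 1] "
                 "{{TCP}} 192.168.2.4:{sport} -> 45.137.22.50:4557")
NANOCORE_HITS = [  # (timestamp, source port) pairs as listed in the report's Snort table
    ("05/03/21-15:07:57.124675", 49742), ("05/03/21-15:08:03.659148", 49747),
    ("05/03/21-15:08:10.757124", 49748), ("05/03/21-15:08:16.850580", 49751),
    ("05/03/21-15:08:22.830791", 49753), ("05/03/21-15:08:28.864359", 49754),
    ("05/03/21-15:08:34.846801", 49758), ("05/03/21-15:08:40.971003", 49768),
    ("05/03/21-15:08:46.397894", 49769), ("05/03/21-15:08:52.510849", 49775),
    ("05/03/21-15:08:58.520473", 49776), ("05/03/21-15:09:04.550871", 49777),
    ("05/03/21-15:09:10.601121", 49778), ("05/03/21-15:09:16.600739", 49779),
    ("05/03/21-15:09:22.600482", 49781), ("05/03/21-15:09:28.606933", 49783),
    ("05/03/21-15:09:34.634981", 49784), ("05/03/21-15:09:40.616698", 49785),
    ("05/03/21-15:09:47.945632", 49786), ("05/03/21-15:09:53.914914", 49787),
]
NOISE_LINE = ("{ts} [**] [1:2000000:1] TEST irregular TLS alert [**] [Priority: 3] "
              "{{TCP}} 192.168.2.4:{sport} -> 10.0.0.5:443")
NOISE_HITS = [  # constructed: gaps of 1, 30, 2, 120 and 5 seconds, i.e. no cadence
    ("05/03/21-15:07:10.000000", 50001), ("05/03/21-15:07:11.000000", 50002),
    ("05/03/21-15:07:41.000000", 50003), ("05/03/21-15:07:43.000000", 50004),
    ("05/03/21-15:09:43.000000", 50005), ("05/03/21-15:09:48.000000", 50006),
]


def sample_alert_lines() -> list:
    return ([NANOCORE_LINE.format(ts=ts, sport=sp) for ts, sp in NANOCORE_HITS]
            + [NOISE_LINE.format(ts=ts, sport=sp) for ts, sp in NOISE_HITS])


def parse_alert(line: str) -> dict:
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unparsed alert line: {line!r}")
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%m/%d/%y-%H:%M:%S.%f")
    return d


def beacon_report(lines, min_hits=5, tolerance=0.25, min_regularity=0.8) -> dict:
    """Thresholds are illustrative assumptions: at least min_hits alerts, and at
    least min_regularity of the gaps within +/-tolerance of the median gap."""
    flows = defaultdict(list)
    for a in map(parse_alert, lines):
        flows[(a["src"], a["dst"], int(a["dport"]))].append(a["ts"])
    report = {}
    for key, stamps in flows.items():
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        if len(stamps) < max(min_hits, 2):       # need at least one gap to measure
            report[key] = {"hits": len(stamps), "beacon": False}
            continue
        median = statistics.median(gaps)
        regular = sum(1 for g in gaps if abs(g - median) <= tolerance * median) / len(gaps)
        report[key] = {"hits": len(stamps), "median_interval": round(median, 3),
                       "regularity": round(regular, 2), "beacon": regular >= min_regularity}
    return report


if __name__ == "__main__":
    for flow, verdict in beacon_report(sample_alert_lines()).items():
        print(f"{flow[0]} -> {flow[1]}:{flow[2]}  {verdict}")
```

On the report's twenty alerts the median gap comes out at about 6.03 s with every gap inside the 25% band, so the flow to 45.137.22.50:4557 is flagged, while the constructed 10.0.0.5 flow has only one of five gaps near its median and is not. Keying on destination rather than the full 5-tuple matters here: the source port changes on every connection, so a per-connection view would show twenty unrelated singletons.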

                                    Network Port Distribution

                                    TCP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
May 3, 2021 15:07:57.037607908 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.084256887 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.084394932 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.124675035 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.196150064 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.221226931 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.270549059 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.285933971 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.362386942 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.392587900 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.392664909 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.392700911 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.392734051 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.392741919 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.392771959 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.392793894 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.435008049 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.439896107 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.439963102 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.439986944 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.440010071 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.440032959 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.440056086 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.440057039 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.440102100 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.440150023 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.440196991 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.440226078 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.440244913 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.440256119 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.440273046 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.440347910 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.486797094 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.486866951 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.486907005 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.486928940 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.487159014 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.487211943 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.487261057 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.487309933 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.487324953 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.487360954 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.487363100 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.487411976 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.487463951 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.487513065 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.487565994 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.487570047 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.487653017 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.487680912 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.487714052 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.487751007 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.487776041 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.487835884 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.487873077 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.487898111 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.487946987 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.487951040 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.534754038 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.534823895 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.534883022 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.534931898 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.534956932 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.534981966 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.534998894 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.535032988 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.535075903 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.535084963 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.535135031 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.535182953 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.535234928 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.535247087 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.535284996 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.535295010 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.535336018 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.535387039 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.535393953 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.535432100 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.535485029 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.535486937 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.535537004 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.535587072 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.535605907 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.535635948 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.535687923 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.535712957 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.535737991 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.535787106 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.535808086 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.535837889 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.535887957 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.535897017 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.535938978 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.536005020 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.536066055 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.536089897 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.536144972 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.536176920 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.536201954 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.536257029 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.536307096 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.536345959 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.536351919 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.536359072 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.536410093 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.536438942 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.536478043 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.583121061 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.583194017 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.583308935 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.583342075 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.583411932 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.583467007 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.583584070 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.583604097 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.583636999 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.583653927 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.583688021 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.583738089 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.583786011 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.583802938 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.583836079 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.583849907 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.583885908 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.583935022 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.583970070 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.583982944 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.584032059 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.584041119 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.584079981 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.584129095 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.584177017 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.584183931 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.584223032 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.584225893 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.584278107 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.584326982 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.584342003 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.584376097 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.584427118 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.584427118 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.584476948 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.584526062 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.584533930 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.584573984 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.584621906 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.584623098 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.584672928 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.584722996 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.584770918 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.584806919 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.584856033 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.584870100 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.584887981 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.584937096 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.584976912 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.584990025 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.585047007 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.585108042 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.585136890 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.585160971 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.585220098 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.585275888 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.585279942 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.585340023 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.585376978 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.585448027 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.585515976 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.585561037 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.585577965 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.585639954 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.585658073 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.585700989 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.585762978 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.585822105 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.585844040 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.585885048 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.585913897 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.585946083 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.585994959 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.586065054 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.632653952 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.632703066 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.632760048 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.632813931 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.632868052 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.632904053 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.632905006 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.632965088 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.633028984 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.633055925 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.633093119 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.633145094 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.633156061 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.633234978 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.633294106 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.633307934 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.633369923 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.633440971 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.633449078 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.633496046 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.633548021 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.633598089 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.633647919 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.633660078 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.633697987 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.633708000 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.633747101 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.633797884 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.633842945 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.633850098 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.633902073 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.633909941 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.633949995 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.634001017 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.634051085 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.634052038 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.634100914 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.634109020 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.634150028 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.634198904 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.634248972 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.634251118 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.634299040 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.634304047 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.634347916 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.634397030 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.634398937 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.634444952 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.634493113 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.634541035 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.634553909 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.634589911 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.634639025 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.634639978 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.634687901 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.634701014 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.634737015 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.634795904 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.634835958 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.634886026 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.634934902 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.634949923 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.634984016 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.635032892 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.635039091 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.635082006 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.635129929 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.635178089 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.635191917 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.635227919 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.635276079 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.635282040 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.635315895 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.635344982 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.682054996 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.682101965 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.682140112 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.682173014 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.682204962 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.682214022 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.682230949 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.682254076 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.682271957 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.682286024 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.682305098 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.682337046 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.682353020 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.682368040 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.682396889 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.682425976 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.682431936 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.682476044 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.682490110 CEST  49742        4557       192.168.2.4   45.137.22.50
May 3, 2021 15:07:57.682514906 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.682554960 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.682595015 CEST  4557         49742      45.137.22.50  192.168.2.4
May 3, 2021 15:07:57.682609081 CEST  49742        4557       192.168.2.4   45.137.22.50
                                    May 3, 2021 15:07:57.682634115 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.682637930 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.682672977 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.682712078 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.682735920 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.682743073 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.682789087 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.682822943 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.682841063 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.682856083 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.682863951 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.682889938 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.682921886 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.682955027 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.682955980 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.682984114 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683005095 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.683012962 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683044910 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683077097 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683109045 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683125019 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.683140993 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683188915 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.683199883 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683235884 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683274984 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683275938 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.683315039 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683330059 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.683341026 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683388948 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683422089 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683449030 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.683455944 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683480024 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.683516026 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683549881 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683582067 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683602095 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.683614016 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683619976 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.683645964 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683677912 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683701038 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.683710098 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683743954 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683777094 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683778048 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.683819056 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.683832884 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.730514050 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730539083 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730562925 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730587959 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730612993 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730633020 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.730634928 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730657101 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730669022 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.730676889 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730696917 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730696917 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.730716944 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730722904 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.730740070 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730756998 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730766058 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.730782032 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730799913 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730807066 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.730844975 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730856895 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.730865002 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730886936 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730906963 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730916023 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.730925083 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730951071 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730958939 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.730974913 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730998039 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.730999947 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.731018066 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731039047 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731056929 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731077909 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731102943 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.731116056 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731137991 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731156111 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731162071 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.731175900 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731184959 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.731201887 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731219053 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.731220007 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731245995 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731277943 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731290102 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.731296062 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731317997 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731334925 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731344938 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.731354952 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731359959 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.731375933 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731399059 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731410980 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.731412888 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731443882 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731460094 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.731466055 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731492043 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731503963 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.731513977 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731539965 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731556892 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.731563091 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731590033 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731614113 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.731614113 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731638908 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731656075 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.731661081 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731684923 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731702089 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.731709003 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731734037 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731749058 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.731756926 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731784105 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731796026 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.731806040 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731832027 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731847048 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.731857061 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731880903 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731904030 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731910944 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.731929064 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731947899 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.731952906 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731976986 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.731992960 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:57.732001066 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:57.732043982 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:58.477794886 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:58.549604893 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:58.552944899 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:58.627717018 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:58.771871090 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:58.840054035 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:58.886471987 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:58.906177044 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:58.971355915 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:58.971431017 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:59.018661976 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:59.230736017 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:59.277255058 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:59.340070963 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:59.389394045 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:59.471699953 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:59.471843004 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:59.559123039 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:07:59.565237999 CEST45574974245.137.22.50192.168.2.4
                                    May 3, 2021 15:07:59.565330982 CEST497424557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:03.609874010 CEST497474557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:03.657150030 CEST45574974745.137.22.50192.168.2.4
                                    May 3, 2021 15:08:03.657433987 CEST497474557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:03.659147978 CEST497474557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:03.721617937 CEST45574974745.137.22.50192.168.2.4
                                    May 3, 2021 15:08:03.721863031 CEST497474557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:03.727452993 CEST45574974745.137.22.50192.168.2.4
                                    May 3, 2021 15:08:03.727554083 CEST497474557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:03.799685001 CEST45574974745.137.22.50192.168.2.4
                                    May 3, 2021 15:08:03.799801111 CEST497474557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:03.847259045 CEST45574974745.137.22.50192.168.2.4
                                    May 3, 2021 15:08:03.868381977 CEST497474557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:03.943468094 CEST45574974745.137.22.50192.168.2.4
                                    May 3, 2021 15:08:04.052920103 CEST45574974745.137.22.50192.168.2.4
                                    May 3, 2021 15:08:04.055138111 CEST497474557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:04.105520964 CEST45574974745.137.22.50192.168.2.4
                                    May 3, 2021 15:08:04.153399944 CEST497474557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:04.430033922 CEST497474557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:04.477000952 CEST45574974745.137.22.50192.168.2.4
                                    May 3, 2021 15:08:04.477091074 CEST497474557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:04.523972988 CEST45574974745.137.22.50192.168.2.4
                                    May 3, 2021 15:08:04.575001955 CEST497474557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:04.718867064 CEST497474557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:04.783989906 CEST45574974745.137.22.50192.168.2.4
                                    May 3, 2021 15:08:05.686274052 CEST497474557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:05.752897024 CEST45574974745.137.22.50192.168.2.4
                                    May 3, 2021 15:08:06.685420036 CEST497474557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:10.709554911 CEST497484557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:10.756200075 CEST45574974845.137.22.50192.168.2.4
                                    May 3, 2021 15:08:10.756310940 CEST497484557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:10.757123947 CEST497484557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:10.824151993 CEST45574974845.137.22.50192.168.2.4
                                    May 3, 2021 15:08:10.824486971 CEST497484557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:10.871417999 CEST45574974845.137.22.50192.168.2.4
                                    May 3, 2021 15:08:10.882919073 CEST497484557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:10.955893993 CEST45574974845.137.22.50192.168.2.4
                                    May 3, 2021 15:08:11.069176912 CEST45574974845.137.22.50192.168.2.4
                                    May 3, 2021 15:08:11.070735931 CEST497484557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:11.117294073 CEST45574974845.137.22.50192.168.2.4
                                    May 3, 2021 15:08:11.118438959 CEST497484557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:11.165309906 CEST45574974845.137.22.50192.168.2.4
                                    May 3, 2021 15:08:11.165441036 CEST497484557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:11.212300062 CEST45574974845.137.22.50192.168.2.4
                                    May 3, 2021 15:08:11.212441921 CEST497484557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:11.284002066 CEST45574974845.137.22.50192.168.2.4
                                    May 3, 2021 15:08:11.732542992 CEST497484557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:11.799705982 CEST45574974845.137.22.50192.168.2.4
                                    May 3, 2021 15:08:12.732475042 CEST497484557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:16.798791885 CEST497514557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:16.849836111 CEST45574975145.137.22.50192.168.2.4
                                    May 3, 2021 15:08:16.849999905 CEST497514557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:16.850579977 CEST497514557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:16.909022093 CEST45574975145.137.22.50192.168.2.4
                                    May 3, 2021 15:08:16.920537949 CEST45574975145.137.22.50192.168.2.4
                                    May 3, 2021 15:08:16.920820951 CEST497514557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:16.968630075 CEST45574975145.137.22.50192.168.2.4
                                    May 3, 2021 15:08:16.969975948 CEST497514557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:17.034094095 CEST45574975145.137.22.50192.168.2.4
                                    May 3, 2021 15:08:17.162446976 CEST45574975145.137.22.50192.168.2.4
                                    May 3, 2021 15:08:17.163580894 CEST497514557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:17.211702108 CEST45574975145.137.22.50192.168.2.4
                                    May 3, 2021 15:08:17.212951899 CEST497514557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:17.260754108 CEST45574975145.137.22.50192.168.2.4
                                    May 3, 2021 15:08:17.260905981 CEST497514557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:17.307868004 CEST45574975145.137.22.50192.168.2.4
                                    May 3, 2021 15:08:17.404185057 CEST497514557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:17.488008976 CEST497514557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:17.550971985 CEST45574975145.137.22.50192.168.2.4
                                    May 3, 2021 15:08:17.732754946 CEST497514557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:17.800530910 CEST45574975145.137.22.50192.168.2.4
                                    May 3, 2021 15:08:18.732881069 CEST497514557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:22.754720926 CEST497534557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:22.802222967 CEST45574975345.137.22.50192.168.2.4
                                    May 3, 2021 15:08:22.802345991 CEST497534557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:22.830790997 CEST497534557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:22.893341064 CEST45574975345.137.22.50192.168.2.4
                                    May 3, 2021 15:08:22.897490025 CEST45574975345.137.22.50192.168.2.4
                                    May 3, 2021 15:08:22.897814035 CEST497534557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:22.945718050 CEST45574975345.137.22.50192.168.2.4
                                    May 3, 2021 15:08:22.946918011 CEST497534557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:23.018306971 CEST45574975345.137.22.50192.168.2.4
                                    May 3, 2021 15:08:23.131926060 CEST45574975345.137.22.50192.168.2.4
                                    May 3, 2021 15:08:23.159990072 CEST497534557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:23.206546068 CEST45574975345.137.22.50192.168.2.4
                                    May 3, 2021 15:08:23.207879066 CEST497534557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:23.254813910 CEST45574975345.137.22.50192.168.2.4
                                    May 3, 2021 15:08:23.254914999 CEST497534557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:23.301826954 CEST45574975345.137.22.50192.168.2.4
                                    May 3, 2021 15:08:23.338260889 CEST497534557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:23.409137964 CEST45574975345.137.22.50192.168.2.4
                                    May 3, 2021 15:08:23.780343056 CEST497534557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:23.846663952 CEST45574975345.137.22.50192.168.2.4
                                    May 3, 2021 15:08:24.780178070 CEST497534557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:28.816667080 CEST497544557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:28.863339901 CEST45574975445.137.22.50192.168.2.4
                                    May 3, 2021 15:08:28.863557100 CEST497544557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:28.864358902 CEST497544557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:28.932679892 CEST45574975445.137.22.50192.168.2.4
                                    May 3, 2021 15:08:28.933020115 CEST497544557192.168.2.445.137.22.50
                                    May 3, 2021 15:08:28.979862928 CEST45574975445.137.22.50192.168.2.4
                                    May 3, 2021 15:08:28.985539913 CEST497544557192.168.2.445.137.22.50

                                    Code Manipulations

                                    Statistics

                                    CPU Usage

                                    Memory Usage

                                    High Level Behavior Distribution

                                    Behavior

                                    System Behavior

                                    General

                                    Start time:15:07:47
                                    Start date:03/05/2021
                                    Path:C:\Users\user\Desktop\note-mxm.exe
                                    Wow64 process (32bit):true
                                    Commandline:'C:\Users\user\Desktop\note-mxm.exe'
                                    Imagebase:0xbd0000
                                    File size:724480 bytes
                                    MD5 hash:116DB2200D9BE33529615FC98907D4D8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp, Author: Joe Security
                                    Reputation:low

                                    General

                                    Start time:15:07:51
                                    Start date:03/05/2021
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fGAhpbrTQZcHeY' /XML 'C:\Users\user\AppData\Local\Temp\tmp943B.tmp'
                                    Imagebase:0x980000
                                    File size:185856 bytes
                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:15:07:51
                                    Start date:03/05/2021
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff724c50000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:15:07:52
                                    Start date:03/05/2021
                                    Path:C:\Users\user\Desktop\note-mxm.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\Desktop\note-mxm.exe
                                    Imagebase:0xe50000
                                    File size:724480 bytes
                                    MD5 hash:116DB2200D9BE33529615FC98907D4D8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Reputation:low

                                    Disassembly

                                    Code Analysis
