Play interactive tour

Edit tour

Analysis Report TT COPY pdf.exe

Overview

General Information

Sample Name:	TT COPY pdf.exe
Analysis ID:	402887
MD5:	5c59c6fb72b449bd3e52b628c7c46002
SHA1:	85974547f519babcdd3f8d5a68ba18930f09d46d
SHA256:	0b39f5e8244f6d24dbf99914e31907f8e560c6612544a692ec97480c5c9fe371
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:
Errors Sigma runtime error: Invalid condition: true && ! filter Rule: System File Execution Location Anomaly Sigma runtime error: Invalid condition: ( false && ! false ) or Rule: Executable Used by PlugX in Uncommon Location Sigma syntax error: Rules are missing titles Sigma runtime error: Invalid condition: false && true or Rule: Suspicious WMI Execution Sigma runtime error: Invalid condition: not false && false Rule: Using SettingSyncHost.exe as LOLBin Sigma runtime error: Invalid condition: not true && false Rule: Using SettingSyncHost.exe as LOLBin Sigma runtime error: Invalid condition: false \|\| (selection_wevtutil_binary && selection_wevtutil_command) Rule: Suspicious Eventlog Clear or Configuration Using Wevtutil Sigma runtime error: Invalid condition: false && false or Rule: Suspicious WMI Execution

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: BlueMashroom DLL Load

Sigma detected: NanoCore

Sigma detected: NotPetya Ransomware Activity

Sigma detected: QBot Process Creation

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Exchange Exploitation Activity

Sigma detected: Mustang Panda Dropper

Sigma detected: Raccine Uninstall

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Sigma detected: Windows 10 Scheduled Task SandboxEscaper 0-day

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to detect virtual machines (SMSW)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: PowerShell Script Run in AppData

Sigma detected: Suspicious Copy From or To System32

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

TT COPY pdf.exe (PID: 5640 cmdline: 'C:\Users\user\Desktop\TT COPY pdf.exe' MD5: 5C59C6FB72B449BD3E52B628C7C46002)

schtasks.exe (PID: 6160 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

TT COPY pdf.exe (PID: 6240 cmdline: C:\Users\user\Desktop\TT COPY pdf.exe MD5: 5C59C6FB72B449BD3E52B628C7C46002)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "97a824b7-e666-4a22-b2e3-fb501d91", "Group": "king", "Domain1": "23.105.131.171", "Domain2": "", "Port": 4040, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f86a5:$x1: NanoCore.ClientPluginHost 0x22aec5:$x1: NanoCore.ClientPluginHost 0x1f86e2:$x2: IClientNetworkHost 0x22af02:$x2: IClientNetworkHost 0x1fc215:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x22ea35:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1f840d:$a: NanoCore 0x1f841d:$a: NanoCore 0x1f8651:$a: NanoCore 0x1f8665:$a: NanoCore 0x1f86a5:$a: NanoCore 0x22ac2d:$a: NanoCore 0x22ac3d:$a: NanoCore 0x22ae71:$a: NanoCore 0x22ae85:$a: NanoCore 0x22aec5:$a: NanoCore 0x1f846c:$b: ClientPlugin 0x1f866e:$b: ClientPlugin 0x1f86ae:$b: ClientPlugin 0x22ac8c:$b: ClientPlugin 0x22ae8e:$b: ClientPlugin 0x22aece:$b: ClientPlugin 0x14e609:$c: ProjectData 0x1f8593:$c: ProjectData 0x22adb3:$c: ProjectData 0x1f8f9a:$d: DESCrypto 0x22b7ba:$d: DESCrypto
00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000007.00000002.522969256.0000000005830000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000007.00000002.522969256.0000000005830000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2ec5:$a: NanoCore 0x2f1e:$a: NanoCore 0x2f5b:$a: NanoCore 0x2fd4:$a: NanoCore 0x1667f:$a: NanoCore 0x16694:$a: NanoCore 0x166c9:$a: NanoCore 0x2f123:$a: NanoCore 0x2f138:$a: NanoCore 0x2f16d:$a: NanoCore 0x2f27:$b: ClientPlugin 0x2f64:$b: ClientPlugin 0x3862:$b: ClientPlugin 0x386f:$b: ClientPlugin 0x1643b:$b: ClientPlugin 0x16456:$b: ClientPlugin 0x16486:$b: ClientPlugin 0x1669d:$b: ClientPlugin 0x166d2:$b: ClientPlugin 0x2eedf:$b: ClientPlugin 0x2eefa:$b: ClientPlugin
00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
Process Memory Space: TT COPY pdf.exe PID: 6240	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16b5aa:$x1: NanoCore.ClientPluginHost 0x1b71b0:$x1: NanoCore.ClientPluginHost 0x1bcd6f:$x1: NanoCore.ClientPluginHost 0x1cdb94:$x1: NanoCore.ClientPluginHost 0x1e1d97:$x1: NanoCore.ClientPluginHost 0x16b5d0:$x2: IClientNetworkHost 0x1b71d6:$x2: IClientNetworkHost 0x1bcdb4:$x2: IClientNetworkHost 0x1cdbd9:$x2: IClientNetworkHost 0x1e1df8:$x2: IClientNetworkHost 0x1e71fd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1f516f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: TT COPY pdf.exe PID: 6240	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: TT COPY pdf.exe PID: 6240	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x15cfa9:$a: NanoCore 0x15d010:$a: NanoCore 0x15d0b3:$a: NanoCore 0x16b49c:$a: NanoCore 0x16b53d:$a: NanoCore 0x16b5aa:$a: NanoCore 0x16b66b:$a: NanoCore 0x16c53c:$a: NanoCore 0x16c58f:$a: NanoCore 0x16c5c8:$a: NanoCore 0x16c63b:$a: NanoCore 0x1acd39:$a: NanoCore 0x1b70a2:$a: NanoCore 0x1b7143:$a: NanoCore 0x1b71b0:$a: NanoCore 0x1b7271:$a: NanoCore 0x1b8142:$a: NanoCore 0x1b8195:$a: NanoCore 0x1b81ce:$a: NanoCore 0x1b8241:$a: NanoCore 0x1bcce9:$a: NanoCore
Process Memory Space: TT COPY pdf.exe PID: 5640	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x157a3d:$x1: NanoCore.ClientPluginHost 0x18a25d:$x1: NanoCore.ClientPluginHost 0x157a7a:$x2: IClientNetworkHost 0x18a29a:$x2: IClientNetworkHost 0x15b5ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x18ddcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1577a5:$a: NanoCore 0x1577b5:$a: NanoCore 0x1579e9:$a: NanoCore 0x1579fd:$a: NanoCore 0x157a3d:$a: NanoCore 0x189fc5:$a: NanoCore 0x189fd5:$a: NanoCore 0x18a209:$a: NanoCore 0x18a21d:$a: NanoCore 0x18a25d:$a: NanoCore 0x157804:$b: ClientPlugin 0x157a06:$b: ClientPlugin 0x157a46:$b: ClientPlugin 0x18a024:$b: ClientPlugin 0x18a226:$b: ClientPlugin 0x18a266:$b: ClientPlugin 0xad9a1:$c: ProjectData 0x15792b:$c: ProjectData 0x18a14b:$c: ProjectData 0x158332:$d: DESCrypto 0x18ab52:$d: DESCrypto
7.2.TT COPY pdf.exe.3eeff1c.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.TT COPY pdf.exe.3eeff1c.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.TT COPY pdf.exe.3eeff1c.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42725:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x429ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x43fe6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x43fda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x44e8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ac42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x429d7:$s5: IClientLoggingHost
0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto 0x1844e:$e: KeepAlive
7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28251:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x2827e:$x2: IClientNetworkHost
7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28251:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2932c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x2826b:$s5: IClientLoggingHost
7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c28:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c55:$x2: IClientNetworkHost
7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c28:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d03:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c42:$s5: IClientLoggingHost
7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.TT COPY pdf.exe.58e4629.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
7.2.TT COPY pdf.exe.58e4629.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
7.2.TT COPY pdf.exe.58e4629.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d087:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0b4:$x2: IClientNetworkHost
7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d087:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e162:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0a1:$s5: IClientLoggingHost
7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d03d:$a: NanoCore 0x2d052:$a: NanoCore 0x2d087:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2cdf9:$b: ClientPlugin 0x2ce14:$b: ClientPlugin
7.2.TT COPY pdf.exe.5830000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.TT COPY pdf.exe.5830000.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
7.2.TT COPY pdf.exe.58e0000.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
7.2.TT COPY pdf.exe.58e0000.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
7.2.TT COPY pdf.exe.58e0000.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.TT COPY pdf.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.TT COPY pdf.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.TT COPY pdf.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.TT COPY pdf.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.TT COPY pdf.exe.29fedec.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.TT COPY pdf.exe.3bc1518.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.TT COPY pdf.exe.3bc1518.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.TT COPY pdf.exe.3bc1518.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.TT COPY pdf.exe.3bc1518.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.2.TT COPY pdf.exe.58e0000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.TT COPY pdf.exe.58e0000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.TT COPY pdf.exe.58e0000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.TT COPY pdf.exe.2ed30a4.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
Click to see the 36 entries

Sigma Overview

System Summary:

Sigma detected: BlueMashroom DLL Load

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT COPY pdf.exe' , ParentImage: C:\Users\user\Desktop\TT COPY pdf.exe, ParentProcessId: 5640, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', ProcessId: 6160

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\TT COPY pdf.exe, ProcessId: 6240, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: NotPetya Ransomware Activity

Show sources

Source: Process started

Author: Florian Roth, Tom Ueltschi: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT COPY pdf.exe' , ParentImage: C:\Users\user\Desktop\TT COPY pdf.exe, ParentProcessId: 5640, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', ProcessId: 6160

Sigma detected: QBot Process Creation

Show sources

Source: Process started

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT COPY pdf.exe' , ParentImage: C:\Users\user\Desktop\TT COPY pdf.exe, ParentProcessId: 5640, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', ProcessId: 6160

Sigma detected: Exchange Exploitation Activity

Show sources

Source: Process started

Sigma detected: Mustang Panda Dropper

Show sources

Source: Process started

Author: Florian Roth, oscd.community: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT COPY pdf.exe' , ParentImage: C:\Users\user\Desktop\TT COPY pdf.exe, ParentProcessId: 5640, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', ProcessId: 6160

Sigma detected: Raccine Uninstall

Show sources

Source: Process started

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Show sources

Source: Process started

Sigma detected: Windows 10 Scheduled Task SandboxEscaper 0-day

Show sources

Source: Process started

Author: Olaf Hartong: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT COPY pdf.exe' , ParentImage: C:\Users\user\Desktop\TT COPY pdf.exe, ParentProcessId: 5640, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', ProcessId: 6160

Sigma detected: PowerShell Script Run in AppData

Show sources

Source: Process started

Author: Florian Roth, Jonhnathan Ribeiro, oscd.community: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT COPY pdf.exe' , ParentImage: C:\Users\user\Desktop\TT COPY pdf.exe, ParentProcessId: 5640, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', ProcessId: 6160

Sigma detected: Suspicious Copy From or To System32

Show sources

Source: Process started

Author: Florian Roth, Markus Neis: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT COPY pdf.exe' , ParentImage: C:\Users\user\Desktop\TT COPY pdf.exe, ParentProcessId: 5640, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', ProcessId: 6160

Sigma detected: Change Default File Association

Show sources

Source: Process started

Author: Timur Zinniatullin, oscd.community: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT COPY pdf.exe' , ParentImage: C:\Users\user\Desktop\TT COPY pdf.exe, ParentProcessId: 5640, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp', ProcessId: 6160

Sigma detected: Data Compressed - Powershell

Show sources

Source: Event Logs

Author: Timur Zinniatullin, oscd.community: Data: EventID: 4104, Source: Microsoft-Windows-PowerShell, data 0: 1, data 1: 1, data 2: # Copyright 2008, Microsoft Corporation. All rights reserved. #Common utility functions Import-LocalizedData -BindingVariable localizationString -FileName CL_LocalizationData # Function to get user troubleshooting history function Get-UserTSHistoryPath { return "${env:localappdata}\diagnostics" } # Function to get admin troubleshooting history function Get-AdminTSHistoryPath { return "${env:localappdata}\elevateddiagnostics" } # Function to get user report folder path function Get-UserReportPath { return "${env:localappdata}\Microsoft\Windows\WER\ReportQueue" } # Function to get system report folder path function Get-MachineReportPath { return "${env:AllUsersProfile}\Microsoft\Windows\WER\ReportQueue" } # Function to get threshold to check whether a folder is old function Get-ThresholdForCheckOlderFile { [int]$threshold = -1 return $threshold } # Function to get threshold for deleting WER folder function Get-ThresholdForFileDeleting() { [string]$registryEntryPath = "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting" [string]$registryEntryName = "PurgeThreshholdValueInKB" [double]$defaultValue = 10.0 return Get-RegistryValue $registryEntryPath $registryEntryName $defaultValue } # Function to get the size of a directory in kb function Get-FolderSize([string]$folder = $(throw "No folder is specified")) { if([String]::IsNullOrEmpty($folder) -or (-not(Test-Path $folder))) { return 0 } if(-not $Global:DirectoryObject) { $Global:DirectoryObject = New-Object -comobject "Scripting.FileSystemObject" } return ($Global:DirectoryObject.GetFolder($folder).Size) / 1kb } # Function to delete a folder function Delete-Folder([string]$folder = $(throw "No folder is specified")) { if([String]::IsNullOrEmpty($folder) -or (-not(Test-Path $folder))) { return } Remove-Item -literalPath $folder -Recurse -Force } # Function to delete old folders function Delete-OldFolders($folder=$(throw "No folder is specified")) { if(($folder -eq $null) -or (-not(Test-Path $folder))) { return } [int]$threshold = Get-ThresholdForCheckOlderFile $folders = Get-ChildItem -LiteralPath ($folder.FullName) -Force | Where-Object {$_.PSIsContainer} if($folders -ne $null) { foreach($folder in $folders) { if((($folder.CreationTime).CompareTo((Get-Date).AddMonths($threshold))) -lt 0) { Delete-Folder ($folder.FullName) } else { Delete-OldFolders (Get-Item ($folder.FullName)) } } } } # Function to get registry value function Get-RegistryValue([string]$registryEntryPath = $(throw "No registry entry path is specified"), [string]$registryEntryName = $(throw "No registry entry name is specified"), [double]$defaultValue = 0.0) { [double]$registryEntryValue = $defaultValue $registryEntry = Get-ItemProperty -Path $registryEntryPath -Name $registryEntryName if($registryEntry -ne $null) { $registryEntryValue = $registryEntry.$registryEntryName } return $registryEntryValue } # Function to get the

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "97a824b7-e666-4a22-b2e3-fb501d91", "Group": "king", "Domain1": "23.105.131.171", "Domain2": "", "Port": 4040, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\kAozQG.exe

ReversingLabs: Detection: 19%

Multi AV Scanner detection for submitted file

Show sources

Source: TT COPY pdf.exe

ReversingLabs: Detection: 19%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY
Source: Yara match	File source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\kAozQG.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: TT COPY pdf.exe

Joe Sandbox ML: detected

Source: 7.2.TT COPY pdf.exe.58e0000.10.unpack	Avira: Label: TR/NanoCore.fadte
Source: 7.2.TT COPY pdf.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: TT COPY pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: TT COPY pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdblt source: TT COPY pdf.exe, 00000007.00000002.517419378.0000000000EA2000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: TT COPY pdf.exe, 00000007.00000002.517419378.0000000000EA2000.00000004.00000020.sdmp
Source:	Binary string: System.pdb source: TT COPY pdf.exe, 00000007.00000002.523246225.0000000006400000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_02738EA0
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_02739E20
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_02739E17
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_02738E9B
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_02738FCC

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49719 -> 23.105.131.171:4040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49720 -> 23.105.131.171:4040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49721 -> 23.105.131.171:4040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49724 -> 23.105.131.171:4040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49752 -> 23.105.131.171:4040

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: 23.105.131.171

Source: global traffic

TCP traffic: 192.168.2.5:49719 -> 23.105.131.171:4040

Source: Joe Sandbox View

ASN Name: LEASEWEB-USA-NYC-11US LEASEWEB-USA-NYC-11US

Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.171

Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Source: TT COPY pdf.exe, 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY
Source: Yara match	File source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.522969256.0000000005830000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.TT COPY pdf.exe.5830000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.TT COPY pdf.exe.2ed30a4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_02734EB0	0_2_02734EB0
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_027347D0	0_2_027347D0
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_02735478	0_2_02735478
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_02731A07	0_2_02731A07
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_02736298	0_2_02736298
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_02736289	0_2_02736289
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_02731BA7	0_2_02731BA7
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_027398D8	0_2_027398D8
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_02731943	0_2_02731943
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_02731948	0_2_02731948
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_02735EF0	0_2_02735EF0
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_02735EE3	0_2_02735EE3
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_02734EA3	0_2_02734EA3
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_02734EAB	0_2_02734EAB
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_027347C3	0_2_027347C3
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_02736476	0_2_02736476
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_0273546B	0_2_0273546B
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_0298E6C0	0_2_0298E6C0
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_0298C3B4	0_2_0298C3B4
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_0298E6B0	0_2_0298E6B0
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B765E8	0_2_05B765E8
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B78578	0_2_05B78578
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B77728	0_2_05B77728
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B73690	0_2_05B73690
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B7F3B8	0_2_05B7F3B8
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B743E0	0_2_05B743E0
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B76DA0	0_2_05B76DA0
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B7B948	0_2_05B7B948
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B7F850	0_2_05B7F850
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B765E3	0_2_05B765E3
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B76526	0_2_05B76526
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B78573	0_2_05B78573
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B794B3	0_2_05B794B3
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B794B8	0_2_05B794B8
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B77719	0_2_05B77719
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B7A718	0_2_05B7A718
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B7A709	0_2_05B7A709
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B7A370	0_2_05B7A370
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B7A36B	0_2_05B7A36B
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B76D90	0_2_05B76D90
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B7ADC3	0_2_05B7ADC3
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B7ADC8	0_2_05B7ADC8
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 7_2_02E5E480	7_2_02E5E480
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 7_2_02E5E471	7_2_02E5E471
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 7_2_02E5BBD4	7_2_02E5BBD4

Source: TT COPY pdf.exe	Binary or memory string: OriginalFilename vs TT COPY pdf.exe
Source: TT COPY pdf.exe, 00000000.00000002.271275533.000000000BD50000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs TT COPY pdf.exe
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs TT COPY pdf.exe
Source: TT COPY pdf.exe, 00000000.00000002.271449833.000000000BE50000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs TT COPY pdf.exe
Source: TT COPY pdf.exe, 00000000.00000002.271449833.000000000BE50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs TT COPY pdf.exe
Source: TT COPY pdf.exe, 00000000.00000002.270925129.0000000005B80000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs TT COPY pdf.exe
Source: TT COPY pdf.exe	Binary or memory string: OriginalFilename vs TT COPY pdf.exe
Source: TT COPY pdf.exe, 00000007.00000002.523581187.00000000067A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs TT COPY pdf.exe
Source: TT COPY pdf.exe, 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs TT COPY pdf.exe
Source: TT COPY pdf.exe, 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs TT COPY pdf.exe
Source: TT COPY pdf.exe, 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs TT COPY pdf.exe
Source: TT COPY pdf.exe	Binary or memory string: OriginalFilenameEventTags.exe< vs TT COPY pdf.exe

Source: TT COPY pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.522969256.0000000005830000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.522969256.0000000005830000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.TT COPY pdf.exe.5830000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.TT COPY pdf.exe.5830000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.TT COPY pdf.exe.2ed30a4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/

Source: TT COPY pdf.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kAozQG.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 7.2.TT COPY pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/6@0/1

Source: C:\Users\user\Desktop\TT COPY pdf.exe

File created: C:\Users\user\AppData\Roaming\kAozQG.exe

Jump to behavior

Source: C:\Users\user\Desktop\TT COPY pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\gqxHOc
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_01
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{97a824b7-e666-4a22-b2e3-fb501d91b8df}

Source: C:\Users\user\Desktop\TT COPY pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2D06.tmp

Jump to behavior

Source: TT COPY pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\TT COPY pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\TT COPY pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\TT COPY pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: TT COPY pdf.exe

ReversingLabs: Detection: 19%

Source: C:\Users\user\Desktop\TT COPY pdf.exe

File read: C:\Users\user\Desktop\TT COPY pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TT COPY pdf.exe 'C:\Users\user\Desktop\TT COPY pdf.exe'
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process created: C:\Users\user\Desktop\TT COPY pdf.exe C:\Users\user\Desktop\TT COPY pdf.exe
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process created: C:\Users\user\Desktop\TT COPY pdf.exe C:\Users\user\Desktop\TT COPY pdf.exe	Jump to behavior

Source: C:\Users\user\Desktop\TT COPY pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\TT COPY pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: TT COPY pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: TT COPY pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdblt source: TT COPY pdf.exe, 00000007.00000002.517419378.0000000000EA2000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: TT COPY pdf.exe, 00000007.00000002.517419378.0000000000EA2000.00000004.00000020.sdmp
Source:	Binary string: System.pdb source: TT COPY pdf.exe, 00000007.00000002.523246225.0000000006400000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 7.2.TT COPY pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_02731FAC push eax; ret	0_2_02731FD1
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_027314CB pushad ; ret	0_2_027315F2
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_0273054A push ecx; ret	0_2_02730561
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B7856B push cs; ret	0_2_05B78572
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B79763 push ss; ret	0_2_05B7976A
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B79761 push ss; ret	0_2_05B79762
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B771AB push es; ret	0_2_05B771B2
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B78278 push esi; retf	0_2_05B78279
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B7826E push esi; retf	0_2_05B7826F
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B7BFED pushfd ; iretd	0_2_05B7BFEE
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B76FC1 push es; ret	0_2_05B76FC2
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Code function: 0_2_05B77F23 pushfd ; ret	0_2_05B77F25

Source: initial sample	Static PE information: section name: .text entropy: 7.69430817012
Source: initial sample	Static PE information: section name: .text entropy: 7.69430817012

Source: 7.2.TT COPY pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.2.TT COPY pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: C:\Users\user\Desktop\TT COPY pdf.exe

File created: C:\Users\user\AppData\Roaming\kAozQG.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\TT COPY pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\TT COPY pdf.exe

File opened: C:\Users\user\Desktop\TT COPY pdf.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TT COPY pdf.exe PID: 5640, type: MEMORY
Source: Yara match	File source: 0.2.TT COPY pdf.exe.29fedec.1.raw.unpack, type: UNPACKEDPE

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\TT COPY pdf.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\TT COPY pdf.exe

Code function: 0_2_0298B2D8 smsw word ptr [ecx+039D3E38h]

0_2_0298B2D8

Source: C:\Users\user\Desktop\TT COPY pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\TT COPY pdf.exe	Window / User API: threadDelayed 2509	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Window / User API: threadDelayed 7004	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Window / User API: foregroundWindowGot 958	Jump to behavior

Source: C:\Users\user\Desktop\TT COPY pdf.exe TID: 4660	Thread sleep time: -103771s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe TID: 5524	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe TID: 6368	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\TT COPY pdf.exe	Thread delayed: delay time: 103771	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: TT COPY pdf.exe, 00000007.00000002.523581187.00000000067A0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: TT COPY pdf.exe, 00000007.00000002.523581187.00000000067A0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: TT COPY pdf.exe, 00000007.00000002.523581187.00000000067A0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: TT COPY pdf.exe, 00000007.00000002.517304669.0000000000E6E000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: TT COPY pdf.exe, 00000007.00000002.523581187.00000000067A0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\TT COPY pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\TT COPY pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\TT COPY pdf.exe

Memory written: C:\Users\user\Desktop\TT COPY pdf.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Process created: C:\Users\user\Desktop\TT COPY pdf.exe C:\Users\user\Desktop\TT COPY pdf.exe			Jump to behavior

Source: TT COPY pdf.exe, 00000007.00000002.519279220.000000000311D000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: TT COPY pdf.exe, 00000007.00000002.517861757.0000000001790000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: TT COPY pdf.exe, 00000007.00000002.517861757.0000000001790000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: TT COPY pdf.exe, 00000007.00000002.517861757.0000000001790000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: TT COPY pdf.exe, 00000007.00000002.517861757.0000000001790000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: TT COPY pdf.exe, 00000007.00000002.517861757.0000000001790000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: TT COPY pdf.exe, 00000007.00000002.518432727.0000000002F7B000.00000004.00000001.sdmp	Binary or memory string: Program Manager\|$_
Source: TT COPY pdf.exe, 00000007.00000002.523210502.00000000062FE000.00000004.00000001.sdmp	Binary or memory string: lProgram Manager
Source: TT COPY pdf.exe, 00000007.00000002.518618473.0000000002FBB000.00000004.00000001.sdmp	Binary or memory string: Program ManagerHa

Source: C:\Users\user\Desktop\TT COPY pdf.exe	Queries volume information: C:\Users\user\Desktop\TT COPY pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Queries volume information: C:\Users\user\Desktop\TT COPY pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TT COPY pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\TT COPY pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY
Source: Yara match	File source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: TT COPY pdf.exe, 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: TT COPY pdf.exe, 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TT COPY pdf.exe PID: 6240, type: MEMORY
Source: Yara match	File source: 0.2.TT COPY pdf.exe.3a79c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.3eeff1c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TT COPY pdf.exe.3bc1518.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.3eeff1c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.3ef4545.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.58e4629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.3eeb0e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.58e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TT COPY pdf.exe.3bc1518.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.TT COPY pdf.exe.58e0000.10.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection112	Masquerading1	Input Capture11	Security Software Discovery211	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion41	Security Account Manager	Virtualization/Sandbox Evasion41	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information3	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
TT COPY pdf.exe	19%	ReversingLabs	Win32.Trojan.AgentTesla
TT COPY pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\kAozQG.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\kAozQG.exe	19%	ReversingLabs	Win32.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
7.2.TT COPY pdf.exe.58e0000.10.unpack	100%	Avira	TR/NanoCore.fadte		Download File
7.2.TT COPY pdf.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
	0%	Avira URL Cloud	safe
23.105.131.171	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
23.105.131.171	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	false		high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	TT COPY pdf.exe, 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.105.131.171	unknown	United States		396362	LEASEWEB-USA-NYC-11US	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	402887
Start date:	03.05.2021
Start time:	15:23:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	TT COPY pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/6@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0.1%) Quality average: 77.5% Quality standard deviation: 11.1%
HCA Information:	Successful, ratio: 98% Number of executed functions: 72 Number of non-executed functions: 22
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.
Errors:	Sigma runtime error: Invalid condition: true && ! filter Rule: System File Execution Location Anomaly Sigma runtime error: Invalid condition: ( false && ! false ) or Rule: Executable Used by PlugX in Uncommon Location Sigma syntax error: Rules are missing titles Sigma runtime error: Invalid condition: false && true or Rule: Suspicious WMI Execution Sigma runtime error: Invalid condition: not false && false Rule: Using SettingSyncHost.exe as LOLBin Sigma runtime error: Invalid condition: not true && false Rule: Using SettingSyncHost.exe as LOLBin Sigma runtime error: Invalid condition: false \|\| (selection_wevtutil_binary && selection_wevtutil_command) Rule: Suspicious Eventlog Clear or Configuration Using Wevtutil Sigma runtime error: Invalid condition: false && false or Rule: Suspicious WMI Execution

Simulations

Behavior and APIs

Time	Type	Description
15:24:22	API Interceptor	1008x Sleep call for process: TT COPY pdf.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
23.105.131.171	transfer pdf.exe	Get hash	malicious	Browse
23.105.131.171	DHLAWB# 9284880911 pdf.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LEASEWEB-USA-NYC-11US	transfer pdf.exe	Get hash	malicious	Browse	23.105.131.171
	DHLAWB# 9284880911 pdf.exe	Get hash	malicious	Browse	23.105.131.171
	PO.pdf.exe	Get hash	malicious	Browse	23.105.131.190
	PO.pdf.exe	Get hash	malicious	Browse	23.105.131.161
	PO.pdf.exe	Get hash	malicious	Browse	23.105.131.161
	SecuriteInfo.com.Trojan.Win32.Save.a.29244.exe	Get hash	malicious	Browse	23.105.131.161
	ZBgnuLqtOd.exe	Get hash	malicious	Browse	23.105.131.161
	ZE9u48l6N4.exe	Get hash	malicious	Browse	23.105.131.161
	PO copy.pdf.exe	Get hash	malicious	Browse	23.105.131.161
	invoice&packing list.pdf.exe	Get hash	malicious	Browse	23.105.131.161
	PO.PDF.exe	Get hash	malicious	Browse	23.105.131.161
	PO copy.pdf.exe	Get hash	malicious	Browse	23.105.131.161
	Ordem urgente AWB674653783- FF2453,PDF.exe	Get hash	malicious	Browse	23.105.131.132
	Remittance FormDoc.exe	Get hash	malicious	Browse	23.19.227.243
	Presupuesto de orden urgente KTX88467638,pdf.exe	Get hash	malicious	Browse	23.105.131.132
	Dringende Bestellung Zitat CTX88467638,pdf.exe	Get hash	malicious	Browse	23.105.131.132
	shipping document.exe	Get hash	malicious	Browse	23.105.131.207
	6V9espP5wD.exe	Get hash	malicious	Browse	23.105.131.195
	NVAbIqNO9h.exe	Get hash	malicious	Browse	23.105.131.209
	UUGCfhIdFD.exe	Get hash	malicious	Browse	23.105.131.228

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TT COPY pdf.exe.log Download File
Process:	C:\Users\user\Desktop\TT COPY pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp2D06.tmp Download File
Process:	C:\Users\user\Desktop\TT COPY pdf.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1643
Entropy (8bit):	5.172308050226336
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBdYtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3q
MD5:	92AE123C43B9118A157C6477DE51F190
SHA1:	BD3D84B3C0ABF082DD803ACE91AD9F95EAA170BF
SHA-256:	4FFAFB8ABE72A998C286BFAFB3288EC2CFD1F5029DE737FE298015B781F95FF0
SHA-512:	BB94339B70FF6CE7FDD060A00DB5966162053DE2858D5206F9F1BE5F5A224410DF6987198507439ACDACAC582431867942372EB24FB8E9AC05E9CEB8FA580F35
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\TT COPY pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	928
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	24:IQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtw:Ik/lCrwfk/lCrwfk/lCrwfk/lCrw8
MD5:	CCB690520E68EE385ACC0ACFE759AFFC
SHA1:	33F0DA3F55E5B3C5AC19B61D31471CB60BCD5C96
SHA-256:	166154225DAB5FCB79C1CA97D371B159D37B83FBC0ADABCD8EBA98FA113A7A3B
SHA-512:	AC4F3CF1F8F460745D37E6350861C2FBCDDCC1BBDE0A48FB361BFBF5B1EBF10A05F798A72CE413FCA073FF8108955353DDBCBD9D50CED6CDAE231C67A28FDDA3
Malicious:	false
Reputation:	low
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\TT COPY pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:r8:r8
MD5:	2DEDC34235C5260F4D29ECFE8E9F7C2B
SHA1:	3C68D1B9BD902EF465531028D4A212CC2D45D0EF
SHA-256:	51F73BE61DCC9973EDA643C38632AA52C5E8E63391050625D4CB5CC9789A2A01
SHA-512:	A92A0A52162300C3EAB9F971481DA753E1E8DA7845DBCF937C05C93943B815688CED61FCB77795DE1308EE1CB6C352AD51D1CABCD26A83154B81933C42313C02
Malicious:	true
Reputation:	low
Preview:	...7...H

C:\Users\user\AppData\Roaming\kAozQG.exe Download File
Process:	C:\Users\user\Desktop\TT COPY pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	906752
Entropy (8bit):	7.6609636801645715
Encrypted:	false
SSDEEP:	24576:Dg1zTaZViWg3XO7OJYidZ7x0oTSZikoIErs:DS/aZVHoXO72h0odgErs
MD5:	5C59C6FB72B449BD3E52B628C7C46002
SHA1:	85974547F519BABCDD3F8D5A68BA18930F09D46D
SHA-256:	0B39F5E8244F6D24DBF99914E31907F8E560C6612544A692EC97480C5C9FE371
SHA-512:	8C4B83A321E0AF75E9F3C77A10D41E005401E6747A92BBF3F251B76663267D5A6C917801AA791AF964DDB0F5740735CFBFD71BBA1A4E91DFCEDE3B132A9750FA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 19%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[.`..............P..x...\........... ........@.. ....................... ............@.....................................O........Y........................................................................... ............... ..H............text....w... ...x.................. ..`.rsrc....Y.......Z...z..............@..@.reloc..............................@..B........................H.........................................................................(....&..(......s.........s ........s!........s"........s#...........0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0...........~....o'....+...0...........~....o(....+...0..<........~.....().....,!r...p.....(...o+...s,............~.....+...0...........~.....+.."........0..&........(....r7..p~....o-...(......t$....+..*...0..&........(....rE..p~....o-...(......

C:\Users\user\AppData\Roaming\kAozQG.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\TT COPY pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.6609636801645715
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	TT COPY pdf.exe
File size:	906752
MD5:	5c59c6fb72b449bd3e52b628c7c46002
SHA1:	85974547f519babcdd3f8d5a68ba18930f09d46d
SHA256:	0b39f5e8244f6d24dbf99914e31907f8e560c6612544a692ec97480c5c9fe371
SHA512:	8c4b83a321e0af75e9f3c77a10d41e005401e6747a92bbf3f251b76663267d5a6c917801aa791af964ddb0f5740735cfbfd71bba1a4e91dfcede3b132a9750fa
SSDEEP:	24576:Dg1zTaZViWg3XO7OJYidZ7x0oTSZikoIErs:DS/aZVHoXO72h0odgErs
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[..`..............P..x...\........... ........@.. ....................... ............@................................

File Icon


Icon Hash:	1d1949485b2d1e1e

Static PE Info

General
Entrypoint:	0x4d9712
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x608FF45B [Mon May 3 13:02:19 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd96c0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xda000	0x598c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd7718	0xd7800	False	0.849151682135	data	7.69430817012	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xda000	0x598c	0x5a00	False	0.353776041667	data	4.54268336105	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe0000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xda160	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294967295, next used block 4294901502
RT_ICON	0xdb208	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294967295, next used block 4294967295
RT_GROUP_ICON	0xdf430	0x22	data
RT_VERSION	0xdf454	0x34c	data
RT_MANIFEST	0xdf7a0	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2009 - 2021
Assembly Version	1.0.5.0
InternalName	EventTags.exe
FileVersion	1.0.5.0
CompanyName	Cendario
LegalTrademarks
Comments
ProductName	Forge Templer
ProductVersion	1.0.5.0
FileDescription	Forge Templer
OriginalFilename	EventTags.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/03/21-15:24:30.918264	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49719	4040	192.168.2.5	23.105.131.171
05/03/21-15:24:38.891607	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49720	4040	192.168.2.5	23.105.131.171
05/03/21-15:24:45.893883	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49721	4040	192.168.2.5	23.105.131.171
05/03/21-15:24:52.914072	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49724	4040	192.168.2.5	23.105.131.171
05/03/21-15:26:29.950949	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49752	4040	192.168.2.5	23.105.131.171

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2021 15:24:30.503123045 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:30.833909988 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:30.834101915 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:30.918263912 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:31.262438059 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:31.390827894 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:31.720134020 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:31.767025948 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:31.797579050 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.228486061 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.228569984 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.228790998 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.229001999 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.229042053 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.229078054 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.230318069 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.230395079 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.230513096 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.230573893 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.230597973 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.230659008 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.231997013 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.232072115 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.232079029 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.232145071 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.233521938 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.233561039 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.233608007 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.233633995 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.565164089 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.566549063 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.566694021 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.566776991 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.568584919 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.568681002 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.568696022 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.569204092 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.569262028 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.569305897 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.569802999 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.569946051 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.571118116 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.571337938 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.571425915 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.572271109 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.572540998 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.572628975 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.590037107 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.590208054 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.590271950 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.590358019 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.590512991 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.590646982 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.597157001 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.597269058 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.597349882 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.598556042 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.598632097 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.598702908 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.815001965 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.902785063 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.902865887 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.903785944 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.903841972 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.904007912 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.904066086 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.904623032 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.904685974 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.914709091 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.914766073 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.914891958 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.914963961 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.915288925 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.915338039 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.915934086 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.915982962 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.916174889 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.916230917 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.916404009 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.916452885 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.916769981 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.916840076 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.916882992 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.916929007 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.917529106 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.917582989 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.918248892 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.918337107 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.918483019 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.918533087 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.918927908 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.918986082 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.919127941 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.919198036 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.920212030 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.920274973 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.920568943 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.920620918 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.921133041 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.921190023 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.921484947 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.922159910 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.922221899 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.923301935 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.923367977 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.923499107 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.923557997 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.924253941 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.924309015 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.925126076 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.925183058 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.926604033 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.926723957 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.926851034 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.926917076 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.927531958 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.927608013 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.927803993 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.927870035 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.928527117 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.928597927 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.929542065 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.929622889 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.929764032 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.929831982 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.930408001 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.930490971 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.930584908 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.930663109 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.932060003 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.932125092 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.932152987 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.932187080 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.932337046 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.932406902 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.954335928 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.954474926 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.955322981 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.955424070 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:32.955560923 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:32.955625057 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.219868898 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.231060982 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.248445034 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.248528004 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.249018908 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.250611067 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.250670910 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.251167059 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.251509905 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.251568079 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.252839088 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.253158092 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.253223896 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.255286932 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.256781101 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.256850004 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.256861925 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.257724047 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.257777929 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.259088993 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.260638952 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.260705948 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.261280060 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.262295961 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.262355089 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.262756109 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.264816046 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.264895916 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.267373085 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.267580986 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.267657042 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.268197060 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.270430088 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.270492077 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.270904064 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.272831917 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.272890091 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.273782969 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.275029898 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.275101900 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.276736975 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.276788950 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.276849985 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.277231932 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.279508114 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.279548883 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.279566050 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.280318975 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.280365944 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.280800104 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.281836987 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.282061100 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.282979965 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.283941984 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.284013033 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.284909964 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.286278963 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.286349058 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.286963940 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.288362980 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.288418055 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.289369106 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.289601088 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.289655924 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.289875031 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.290780067 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.290846109 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.290921926 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.290976048 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.292478085 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.292551041 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.301222086 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.301456928 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.301531076 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.301534891 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.345199108 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.586038113 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.586103916 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.586183071 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.587364912 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.587749958 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.587829113 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.595901966 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.596904993 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.597013950 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.597090960 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.597878933 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.597965002 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.598011017 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.599261999 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.599342108 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.606208086 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.606790066 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.606870890 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.607106924 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.608239889 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.608302116 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.608479977 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.608746052 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.608807087 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.608977079 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.610081911 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.610192060 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.610387087 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.611156940 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.611222029 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.615863085 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.616070032 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.616137981 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.617271900 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.617434025 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.617500067 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.618119955 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.618431091 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.618489981 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.618752003 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.618948936 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.619041920 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.633291960 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.633491039 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.633582115 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.633889914 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.634166002 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.634223938 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.635173082 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.635853052 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.635941982 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.636113882 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.674386978 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.674527884 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.817575932 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.924437046 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.924554110 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.924797058 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.924869061 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.925026894 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.925091028 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.926242113 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.926321030 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.940649033 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.940741062 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.941004038 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.941076040 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.943135977 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.943196058 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.943222046 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.943255901 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.943326950 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.943408966 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.944016933 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.944093943 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.944237947 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.944302082 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.944752932 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.944824934 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.945710897 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.945795059 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.945827007 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.945903063 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.947886944 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.947962999 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.948174000 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.948236942 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.953648090 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.953728914 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.954387903 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.954464912 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.954648018 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.954722881 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.956387043 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.956491947 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.957129002 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.957218885 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.957366943 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.957489014 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.976828098 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.976993084 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.977046013 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.977092981 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.977154970 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.977231026 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.977454901 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.977565050 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.977595091 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.977679968 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.977709055 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.977807045 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.977828979 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.977921963 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.978423119 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.978588104 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.978599072 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.978678942 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.978730917 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.978813887 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.978823900 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.978943110 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.978965998 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.979051113 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.979070902 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.979154110 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.979206085 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.979295969 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:33.979357958 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:33.979449034 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:34.032279015 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:34.032409906 CEST	4040	49719	23.105.131.171	192.168.2.5
May 3, 2021 15:24:34.032532930 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:34.032593012 CEST	49719	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:38.544532061 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:38.890888929 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:38.891026020 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:38.891607046 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:39.230142117 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:39.230626106 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:39.572114944 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:39.572271109 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:39.950819969 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:39.950925112 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.354814053 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.410334110 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.410907030 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.411052942 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.411055088 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.412230968 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.412358999 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.412538052 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.412884951 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.412940025 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.413830042 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.414014101 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.414067984 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.419819117 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.420135021 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.420187950 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.534596920 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.754272938 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.754580021 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.754966974 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.755038977 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.755100012 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.755172968 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.768443108 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.768604994 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.768604994 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.768708944 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.768837929 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.768943071 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.769099951 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.769191027 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.789947987 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.790076017 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.790196896 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.790282011 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.790307999 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.790380001 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.790400028 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.790471077 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.790544033 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.790621042 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.790720940 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.790772915 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.790796041 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.790828943 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.790849924 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.790899038 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.790920973 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.790992975 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.791127920 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.791193962 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.791199923 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.791261911 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.791399002 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.791449070 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:40.791472912 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.791527987 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:40.947551966 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.083798885 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.084091902 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.084219933 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.085032940 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.085865974 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.085964918 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.086139917 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.086975098 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.087058067 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.094019890 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.094065905 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.094176054 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.096349001 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.096602917 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.096707106 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.096864939 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.102005959 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.102142096 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.105041981 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.105165958 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.105243921 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.132071972 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.133128881 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.133251905 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.133291006 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.133872032 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.133963108 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.134908915 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.134995937 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.135030985 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.135149002 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.135935068 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.136069059 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.136981964 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.137039900 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.137108088 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.137834072 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.137996912 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.138063908 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.138865948 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.139166117 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.139233112 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.139858961 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.141148090 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.141216993 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.141474009 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.141834974 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.141900063 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.142074108 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.143117905 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.143194914 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.143796921 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.144963980 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.145026922 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.145054102 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.145884037 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.145966053 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.146084070 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.154979944 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.155040026 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.155105114 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.205324888 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.440037966 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.440113068 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.440253019 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.440345049 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.440351009 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.440536976 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.440612078 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.440675020 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.440798998 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.445976973 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.446181059 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.446304083 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.446787119 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.446986914 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.447105885 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.448199987 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.450251102 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.450299978 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.450341940 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.450376034 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.450460911 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.450463057 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.450984955 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.451044083 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.451092958 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.451864958 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.451971054 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.453309059 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.453946114 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.454070091 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.454114914 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.455255985 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.455374956 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.455952883 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.473578930 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.473817110 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.473946095 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.482723951 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.482959032 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.483047962 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.483262062 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.483360052 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.484069109 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.484998941 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.485189915 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.485245943 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.486367941 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.486484051 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.486627102 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.488434076 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.488563061 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.489209890 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.489624023 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.489733934 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.489763021 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.489856958 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.489974976 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.490206957 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.491168022 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.491341114 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.491919041 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.492204905 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.492296934 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.492804050 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.494273901 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.494373083 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.494488955 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.495109081 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.495204926 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.495454073 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.495811939 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.495904922 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.498122931 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.502285004 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.502434969 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.519241095 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.553724051 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.553829908 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.781727076 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.781923056 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.784496069 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.784571886 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.784620047 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.784660101 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.812011957 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.812057972 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.812138081 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.812278986 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.812316895 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.812443018 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.812841892 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.812941074 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.812946081 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.813044071 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.813047886 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.813124895 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.813131094 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.813199997 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.813318968 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.813397884 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.813465118 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.813509941 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.813540936 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.813563108 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.813695908 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.813771009 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.813776016 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.813858986 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.813874006 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.813950062 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.814033031 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.814121962 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.814133883 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.814210892 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.814296961 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.814377069 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.814652920 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.814712048 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.814749956 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.814783096 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.815009117 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.815051079 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.815113068 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.815156937 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.815327883 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.815383911 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.815448999 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.815490961 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.840176105 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.840426922 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.840929985 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.841048956 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.841845989 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.841953993 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.842933893 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.842972040 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.843070984 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.843127012 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.844351053 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.844445944 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.844599009 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.844682932 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.845005035 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.845134974 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.846154928 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.846241951 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:41.846399069 CEST	4040	49720	23.105.131.171	192.168.2.5
May 3, 2021 15:24:41.846467018 CEST	49720	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:45.536778927 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:45.892831087 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:45.892946959 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:45.893882990 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:46.241887093 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:46.242794037 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:46.589586020 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:46.590007067 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:46.971865892 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:46.971962929 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.339601040 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.401667118 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.402502060 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.402559996 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.402595043 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.402601957 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.402641058 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.402666092 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.402684927 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.402724028 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.402769089 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.406096935 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.406160116 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.406177044 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.406327009 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.406393051 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.550920010 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.734133005 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.734266996 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.746329069 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.746516943 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.747744083 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.747849941 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.749116898 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.749224901 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.754050970 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.754131079 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.754282951 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.754340887 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.754652023 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.754713058 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.756011963 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.756130934 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.756309032 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.756364107 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.757077932 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.757283926 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.757329941 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.757379055 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.758028984 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.758085966 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.759089947 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.759166956 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.759968996 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.760025978 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.760272980 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.760349035 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.761075974 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.761194944 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.761276007 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.761329889 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.762011051 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.762084961 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.762181044 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.762255907 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.764003038 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:47.764106989 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:47.923587084 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.067787886 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.067836046 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.067960024 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.078047037 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.099770069 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.099890947 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.099905968 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.100004911 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.100091934 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.100169897 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.104979992 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.105099916 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.105185986 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.105781078 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.105851889 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.106156111 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.106443882 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.106523991 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.106693983 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.107244968 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.107290030 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.107379913 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.107745886 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.107789040 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.107938051 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.108299971 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.108350039 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.108624935 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.109236002 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.109306097 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.109400034 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.109464884 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.109512091 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.112689018 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.113491058 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.113563061 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.113712072 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.114032030 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.114084959 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.114348888 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.114459038 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.114520073 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.114599943 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.114744902 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.114840031 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.114923000 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.114995956 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.115041971 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.115142107 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.115267992 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.115313053 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.115391016 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.115509987 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.115554094 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.116533041 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.118743896 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.118838072 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.119389057 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.123797894 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.123888016 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.124406099 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.174570084 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.409765005 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.410646915 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.410806894 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.412044048 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.413081884 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.413167953 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.430260897 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.433075905 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.433172941 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.433284998 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.434803963 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.434890032 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.434994936 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.437453985 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.437536001 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.437537909 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.439801931 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.439882040 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.439908981 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.441162109 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.441231966 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.441334963 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.441531897 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.441591978 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.443088055 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.443800926 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.443869114 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.444057941 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.445095062 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.445182085 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.445666075 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.445895910 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.445954084 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.447102070 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.447757959 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.447828054 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.449151039 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.449320078 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.449410915 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.449620008 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.449868917 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.449934006 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.450659990 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.451143980 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.451301098 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.451503038 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.451792002 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.451895952 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.461944103 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.461978912 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.462048054 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.462770939 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.464245081 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.464278936 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.464317083 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.464834929 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.464890003 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.465903044 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.466003895 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.466058969 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.467317104 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.467346907 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.467401981 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.468092918 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.469275951 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.469300032 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.469341040 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.470221043 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.470290899 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.471558094 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.471776962 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.471797943 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.471831083 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.473297119 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.473361015 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.506395102 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.549601078 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.565890074 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.751880884 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.751934052 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.751971960 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.752002001 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.752002001 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.752028942 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.752068996 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.758435011 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.758491993 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.758549929 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.758589983 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.772033930 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.772095919 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.772114992 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.772169113 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.773580074 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.773606062 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.773706913 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.774530888 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.774554968 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.774666071 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.775930882 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.775954962 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.776011944 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.776917934 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.776941061 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.776992083 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.777049065 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.780459881 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.780483961 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.780522108 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.780544996 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.780664921 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.780683041 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.780710936 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.780736923 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.781816959 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.781838894 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.781883001 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.781905890 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.784378052 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.784451962 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.784600973 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.784617901 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.784744978 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.786137104 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.786161900 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.786189079 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.786215067 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.786469936 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.786488056 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.786611080 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.786784887 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.786801100 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.786835909 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.786947012 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.787842989 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.787864923 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.787982941 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.787988901 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.792464018 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.792525053 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.799280882 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.799304962 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.799341917 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.799386024 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.812227964 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.812252045 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.812299967 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.812329054 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.812560081 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.812604904 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.813443899 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.813462973 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.813503981 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.813532114 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.814564943 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.814583063 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.814625025 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.814654112 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.815937042 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.815956116 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.816008091 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.817011118 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.817028046 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.817073107 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.817094088 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.817342043 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.817430019 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.817498922 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.817539930 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.819112062 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.819164038 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:48.876167059 CEST	4040	49721	23.105.131.171	192.168.2.5
May 3, 2021 15:24:48.876224041 CEST	49721	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:52.582627058 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:52.913461924 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:52.913620949 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:52.914072037 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:53.245795012 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:53.246099949 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:53.653043032 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:53.653760910 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.021512032 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.021595955 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.412295103 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.448204994 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.448295116 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.448457003 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.479228973 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.479252100 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.479336023 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.479489088 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.479669094 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.479727030 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.479826927 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.479902983 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.479958057 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.480015993 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.480144978 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.480200052 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.582238913 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.794641018 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.794667006 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.794708967 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.794735909 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.796880007 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.796938896 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.796993971 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.797034979 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.813704967 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.813783884 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.814039946 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.814126015 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.817595959 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.817645073 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.817981005 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.818027020 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.818908930 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.818969965 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.819307089 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.819350958 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.819468021 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.819513083 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.826139927 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.826188087 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.826322079 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.826410055 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.826428890 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.826451063 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.826544046 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.826579094 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.826679945 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.826735020 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.826884031 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.826946974 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.827152014 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.827194929 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.827255011 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.827290058 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.827609062 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:54.827656031 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:54.955087900 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.131728888 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.142146111 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.142180920 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.142218113 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.143115997 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.143182993 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.143646002 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.143764973 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.143811941 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.145128965 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.145294905 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.145347118 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.151794910 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.152005911 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.152065039 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.153201103 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.153414965 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.153476954 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.156558990 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.156936884 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.156996965 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.159281969 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.160650969 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.160701990 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.160765886 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.162951946 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.163000107 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.163086891 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.163273096 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.163315058 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.163328886 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.164499044 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.164562941 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.165060043 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.167249918 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.167320967 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.167599916 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.174705029 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.174761057 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.175811052 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.178323984 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.178365946 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.178375959 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.178529978 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.178591013 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.178633928 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.178726912 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.178836107 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.178888083 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.179002047 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.179061890 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.179172039 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.179289103 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.179342985 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.179452896 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.179788113 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.179835081 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.179933071 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.180092096 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.180140018 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.180289030 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.222064972 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.485790014 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.485960007 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.486025095 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.486557961 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.487813950 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.488481998 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.511600971 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.511800051 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.512954950 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.513039112 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.513151884 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.513226986 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.513489962 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.515142918 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.515301943 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.515414000 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.515508890 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.515532970 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.515630007 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.515688896 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.515753031 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.515856028 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.515917063 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.516020060 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.516134977 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.516200066 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.517066002 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.517580032 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.518754005 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.521801949 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.525727034 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.525801897 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.525983095 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.527067900 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.528759003 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.532674074 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.533230066 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.533314943 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.538125038 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.538285971 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.538397074 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.538516998 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.538544893 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.538554907 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.538722992 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.538883924 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.538999081 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.539077997 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.539170980 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.539283037 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.540134907 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.540309906 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.540632010 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.540826082 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.540978909 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.541605949 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.541887999 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.542397976 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.542690039 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.543530941 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.543757915 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.543823004 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.545306921 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.545500994 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.545762062 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.547120094 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.547210932 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.547214031 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.547665119 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.547974110 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.547979116 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.549032927 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.549083948 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.551781893 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.566453934 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.814112902 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.814204931 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.814235926 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.814295053 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.825870991 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.825978994 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.826072931 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.826122046 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.849895954 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.849992990 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.850975990 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.851084948 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.851738930 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.851828098 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.853048086 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.853166103 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.871550083 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.871653080 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.871665001 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.871707916 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.871851921 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.871896029 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.872014999 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.872062922 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.872170925 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.872298002 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.872482061 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.872533083 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.872653008 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.872730970 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.872874975 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.872927904 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.872999907 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.873172045 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.873186111 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.873261929 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.873413086 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.873485088 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.873533010 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.873661041 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.873667955 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.873714924 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.873768091 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.873814106 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.873876095 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.873915911 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.875893116 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.876012087 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.876065969 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.876128912 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.876168013 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.886122942 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.886408091 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.886428118 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.886571884 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.886962891 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.887037992 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.887315989 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.887437105 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.887753963 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.887803078 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.887900114 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.888108015 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.889981985 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.890073061 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.890108109 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.890157938 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.891007900 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.891104937 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.891320944 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.891370058 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.892214060 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.892824888 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.893045902 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.893168926 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.893273115 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.893337965 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.902298927 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.902383089 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.902443886 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.902508974 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.902575970 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.902637005 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.902676105 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.902745962 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.902753115 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.902803898 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.903055906 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.903099060 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.903112888 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.903139114 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.903156996 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.903194904 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.903328896 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.903400898 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:55.903408051 CEST	4040	49724	23.105.131.171	192.168.2.5
May 3, 2021 15:24:55.903501034 CEST	49724	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:59.583036900 CEST	49726	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:24:59.905689955 CEST	4040	49726	23.105.131.171	192.168.2.5
May 3, 2021 15:25:00.410052061 CEST	49726	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:00.729496956 CEST	4040	49726	23.105.131.171	192.168.2.5
May 3, 2021 15:25:01.238224030 CEST	49726	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:01.566800117 CEST	4040	49726	23.105.131.171	192.168.2.5
May 3, 2021 15:25:05.583940983 CEST	49727	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:05.942023039 CEST	4040	49727	23.105.131.171	192.168.2.5
May 3, 2021 15:25:06.457421064 CEST	49727	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:06.792030096 CEST	4040	49727	23.105.131.171	192.168.2.5
May 3, 2021 15:25:07.301254034 CEST	49727	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:07.641946077 CEST	4040	49727	23.105.131.171	192.168.2.5
May 3, 2021 15:25:11.789485931 CEST	49730	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:12.109703064 CEST	4040	49730	23.105.131.171	192.168.2.5
May 3, 2021 15:25:12.614155054 CEST	49730	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:12.933541059 CEST	4040	49730	23.105.131.171	192.168.2.5
May 3, 2021 15:25:13.442406893 CEST	49730	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:13.779434919 CEST	4040	49730	23.105.131.171	192.168.2.5
May 3, 2021 15:25:17.787836075 CEST	49739	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:18.115312099 CEST	4040	49739	23.105.131.171	192.168.2.5
May 3, 2021 15:25:18.630316973 CEST	49739	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:18.950761080 CEST	4040	49739	23.105.131.171	192.168.2.5
May 3, 2021 15:25:19.458533049 CEST	49739	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:19.786350012 CEST	4040	49739	23.105.131.171	192.168.2.5
May 3, 2021 15:25:23.803769112 CEST	49740	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:24.158055067 CEST	4040	49740	23.105.131.171	192.168.2.5
May 3, 2021 15:25:24.662125111 CEST	49740	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:30.662713051 CEST	49740	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:30.991437912 CEST	4040	49740	23.105.131.171	192.168.2.5
May 3, 2021 15:25:35.008469105 CEST	49741	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:35.349014997 CEST	4040	49741	23.105.131.171	192.168.2.5
May 3, 2021 15:25:35.850743055 CEST	49741	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:36.177556992 CEST	4040	49741	23.105.131.171	192.168.2.5
May 3, 2021 15:25:36.678770065 CEST	49741	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:37.041829109 CEST	4040	49741	23.105.131.171	192.168.2.5
May 3, 2021 15:25:41.056464911 CEST	49742	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:41.382505894 CEST	4040	49742	23.105.131.171	192.168.2.5
May 3, 2021 15:25:41.898113966 CEST	49742	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:42.241900921 CEST	4040	49742	23.105.131.171	192.168.2.5
May 3, 2021 15:25:42.742337942 CEST	49742	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:43.061104059 CEST	4040	49742	23.105.131.171	192.168.2.5
May 3, 2021 15:25:47.073132038 CEST	49743	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:47.423136950 CEST	4040	49743	23.105.131.171	192.168.2.5
May 3, 2021 15:25:47.929843903 CEST	49743	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:48.254781961 CEST	4040	49743	23.105.131.171	192.168.2.5
May 3, 2021 15:25:48.757877111 CEST	49743	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:49.081481934 CEST	4040	49743	23.105.131.171	192.168.2.5
May 3, 2021 15:25:53.088042974 CEST	49745	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:53.421427011 CEST	4040	49745	23.105.131.171	192.168.2.5
May 3, 2021 15:25:53.930191040 CEST	49745	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:54.248594999 CEST	4040	49745	23.105.131.171	192.168.2.5
May 3, 2021 15:25:54.758399963 CEST	49745	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:55.083857059 CEST	4040	49745	23.105.131.171	192.168.2.5
May 3, 2021 15:25:59.182612896 CEST	49747	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:25:59.618030071 CEST	4040	49747	23.105.131.171	192.168.2.5
May 3, 2021 15:26:00.137275934 CEST	49747	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:00.473515034 CEST	4040	49747	23.105.131.171	192.168.2.5
May 3, 2021 15:26:00.993360996 CEST	49747	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:01.334481955 CEST	4040	49747	23.105.131.171	192.168.2.5
May 3, 2021 15:26:05.440119028 CEST	49748	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:05.764952898 CEST	4040	49748	23.105.131.171	192.168.2.5
May 3, 2021 15:26:06.274991035 CEST	49748	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:06.601068020 CEST	4040	49748	23.105.131.171	192.168.2.5
May 3, 2021 15:26:07.103267908 CEST	49748	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:07.432020903 CEST	4040	49748	23.105.131.171	192.168.2.5
May 3, 2021 15:26:11.452076912 CEST	49749	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:11.780996084 CEST	4040	49749	23.105.131.171	192.168.2.5
May 3, 2021 15:26:12.291157007 CEST	49749	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:12.616703033 CEST	4040	49749	23.105.131.171	192.168.2.5
May 3, 2021 15:26:13.119573116 CEST	49749	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:13.464745045 CEST	4040	49749	23.105.131.171	192.168.2.5
May 3, 2021 15:26:17.552160025 CEST	49750	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:17.876399994 CEST	4040	49750	23.105.131.171	192.168.2.5
May 3, 2021 15:26:18.385442972 CEST	49750	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:18.730798960 CEST	4040	49750	23.105.131.171	192.168.2.5
May 3, 2021 15:26:19.244971991 CEST	49750	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:19.569787025 CEST	4040	49750	23.105.131.171	192.168.2.5
May 3, 2021 15:26:23.576256990 CEST	49751	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:23.909859896 CEST	4040	49751	23.105.131.171	192.168.2.5
May 3, 2021 15:26:24.417188883 CEST	49751	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:24.759964943 CEST	4040	49751	23.105.131.171	192.168.2.5
May 3, 2021 15:26:25.260994911 CEST	49751	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:25.605818987 CEST	4040	49751	23.105.131.171	192.168.2.5
May 3, 2021 15:26:29.621803045 CEST	49752	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:29.950159073 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:29.950397968 CEST	49752	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:29.950948954 CEST	49752	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:30.316000938 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:30.344500065 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:30.344887972 CEST	49752	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:30.680224895 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:30.681049109 CEST	49752	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:31.092107058 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.125631094 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.126485109 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.126537085 CEST	49752	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:31.137404919 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.137490988 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.137564898 CEST	49752	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:31.138175011 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.138487101 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.138536930 CEST	49752	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:31.140866995 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.141443968 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.141515017 CEST	49752	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:31.142682076 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.144440889 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.144510984 CEST	49752	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:31.456634045 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.457401037 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.457474947 CEST	49752	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:31.458466053 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.459398031 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.459455967 CEST	49752	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:31.481791973 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.484503984 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.484616041 CEST	49752	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:31.484643936 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.484793901 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.484879971 CEST	49752	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:31.484950066 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.485074997 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.485125065 CEST	49752	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:31.485327959 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.486383915 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.486434937 CEST	49752	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:31.487416029 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.487631083 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.487692118 CEST	49752	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:31.502588034 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.504569054 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.504659891 CEST	49752	4040	192.168.2.5	23.105.131.171
May 3, 2021 15:26:31.505022049 CEST	4040	49752	23.105.131.171	192.168.2.5
May 3, 2021 15:26:31.506361008 CEST	4040	49752	23.105.131.171	192.168.2.5

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: TT COPY pdf.exe PID: 5640 Parent PID: 5680

General

Start time:	15:24:21
Start date:	03/05/2021
Path:	C:\Users\user\Desktop\TT COPY pdf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\TT COPY pdf.exe'
Imagebase:	0x520000
File size:	906752 bytes
MD5 hash:	5C59C6FB72B449BD3E52B628C7C46002
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.267284448.00000000039D9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.266683810.00000000029D1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6160 Parent PID: 5640

General

Start time:	15:24:25
Start date:	03/05/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kAozQG' /XML 'C:\Users\user\AppData\Local\Temp\tmp2D06.tmp'
Imagebase:	0xda0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6176 Parent PID: 6160

General

Start time:	15:24:26
Start date:	03/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: TT COPY pdf.exe PID: 6240 Parent PID: 5640

General

Start time:	15:24:26
Start date:	03/05/2021
Path:	C:\Users\user\Desktop\TT COPY pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\TT COPY pdf.exe
Imagebase:	0x8d0000
File size:	906752 bytes
MD5 hash:	5C59C6FB72B449BD3E52B628C7C46002
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.523106408.00000000058E0000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.522969256.0000000005830000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.522969256.0000000005830000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.518288271.0000000002EA1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.521801480.0000000003EE9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.516107579.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: TT COPY pdf.exe PID: 5640 Parent PID: 5680 TT COPY pdf.exeCOMMON

Executed Functions

Function 05B78578, Relevance: 4.1, Strings: 3, Instructions: 314COMMON

Download Yara Rule

Strings

<!l, xrefs: 05B78687
\.4, xrefs: 05B78716
\.4, xrefs: 05B7870F

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID: <!l$\.4$\.4
API String ID: 0-1537011439
Opcode ID: 0459ba49fa0f1feba03e53ab15e4fa2f1d1204be0119b2e54d3883816661ffdd
Instruction ID: 5ed4334b1943b4283bc30217d866deb6601569b8b8b24827861c42b73482f203
Opcode Fuzzy Hash: 0459ba49fa0f1feba03e53ab15e4fa2f1d1204be0119b2e54d3883816661ffdd
Instruction Fuzzy Hash: 1CD12A70D1420ADFCB04CF96C4854AEFBB3FF89301F249599E526AB254DB34AA42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05B78573, Relevance: 2.8, Strings: 2, Instructions: 305COMMON

Download Yara Rule

Strings

<!l, xrefs: 05B78687
\.4, xrefs: 05B78716

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID: <!l$\.4
API String ID: 0-59617138
Opcode ID: caa6dff396271f30a9a92221a63a9b39fc335da91a3270baca611aeb23935140
Instruction ID: a03430949d37ac2690e3b5525e47b55302ee0c0374ffbb002581bc104d113df3
Opcode Fuzzy Hash: caa6dff396271f30a9a92221a63a9b39fc335da91a3270baca611aeb23935140
Instruction Fuzzy Hash: 8BD1F770D1420ADFCB04CF96C5858AFFBB3FF89301B249599E526A7254DB34AA42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02734EB0, Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

qOfU, xrefs: 02735055

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID: qOfU
API String ID: 0-2712124226
Opcode ID: ebb7bc70203e0f8c61ce89751c4dfd1c5729d2525b4b647465bc0beffe15b87f
Instruction ID: 789587b7b7d4ecf1863b26b9cdbd1f6ffac07adc246942ac65535eef4da7e7d5
Opcode Fuzzy Hash: ebb7bc70203e0f8c61ce89751c4dfd1c5729d2525b4b647465bc0beffe15b87f
Instruction Fuzzy Hash: D8C13674E552089FDB04CFA4D995BDEBBB2FB89300F249129E409BB399DB34A941CF14

Uniqueness

Uniqueness Score: -1.00%

Function 02734EAB, Relevance: 1.5, Strings: 1, Instructions: 289COMMON

Download Yara Rule

Strings

qOfU, xrefs: 02735055

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID: qOfU
API String ID: 0-2712124226
Opcode ID: 4889dfb52b05ba7b5714f51608b20f3894e74f7c22fea4550c77348c48b3ad61
Instruction ID: f7531f8afffa4faece978fa1b2d3715fd3de2932ec89c9cf91f19eaee8e03845
Opcode Fuzzy Hash: 4889dfb52b05ba7b5714f51608b20f3894e74f7c22fea4550c77348c48b3ad61
Instruction Fuzzy Hash: 94C13674E552089FDB04CFA4D995BDEBBB2FB89300F249029E409BB399DB34A941CF14

Uniqueness

Uniqueness Score: -1.00%

Function 02734EA3, Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

qOfU, xrefs: 02735055

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID: qOfU
API String ID: 0-2712124226
Opcode ID: e9419f4ccbb26680a2a1393a3f9dc1e12ea28d2c7467470c54c06f19b45f102c
Instruction ID: 8f908995eca57febe6cbd062c1f14fbbd98d09411f4ee12040bf4403ecea11f3
Opcode Fuzzy Hash: e9419f4ccbb26680a2a1393a3f9dc1e12ea28d2c7467470c54c06f19b45f102c
Instruction Fuzzy Hash: C1A14774E452099FDB04CFA4D955BDEBBB2FB89300F249129E406BB399DB34AA41CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0273546B, Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

UOr, xrefs: 02735502

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID: UOr
API String ID: 0-2556223449
Opcode ID: 00a33479288c12cc0e574db1c1332557b06d9c59b2e216fc0792b2ca92ba2459
Instruction ID: 8a81ae71ce1e811cfc72cdd9479bcc0e38f9b4a288924ae77f3d677a11478519
Opcode Fuzzy Hash: 00a33479288c12cc0e574db1c1332557b06d9c59b2e216fc0792b2ca92ba2459
Instruction Fuzzy Hash: 3281F374E112199FCB08DFA5D8459EEBBB2FF88311F60902AE81AB7359DB345902CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02735478, Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

UOr, xrefs: 02735502

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID: UOr
API String ID: 0-2556223449
Opcode ID: c10fc683d7d1967a671f8117f57e631f614c8b655d4020eef53592a79879f32a
Instruction ID: d5b104f2ffb95dfceec7f8b38e4c1e3b3b7abd9a35fcd073056d88fc4057c499
Opcode Fuzzy Hash: c10fc683d7d1967a671f8117f57e631f614c8b655d4020eef53592a79879f32a
Instruction Fuzzy Hash: 7E81E274E112199FCB08DFA5D8459EEBBB2FF88310F60942AE81AB7359DB345902CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05B743E0, Relevance: .9, Instructions: 903COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75b0fdcf8f5a6b8fa7aae8289af9b2fd8e92f4074286e71da83e577d355880e6
Instruction ID: 49c8ce38f36e42de0e2979ba60faa4ac75b6749e562d8b2fb217ef5220d328ee
Opcode Fuzzy Hash: 75b0fdcf8f5a6b8fa7aae8289af9b2fd8e92f4074286e71da83e577d355880e6
Instruction Fuzzy Hash: C8820830A046499FCF14CF68C584AAEBBF2FF89316F158599E529AB2A1D730FD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05B73690, Relevance: .9, Instructions: 888COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f601095627a2f775aaf41564de3f684eb66e02feee640d5aecb219e83ae3ef41
Instruction ID: 9a6e37f7347ebfe3382b90d5dbbb3586a3bc5466aeb7d79f14867548acd8a9c5
Opcode Fuzzy Hash: f601095627a2f775aaf41564de3f684eb66e02feee640d5aecb219e83ae3ef41
Instruction Fuzzy Hash: 61729070A042199FCB14DFA8C855AAEBBF2FF88305F1584A9E516EB391DB30ED41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0298E6C0, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266626611.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f46c239fa415deaf108bbc98da4e64ee4ccd609ee484292a1a583c7ff9d53e
Instruction ID: 2768d00dfb16c9a5dcaf0939d49e28613d5234dd589d2ee78ab8e02a92a82e2c
Opcode Fuzzy Hash: d8f46c239fa415deaf108bbc98da4e64ee4ccd609ee484292a1a583c7ff9d53e
Instruction Fuzzy Hash: 4112C4B1415B468BD330CF65ED9A1893BA1B745328F91420CD2E12BED9D7BE11AECF44

Uniqueness

Uniqueness Score: -1.00%

Function 05B7F3B8, Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7a88d19ef91fa68199f6554df579f889110478cdcc6b5081b96aa71a9f1b544
Instruction ID: afe9d67530fd277fddf254400f0e663472779663cbcbb589ff4bc2b63c00a816
Opcode Fuzzy Hash: f7a88d19ef91fa68199f6554df579f889110478cdcc6b5081b96aa71a9f1b544
Instruction Fuzzy Hash: 61A11874E052099FCB04CFA9C5819AEFBF2BF89310F24C16AD419A7359DB34A942CB58

Uniqueness

Uniqueness Score: -1.00%

Function 05B76526, Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a054e927136551dc3f7737b177c7b36580368c22a7c26a38f0051c4f25b39fa
Instruction ID: 44aa3e86d2ac3392e441de6c1099b22133a9db17d94f28c3ac1d8e10c8831fef
Opcode Fuzzy Hash: 4a054e927136551dc3f7737b177c7b36580368c22a7c26a38f0051c4f25b39fa
Instruction Fuzzy Hash: 37910375E046098FCB04CFA9D981AEDBBB2FF89310F54806AD425BB368D734A941CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0298E6B0, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266626611.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da733f1cb2164c1ceafae5e67473f5e962cf8bcafdef3d330947e33b97ca5f1
Instruction ID: df68b757b020589e2f513d7a3e5237efe3aad4077ca9e6f06084f28a9c7faa2f
Opcode Fuzzy Hash: 4da733f1cb2164c1ceafae5e67473f5e962cf8bcafdef3d330947e33b97ca5f1
Instruction Fuzzy Hash: 5EC11BB14157468BD724CF65EC8A1897BB1BB85328F51430CD1A16BED8D7BE10AECF44

Uniqueness

Uniqueness Score: -1.00%

Function 05B765E8, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab3df3438be438a1b6efcaa44b7e149596b061c4347a545ed43ff05afde5d40
Instruction ID: a943d50cb8a77d60ed54f8eb2b74ade9d7b563202de10cb42fbd13ac47af3de9
Opcode Fuzzy Hash: 4ab3df3438be438a1b6efcaa44b7e149596b061c4347a545ed43ff05afde5d40
Instruction Fuzzy Hash: 2E91D574E056188FDB08CFA9C9846EEFBB2FF89300F14942AD529BB268D7349905CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05B765E3, Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8360e93df48b210b8393c3b7d0850b8b2defc29fe17fef67e654d15a0476f04b
Instruction ID: ad279e048ed0127a7bb67fa2a20a3b72df44d872ef64be2e7f4c7689acbc1b60
Opcode Fuzzy Hash: 8360e93df48b210b8393c3b7d0850b8b2defc29fe17fef67e654d15a0476f04b
Instruction Fuzzy Hash: 0591D574E056188FDB08CFA9C984ADEBBB2FF89300F14842AD525BB368D7349901CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05B7F850, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b93f0332b25a505bbf3533e40675d903fddd5e924a41e63f39aa5e0ab534bc33
Instruction ID: 80ecbbc508b88b332f5b7284ff939c8cd00aee431d445862da42909fa41263fa
Opcode Fuzzy Hash: b93f0332b25a505bbf3533e40675d903fddd5e924a41e63f39aa5e0ab534bc33
Instruction Fuzzy Hash: 70715970E1520ADFCB04CFA9C481ABEFBF2FB89310F14C56AD525A7214D734AA418FA4

Uniqueness

Uniqueness Score: -1.00%

Function 05B76DA0, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e39d952e6ae98574c8612e720f1bc1182febd7818dc7c42407ea9396e319b02
Instruction ID: 35945b89e6fcaabe00f9e1172989b36e66464aca952021948cc784a7ddc7c895
Opcode Fuzzy Hash: 2e39d952e6ae98574c8612e720f1bc1182febd7818dc7c42407ea9396e319b02
Instruction Fuzzy Hash: 65514970E146198FCB08CFEAC5415AEFBF2FF88340F24D56AD529B7254DB349A418BA4

Uniqueness

Uniqueness Score: -1.00%

Function 05B76D90, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb631d0fe9c8f6b80de6d9630272bcc720227ea73d81f4c6a570e2af7428cbea
Instruction ID: 428174ea859d864e28bde25ae17fbb4df2dd458030050aa06b2bbe23fd70c27f
Opcode Fuzzy Hash: fb631d0fe9c8f6b80de6d9630272bcc720227ea73d81f4c6a570e2af7428cbea
Instruction Fuzzy Hash: CB514B70E146198FCB08CFEAC5415AEFBF2FF89340F24D56AD419A7254D7349A41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 027347D0, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf55c8e35a6a3a77ecdd99a1a125f009916f1943f0af38afcddcc90036722d3
Instruction ID: a2a3cc81d4a80eed7541f658bd28398ef114a55a0e0f85365252e4b1209a0710
Opcode Fuzzy Hash: 9bf55c8e35a6a3a77ecdd99a1a125f009916f1943f0af38afcddcc90036722d3
Instruction Fuzzy Hash: C7418A75E15258CFCB08CFA5D9955DDFBB2FB8D300F10942AE409B7259EB389801CB68

Uniqueness

Uniqueness Score: -1.00%

Function 027347C3, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cdb46639abe119b02cc0e89b28835e1859ccaca3c8af4f276cb35a3946725b
Instruction ID: 41486e5e0d9f581cb671fb7fc9c3a85cdea0042c1567d7ba63a47e43464828e9
Opcode Fuzzy Hash: 35cdb46639abe119b02cc0e89b28835e1859ccaca3c8af4f276cb35a3946725b
Instruction Fuzzy Hash: 14419875E15218DBCB08CFA5D9955DDFBB2FF8D300F14942AE409B7268EB389801CB28

Uniqueness

Uniqueness Score: -1.00%

Function 02738EA0, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d9b8ab4d6e63287b18a651d37bc3e3a4e702662de84d08d17d372828e1275d
Instruction ID: 4f64817f2d38f716184152d427d741de662293026754d2a22fb8c0f44805b517
Opcode Fuzzy Hash: 53d9b8ab4d6e63287b18a651d37bc3e3a4e702662de84d08d17d372828e1275d
Instruction Fuzzy Hash: DC318034D5A21EDBDF16CFA5D8446FEBBF6AB4B244F105426F802F3252E7348940CA26

Uniqueness

Uniqueness Score: -1.00%

Function 05B7B948, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcad1ff04aca5bfb685a45d06f699db082081aa774f6d3282b4f88612ee5f7b8
Instruction ID: 781255b586dfc3e9e71fa7b4c08a7d71314e4326a9e87b241ae1f0562dc1335d
Opcode Fuzzy Hash: fcad1ff04aca5bfb685a45d06f699db082081aa774f6d3282b4f88612ee5f7b8
Instruction Fuzzy Hash: 03415F71E116588BDB18CF6BCD4579EFAF3BFC8300F14C1BA951DA6218EB301A868E11

Uniqueness

Uniqueness Score: -1.00%

Function 02738E9B, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9325dc449ca2faaa4ac2172b94da1cf54a7b36899ea618e7dfd52ffcb65635
Instruction ID: 67c8acb25c020ed9703d9a475d333f440f60b57732c6c5a44b7856d79d7242fc
Opcode Fuzzy Hash: bc9325dc449ca2faaa4ac2172b94da1cf54a7b36899ea618e7dfd52ffcb65635
Instruction Fuzzy Hash: B3316D30D4A21EDBCB168BA4D8546FEBAF6AB4B244F105416F802F3282D7348940CA26

Uniqueness

Uniqueness Score: -1.00%

Function 05B77728, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 463068a0ca5481bae227e791460a77713c81df801c10130437ebf619ef35c664
Instruction ID: 0ee1475370410fef792ebc3f8504f39a6a6c2b82e1dd229088954cff9f98ab58
Opcode Fuzzy Hash: 463068a0ca5481bae227e791460a77713c81df801c10130437ebf619ef35c664
Instruction Fuzzy Hash: C031D6B1E006188BDB18CFABD9446DEFBB3BFC8310F14C16AE409A6258DB755946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05B77719, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65dbf989febafca4cb9d5c2180e19f75a1069486bd8b13149495ae9a119ed26
Instruction ID: 6dcd5b98e85a1db6f26ecbad2cdbee57e515df24a89eae8aefbee9619d0c2e8d
Opcode Fuzzy Hash: e65dbf989febafca4cb9d5c2180e19f75a1069486bd8b13149495ae9a119ed26
Instruction Fuzzy Hash: A3217AB1E106188BDB18CFAAD94579EFBF3AFC8300F14C16AD809A6258DB7559468F90

Uniqueness

Uniqueness Score: -1.00%

Function 02738FCC, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aead43657705d2e64fe977474a65e1cbb001ccdfb833b6aec546543c6bbc71ed
Instruction ID: 4bdde8301bdf1992e783d5318e73246b24033078f204f4aaec370c65c765b027
Opcode Fuzzy Hash: aead43657705d2e64fe977474a65e1cbb001ccdfb833b6aec546543c6bbc71ed
Instruction Fuzzy Hash: 2201A270D4929BDBDB028FA0C8945BEBF72EB07200F10154AE402FB152DB78C541DB56

Uniqueness

Uniqueness Score: -1.00%

Function 0298B901, Relevance: 6.1, APIs: 4, Instructions: 127threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0298B970
GetCurrentThread.KERNEL32 ref: 0298B9AD
GetCurrentProcess.KERNEL32 ref: 0298B9EA
GetCurrentThreadId.KERNEL32 ref: 0298BA43

Memory Dump Source

Source File: 00000000.00000002.266626611.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 90b4f97184fdb92729e922eb9c5439631f2ec3ced841ac838a8b52f269f4118f
Instruction ID: 12ae4eab0c78295742337940d444b3131b69b25a9d46ce751ce53dee28227cf0
Opcode Fuzzy Hash: 90b4f97184fdb92729e922eb9c5439631f2ec3ced841ac838a8b52f269f4118f
Instruction Fuzzy Hash: 6F5144B0E047898FDB14CFAAD5887EEBBF0AF48318F28845AE449A7350D7355945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0298B910, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0298B970
GetCurrentThread.KERNEL32 ref: 0298B9AD
GetCurrentProcess.KERNEL32 ref: 0298B9EA
GetCurrentThreadId.KERNEL32 ref: 0298BA43

Memory Dump Source

Source File: 00000000.00000002.266626611.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0d242d70969e20616d8c04a2fe42897197808c0ef77f62d8eeda539b84447361
Instruction ID: 008c7f9332b34f5ff16ec57fe6f97cf6f5717eb90a0a7907a455f173a391d951
Opcode Fuzzy Hash: 0d242d70969e20616d8c04a2fe42897197808c0ef77f62d8eeda539b84447361
Instruction Fuzzy Hash: F95145B0E047898FDB14DFAAC548BAEBBF0AF48318F288459E449B7350D7346944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0273331D, Relevance: 1.7, APIs: 1, Instructions: 245processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0273355E

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e5daf12591b9eccf5b121606b715a90b65ce8418bc292bb3f840667b9f1bc8fa
Instruction ID: 6930a14c46ff6374bde7d00f5abd1b87fef58be3ff27d32e0abeae3b1f34348f
Opcode Fuzzy Hash: e5daf12591b9eccf5b121606b715a90b65ce8418bc292bb3f840667b9f1bc8fa
Instruction Fuzzy Hash: 90915C71D00269DFDF21CFA4C881BEEBBB2BF48314F0585A9D809A7291DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02733328, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0273355E

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 511bac64d03ec91f0581772c728b8d2a7d16212c717d2a61063aa316ee7f26d3
Instruction ID: 7ebf740d8b042c0905da73afc643b6d39dc2654feda02a1df8e515b6d5520dc3
Opcode Fuzzy Hash: 511bac64d03ec91f0581772c728b8d2a7d16212c717d2a61063aa316ee7f26d3
Instruction Fuzzy Hash: FD915C71D00269DFDF21CF64C881BEEBBB2BF48314F0585A9D809A7291DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02989910, Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02989B56

Memory Dump Source

Source File: 00000000.00000002.266626611.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2c91f0de8b52c0b89848b2855fb36eac58e27a809d5ffe31a7e962f4753233ab
Instruction ID: 34fe9c62e527e34dcc03e2c98d316148890d1a2ca95ef9a27a327a6eaff738a3
Opcode Fuzzy Hash: 2c91f0de8b52c0b89848b2855fb36eac58e27a809d5ffe31a7e962f4753233ab
Instruction Fuzzy Hash: D4711370A00B058FE724EF6AC44576AB7F5BF88304F04892ED59AD7B40E775E905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0298FDDB, Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0298FF4A

Memory Dump Source

Source File: 00000000.00000002.266626611.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a3e1975016b46875d79ab68b1b1c65c3f0d6387ec53548ee6ea241070568ae32
Instruction ID: 7175fdda88868d4a70856d28b9148b97e484207f7c2252faa51766e692449351
Opcode Fuzzy Hash: a3e1975016b46875d79ab68b1b1c65c3f0d6387ec53548ee6ea241070568ae32
Instruction Fuzzy Hash: BE512471C00249EFCF11DFA5C980ACDBFB6BF48304F59816AE408AB221D7319855CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0298FE38, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0298FF4A

Memory Dump Source

Source File: 00000000.00000002.266626611.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5ece7d9a73830770fc2bdb8962253351e8acbd7b6dfbcdfee9de54ea7393da84
Instruction ID: 84a7ab6a6571563e3e4877747fbda2d6e66bace0fb5a25004c6bb86e754d22db
Opcode Fuzzy Hash: 5ece7d9a73830770fc2bdb8962253351e8acbd7b6dfbcdfee9de54ea7393da84
Instruction Fuzzy Hash: 4F41CFB1D103489FDF14DFA9C984ADEBBB5FF88314F64812AE819AB250D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02732A8F, Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5d25a5e4a6c01ece04f939f47add4aea474bbdb9e1f71150be4ad265fb3292
Instruction ID: 36ae0264b1174bcee672fc32dd02a9daf55a0ba097ad4ea8ffd5ed84c9c1ba7d
Opcode Fuzzy Hash: 1f5d25a5e4a6c01ece04f939f47add4aea474bbdb9e1f71150be4ad265fb3292
Instruction Fuzzy Hash: 4E31C0329042448FEF22CFB4C4553AEBBF0BB58224F18986ACC46AB243D7349D45CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 027330A0, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02733130

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 572b4edffd8a27e0d4b691bb2137ea305f862df30951a3929cc66ec79b541c22
Instruction ID: 64f0759bcf0324cdc74afc84d3b23a8ee5dc185e404d79a825f366c4aace4585
Opcode Fuzzy Hash: 572b4edffd8a27e0d4b691bb2137ea305f862df30951a3929cc66ec79b541c22
Instruction Fuzzy Hash: D92125719003999FCF10CFA9C884BEEBBF5FF48324F50842AE918A7251D7789944DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02733098, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02733130

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 063c289ebfd89d88d357a96c08f59efeeaf9daa20c8eff3ca97d17bf82e1c49f
Instruction ID: 835b4486245d2ab84299e8ef83204a6ca7c828778acd7697769fea731c2f9902
Opcode Fuzzy Hash: 063c289ebfd89d88d357a96c08f59efeeaf9daa20c8eff3ca97d17bf82e1c49f
Instruction Fuzzy Hash: FC2146B1D003598FCF10CFA9C9817EEBBF1BF48314F11842AE918A7250D7789954DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0298BB30, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0298BBBF

Memory Dump Source

Source File: 00000000.00000002.266626611.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 89d7a6875c8774408925426cf1afc2f0a83800dc208a74c1653add17c0e2b671
Instruction ID: 9491d62a1d888edba0080005590af8af05b74a4717d6d54d98906903ae597b36
Opcode Fuzzy Hash: 89d7a6875c8774408925426cf1afc2f0a83800dc208a74c1653add17c0e2b671
Instruction Fuzzy Hash: 7D21E3B59012489FDB10CFA9D984ADEBBF8EB48324F18841AE954B3310D374A945DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02732AFB, Relevance: 1.6, APIs: 1, Instructions: 64threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 02732B7E

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 277d5c004303932683072f27d0f75578d0278a5cbce8f817da11b9b1cecb3355
Instruction ID: bd217e12917b267e75c2b5d2b68ffce28b8aa328ad83fb8794d9b0c0ed2e3159
Opcode Fuzzy Hash: 277d5c004303932683072f27d0f75578d0278a5cbce8f817da11b9b1cecb3355
Instruction Fuzzy Hash: BC2137719003498FCB10CFAAC5847EEBBF4AF48328F55842AD919A7241DB789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02732B00, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 02732B7E

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: e572a05217fa4eaa582561ef01c7e7de77f512487bb2a80702883d43b15202cd
Instruction ID: 91cfc6aed63792807f392ea01b05d0a401e015978e94508dbd106156b15b7c59
Opcode Fuzzy Hash: e572a05217fa4eaa582561ef01c7e7de77f512487bb2a80702883d43b15202cd
Instruction Fuzzy Hash: D12135719003498FCB10CFAAC4847EEBBF4AF48328F15842AD919A7241DB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02733190, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02733210

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 49f39f2cb147f9601a8dc8dabad4048674b1cdd1a980f747301d1e81bd963089
Instruction ID: 35f88b4f8f482bbbff7ab8c076fd1a14c98a4c5a3e9af9fee671539a106ef773
Opcode Fuzzy Hash: 49f39f2cb147f9601a8dc8dabad4048674b1cdd1a980f747301d1e81bd963089
Instruction Fuzzy Hash: D6211671D003999FCB10CFA9C980AEEBBB5FF48314F51842AE918A7250D7749944DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02733188, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02733210

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 62c9b61eb0643feadbfbfe3327cc42d8d0fd112b50a73075eda9f9367eea5373
Instruction ID: d7677e84a6d55c328bc8e6cf12eba6c610e4506902b260cf7c9f258c33de4118
Opcode Fuzzy Hash: 62c9b61eb0643feadbfbfe3327cc42d8d0fd112b50a73075eda9f9367eea5373
Instruction Fuzzy Hash: F82136B1D003998FCB10CFA9C9807EEBBB4FF48314F11842AE918B7250D7389944DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0298BB38, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0298BBBF

Memory Dump Source

Source File: 00000000.00000002.266626611.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9203011c2ec927eab496b066cca766acbe23581b62f253417455eebf9cf99a4b
Instruction ID: 7de048d075de5961906a79dd285450332c5dd1a1048bc825b3930a9d41a7e2a4
Opcode Fuzzy Hash: 9203011c2ec927eab496b066cca766acbe23581b62f253417455eebf9cf99a4b
Instruction Fuzzy Hash: 3E21E2B59002489FDB10CFA9D984ADEBBF8EB48324F14841AE914B3310D378A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02989D70, Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02989BD1,00000800,00000000,00000000), ref: 02989DE2

Memory Dump Source

Source File: 00000000.00000002.266626611.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f0d94e66101b741482ebbd9ee8c9309bacefaeaf21bacbf878d025c0387d877f
Instruction ID: bdb0358252ab4c50914ab7c56c59924b71b957102ee0bbedfc7ff4c624d68a8a
Opcode Fuzzy Hash: f0d94e66101b741482ebbd9ee8c9309bacefaeaf21bacbf878d025c0387d877f
Instruction Fuzzy Hash: 702124B29002488FDB10DF9AC484ADEFBF8AF48314F15841AE415A7310D374A549CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0298951C, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02989BD1,00000800,00000000,00000000), ref: 02989DE2

Memory Dump Source

Source File: 00000000.00000002.266626611.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 487395930aefff346ea42507be7f040e3c20383a8381ff3d67c95f0ec342e953
Instruction ID: 97cd58ca3e3cf8137f7955d7380fdf6bd66bb92959bd7db54731df876517edd3
Opcode Fuzzy Hash: 487395930aefff346ea42507be7f040e3c20383a8381ff3d67c95f0ec342e953
Instruction Fuzzy Hash: CD11D3B69003499FDB10DF9AC444AEEBBF4EF48324F15842AE915A7300D774A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05B7E188, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 05B7E1FB

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c1d915cb814de323b61cf665c85116c7fdf3cf6d4f46aaaaae2f0cacb3d67e8f
Instruction ID: e89721a42e22541dcd8d60335241c68e99efc1b98b81c144208c2dfe2daa7ea1
Opcode Fuzzy Hash: c1d915cb814de323b61cf665c85116c7fdf3cf6d4f46aaaaae2f0cacb3d67e8f
Instruction Fuzzy Hash: CD21E7719002599FCB10CF9AC884BDEFBF4FF48324F148469E568A7250D374A945DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02732FDB, Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0273304E

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a7b3d6fbe4cda2d3389bec7f07694ecb5f8c9e0327059c47c235528d6e3f7528
Instruction ID: 46aa62a780bbcc02d34f3d1a0e02dba5dc49653d38c389524a494c7928b04c49
Opcode Fuzzy Hash: a7b3d6fbe4cda2d3389bec7f07694ecb5f8c9e0327059c47c235528d6e3f7528
Instruction Fuzzy Hash: 6B1156719002889FCF10CFA9C944BDFBBF5EF88324F14841AE619A7250D735A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02732FE0, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0273304E

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a1ac3afc7bb9d71daef70db15557c7224939536c1964fed4ee5ff4097cbb938e
Instruction ID: 2ef8d04f96d3f9aa16ddd6ffcd8b0cbb7a8428c14933bf921291207ff3a426d1
Opcode Fuzzy Hash: a1ac3afc7bb9d71daef70db15557c7224939536c1964fed4ee5ff4097cbb938e
Instruction Fuzzy Hash: 241167719002888FCF10CFA9C844BDFBBF5EF48324F14841AE519A7250C7359944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02732413, Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0273247A

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9e9c893d77419a1d8f3e6b85704edf0dbd5afb1d8f4f44f966bdcafe8742e286
Instruction ID: 8a79bd0b89d2862ad805cdfb51ae6731b08cb9eb023124bbb7a217d66ea6d232
Opcode Fuzzy Hash: 9e9c893d77419a1d8f3e6b85704edf0dbd5afb1d8f4f44f966bdcafe8742e286
Instruction Fuzzy Hash: C4112871D003888BCB10DFAAC5447DEBBF4AB88328F15841AD559B7350D774A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02732418, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0273247A

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 16b800b4b479ceb45d84fe68ae829b2489d43a35c8b6ba3da1d2004ea559994c
Instruction ID: 986d2f8a8c00b9c3cbdc5100daf24c3df97ebc63b9d724fb481105b10f41175d
Opcode Fuzzy Hash: 16b800b4b479ceb45d84fe68ae829b2489d43a35c8b6ba3da1d2004ea559994c
Instruction Fuzzy Hash: 43112871D003888BCB10DFAAC4447DEBBF4AB88328F158419D519B7250D774A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02738D9B, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 02738DF8

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 01e6d5e8b824f3af4b705d6230c724db96a1cdf219744d6e47a172050fd5b589
Instruction ID: 95cb9be766f78bde1fcdca92abeeb54ab77e6fc0c8c2e6dbd24df156a7332d8c
Opcode Fuzzy Hash: 01e6d5e8b824f3af4b705d6230c724db96a1cdf219744d6e47a172050fd5b589
Instruction Fuzzy Hash: 761136B58002898FCB10CF9AC585BDEBBF4EF48324F15842AE954B7340D738A944DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02732C38, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 02738465

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 00617e340263825905a4ec3a60f2946ad21ff13375d74326049d0a40b0305f3e
Instruction ID: 419fa248653a54f10b2ead5bff977a286cd06edc1efc41fbba71fd88c1574d65
Opcode Fuzzy Hash: 00617e340263825905a4ec3a60f2946ad21ff13375d74326049d0a40b0305f3e
Instruction Fuzzy Hash: DE11FEB59003889FDB10DF99C988BDEBBF8EB48324F51841AE954B7700C374A944CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 02738DA0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 02738DF8

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 60aa28aa8b732dd46d7f908a31a05cc3e27264f9592b08d39bde940306f03a34
Instruction ID: ec8fa8318f64f1cd622a93e7d0fa81076c9ef8200f5a6c45d1991e4b94ef888b
Opcode Fuzzy Hash: 60aa28aa8b732dd46d7f908a31a05cc3e27264f9592b08d39bde940306f03a34
Instruction Fuzzy Hash: 201133B18002898FCB10CF9AC544BDEBBF4EF48324F15842AE958A7340D738A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02989AF0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02989B56

Memory Dump Source

Source File: 00000000.00000002.266626611.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 641c4e51251eea482809f138e2d0e29c535669b9cb72c5b3a21f68759a9cd92c
Instruction ID: f32c6a1c625720022a93a7bf4c21b73ce60356060811157c0459c5334d872fa9
Opcode Fuzzy Hash: 641c4e51251eea482809f138e2d0e29c535669b9cb72c5b3a21f68759a9cd92c
Instruction Fuzzy Hash: 3311DFB5D006898FDB10DF9AC844BDEFBF8AB88324F15851AD829B7710D374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02738403, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 02738465

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8ea431cee57d8fd9d08325642b402ed7bbd34bcbbda0d706f3b36aa698e2d0a2
Instruction ID: 7821264bb124739c452770732aa19aac4f9b3088163a4293be57bd5eeba1c1e8
Opcode Fuzzy Hash: 8ea431cee57d8fd9d08325642b402ed7bbd34bcbbda0d706f3b36aa698e2d0a2
Instruction Fuzzy Hash: C411E2B59003899FDB20DF9AC985BDEBBF8EB48324F14841AE955B7700C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05B7A718, Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

#X0b, xrefs: 05B7A76A

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID: #X0b
API String ID: 0-2375456323
Opcode ID: 91c30e4d78b9011aca90690b52e94b58fcbe425795ba3c5325e374fb3f4ca8c3
Instruction ID: 11f10209fb3b5d3d59932a7fdf745be97d744769c91c9f0c92ac1ce5d02dc77b
Opcode Fuzzy Hash: 91c30e4d78b9011aca90690b52e94b58fcbe425795ba3c5325e374fb3f4ca8c3
Instruction Fuzzy Hash: C141E974E0420E9BCB44CFA6C5815AEFBF2BF88350F24D4AAD425B7214D734AA41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05B7A709, Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

#X0b, xrefs: 05B7A76A

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID: #X0b
API String ID: 0-2375456323
Opcode ID: 805f583f14ccddfef43ed08d11034cb6cbe85d1fcfa7214f5af526a635de7f99
Instruction ID: c4371d2216b66d502933d9ea5e81c8e5e4788bd429613b2743323775eaffd740
Opcode Fuzzy Hash: 805f583f14ccddfef43ed08d11034cb6cbe85d1fcfa7214f5af526a635de7f99
Instruction Fuzzy Hash: C3410C74E1420A9FCB44CFA6C5815AEFBF2FF89350F24C5AAC426A7254D7349A41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02731948, Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175d80aad19cf01469fcfde9014964382f1e600bc75625b922c15030cbbd69f6
Instruction ID: a243dcd2ab4cfebbe6c25ab004478376f2477537673205752bbef3a16c70ea57
Opcode Fuzzy Hash: 175d80aad19cf01469fcfde9014964382f1e600bc75625b922c15030cbbd69f6
Instruction Fuzzy Hash: 40F14870E152598FCB14CFA9C980AAEFBF2FF89305F648169D409AB35AD7309941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02731943, Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999a0ce0b68ca022262f0e3758ee6cfbde9b1442abd2468dc845968dc50c9d7c
Instruction ID: 5b5e5a85421ab051511235a88872c10be55df860a8fc97176c7c700f48e778ec
Opcode Fuzzy Hash: 999a0ce0b68ca022262f0e3758ee6cfbde9b1442abd2468dc845968dc50c9d7c
Instruction Fuzzy Hash: 0CF16870E152598FCB14CFA9C980AAEFBF2FF89305F648169D409AB35AD7309941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02731A07, Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 490db78b8d7cbfe47072b90a755dfb3e5eb01470cf6c9ee2a9f15f39f68226a4
Instruction ID: 27accab23b6c15d114b24ffab79a4951ffa1d22b41efce4546050b390af5538f
Opcode Fuzzy Hash: 490db78b8d7cbfe47072b90a755dfb3e5eb01470cf6c9ee2a9f15f39f68226a4
Instruction Fuzzy Hash: 0AF16874E052198FCB10DFA8C980AAEFBF2FF89305F649559E409AB356D730A941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 027398D8, Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d4a18281cc84f0bc8d9790715d81cb237a65603e7143ec24a6224eb9ae35ff
Instruction ID: 6dd01d99ab4849d5db31d995a48b3249b0ee24c11b17814c8ed02d5ada56292b
Opcode Fuzzy Hash: 91d4a18281cc84f0bc8d9790715d81cb237a65603e7143ec24a6224eb9ae35ff
Instruction Fuzzy Hash: E1C18A71701604CFDB2AEB76C460BAAB7E7AFC8704F14446DD246CB292DB75E901CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02731BA7, Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f23bf4b22cf8ea8dfd719fbaee1f7a0a025c0f3c3e4b0dbb04945fb437db5c4
Instruction ID: 2768363c41487c63114a624ad735c5cb6bef3f0c055bc4fcdb30af2f37df479b
Opcode Fuzzy Hash: 9f23bf4b22cf8ea8dfd719fbaee1f7a0a025c0f3c3e4b0dbb04945fb437db5c4
Instruction Fuzzy Hash: D9E16A70E052598FCB14DFA8C980AAEFBF2FF89305F649559D409AB35AD7309942CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0298C3B4, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266626611.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1de8b5dff0b885e837acad76b5243dcad3391b443963287cb31017b521b2284
Instruction ID: cbf0c99a82f4ec04ca99cbb3b60edce5ddbe92625a1d8c60091bfa78e63af332
Opcode Fuzzy Hash: c1de8b5dff0b885e837acad76b5243dcad3391b443963287cb31017b521b2284
Instruction Fuzzy Hash: 88A17D32E00219CFCF19EFB5C8445AEB7B6FF84300B19816AE905AB265EB71A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02735EF0, Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcb5d9eacea7ab7363f52bd6ceaff8098c30a5160d13749a7bb1b0b077069a44
Instruction ID: d1014dbd2c9f03ab809e58ea855a536be0726fa9b46e09e8d28d93f00d8efe6f
Opcode Fuzzy Hash: bcb5d9eacea7ab7363f52bd6ceaff8098c30a5160d13749a7bb1b0b077069a44
Instruction Fuzzy Hash: 1091E5B4E0521A8FCB05CFAAD5819AEFBB2FB89300F60902AD915FB215D7349902CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02735EE3, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 314739d1610c8a1047814a9e2dcf5a1875496b3b88a410af047d7e26fc888c14
Instruction ID: a530bd21850bbde6ba730d840304d57221da56cf4f2851976ca3f8ab45ef7186
Opcode Fuzzy Hash: 314739d1610c8a1047814a9e2dcf5a1875496b3b88a410af047d7e26fc888c14
Instruction Fuzzy Hash: 7B81F5B0E0521ACFCB05CFAAD5819AEBBB2FF89300F20902AD415FB215D7349902CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05B794B8, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71ad2780be9686c12d81a785708defbcfc1d4b1a11d2bf6b9860acf7cbb4aaa9
Instruction ID: 24d722651f92534593ff966d79584903909d62f265f0fcd8f0efdb38bf7b6506
Opcode Fuzzy Hash: 71ad2780be9686c12d81a785708defbcfc1d4b1a11d2bf6b9860acf7cbb4aaa9
Instruction Fuzzy Hash: AB81C074A15219DFCB44CFA9C5849AEFBF2FB88310F24859AE415AB324D334AA42CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05B794B3, Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703d66336c907faa73353322ff4b4bd84ef9eb5dc75a5c6a3896ef76e349ca10
Instruction ID: 975d17e4cc8769b8fc2536a832f9868ae7f4b7d5ee398158f4943589a1782b0c
Opcode Fuzzy Hash: 703d66336c907faa73353322ff4b4bd84ef9eb5dc75a5c6a3896ef76e349ca10
Instruction Fuzzy Hash: 0C81C074A15219DFCB44CFA9C5849AEFBF2FF88210F2485AAE415AB314D334AA42CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02736298, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 103cdcd5f46c335f05ebfaab8fcd32e51d9367cdb540b9e975cac2357cffb423
Instruction ID: 902143598b72b342bd397d0f08524911d246a0e45f8766ccdd25d723aca33418
Opcode Fuzzy Hash: 103cdcd5f46c335f05ebfaab8fcd32e51d9367cdb540b9e975cac2357cffb423
Instruction Fuzzy Hash: 456139B1E04629CBDB29CF66C84479DFBB6AFC9300F10D5AAD409B6215EB308A81CF04

Uniqueness

Uniqueness Score: -1.00%

Function 02736289, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0da4b4ead0134f187fc5226af077f461d78d754e8ac42ddefbdb77012a56e0
Instruction ID: 6a41d7e8308be247144e7afdd2ff032fbafc3d0cc201312c74b979be46746b16
Opcode Fuzzy Hash: 6c0da4b4ead0134f187fc5226af077f461d78d754e8ac42ddefbdb77012a56e0
Instruction Fuzzy Hash: 626117B1E046298BDB29CF66C84479DFBB3BFC9300F14D5AAD419B6215EB308A81CF04

Uniqueness

Uniqueness Score: -1.00%

Function 05B7A370, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ae951e118aa4aee03a8761dbfb52298edba69d52b655404a53b55133e6187d6
Instruction ID: 9341d81490fe56f1ac05b9305c2a9f4041027d337ec6cd20be7498d1b22c1499
Opcode Fuzzy Hash: 4ae951e118aa4aee03a8761dbfb52298edba69d52b655404a53b55133e6187d6
Instruction Fuzzy Hash: 8C6104B4E4420EDBCB54CFA9D4809AEFBB2FF49300F20855AD525B7354D734AA428F95

Uniqueness

Uniqueness Score: -1.00%

Function 05B7A36B, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c7f30ee6b08fc5275b5c2941145fc669a5bc2f163fb56ee6eb9ffe54c63e15
Instruction ID: 87154f3eb9b48ff5a1414e3c18eb10f7173f0ede7aad748681220372b8b7898d
Opcode Fuzzy Hash: 69c7f30ee6b08fc5275b5c2941145fc669a5bc2f163fb56ee6eb9ffe54c63e15
Instruction Fuzzy Hash: 7B510774E4420EDFCB44CFA9D4819AEFBB2FF88300F24856AD525A7354D734A6428F91

Uniqueness

Uniqueness Score: -1.00%

Function 02736476, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3619553c1c1488d3947360f227540daa3d8ef98beacb137680621d2591b7d9d2
Instruction ID: 159b5a6724178823eda69f37c6c84fc92a7b52d59d5ff9567243caea0dbf3247
Opcode Fuzzy Hash: 3619553c1c1488d3947360f227540daa3d8ef98beacb137680621d2591b7d9d2
Instruction Fuzzy Hash: 9D5118B1E5422ACADB25CF56C84479DF7B6FB99300F10D6EAD41AB2215E7309AC1CF44

Uniqueness

Uniqueness Score: -1.00%

Function 05B7ADC8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c66e81dd6ce6eac75cc520bc56031ddd557cc4f2efd38fb9210d36178c45d73
Instruction ID: b449c75895a427b1e092476f858bce54f8a55d469a607d4e2fd24b4a5cb2da18
Opcode Fuzzy Hash: 7c66e81dd6ce6eac75cc520bc56031ddd557cc4f2efd38fb9210d36178c45d73
Instruction Fuzzy Hash: 1B11EF71E146189BEB1CCFABD84069EFAF7BFCC200F14C17AD918A6258EB3415458F51

Uniqueness

Uniqueness Score: -1.00%

Function 02739E17, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783b7ed70c76dd36a9db351db95230531dfef66b7b1ce7ece4d8104462c34f40
Instruction ID: 68e4a93c01b3fa49827e6a4620f2d25014ff7c4602350ef5b4398947f77c62ad
Opcode Fuzzy Hash: 783b7ed70c76dd36a9db351db95230531dfef66b7b1ce7ece4d8104462c34f40
Instruction Fuzzy Hash: 0C11CE72C44268CFCB129FA4C558BFEBBF1AB0E300F14546AD141B3292C7B88944CF68

Uniqueness

Uniqueness Score: -1.00%

Function 02739E20, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266469091.0000000002730000.00000040.00000001.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74872d2a10b43d0ace1f0baa1858cc2fd4a5a09f1acb1b703003ca7a9850cf0
Instruction ID: 56e40a7d10a674da48d7c16db137908f270b8423d64f81162effdf64b0e6d6f3
Opcode Fuzzy Hash: c74872d2a10b43d0ace1f0baa1858cc2fd4a5a09f1acb1b703003ca7a9850cf0
Instruction Fuzzy Hash: 61117C32D45258CBDB15CFA5C518BEEBBF1AB4D300F14946AD505B32A1CBB88944CF68

Uniqueness

Uniqueness Score: -1.00%

Function 05B7ADC3, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270908087.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875125f8e34b734fc824bd24eddb257d8001bb40d1b24247bca69751f5403c92
Instruction ID: 1cc7e4bfb9fe5b0361b6796ca1ef113e77fd17580046cbbb858c4299c16ad471
Opcode Fuzzy Hash: 875125f8e34b734fc824bd24eddb257d8001bb40d1b24247bca69751f5403c92
Instruction Fuzzy Hash: F411DD71E106189BEB5CCFABD84469FFAF3BFC8200F18C17AD818A6268EB3415418F55

Uniqueness

Uniqueness Score: -1.00%

Function 0298B2D8, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266626611.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab5376855b79e5b13a8f0e30e43394ee8c7bca3760c247cb77bd0926d17973b
Instruction ID: 74b899adea0e647363f97b5a967eb48d02946ec1df309584d3bc27ac69d6f071
Opcode Fuzzy Hash: 3ab5376855b79e5b13a8f0e30e43394ee8c7bca3760c247cb77bd0926d17973b
Instruction Fuzzy Hash: A4D080B20541D15BEB010BBCCE122583D549F0169DF1D05D6E280CD0F6F799C0D55213

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: TT COPY pdf.exe PID: 6240 Parent PID: 5640 TT COPY pdf.exeCOMMON

Executed Functions

Function 02E5B6C0, Relevance: 6.1, APIs: 4, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02E5B730
GetCurrentThread.KERNEL32 ref: 02E5B76D
GetCurrentProcess.KERNEL32 ref: 02E5B7AA
GetCurrentThreadId.KERNEL32 ref: 02E5B803

Memory Dump Source

Source File: 00000007.00000002.518150536.0000000002E50000.00000040.00000001.sdmp, Offset: 02E50000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 54caed48fcdc9da47f006f1a6f7809d2bae0c9e2bf05ce246c6f59f08e02e754
Instruction ID: 01f063c31d86e1ab31318bf41953a45879b2ffd89e2e0c1a93a28ad8a2c8e1ee
Opcode Fuzzy Hash: 54caed48fcdc9da47f006f1a6f7809d2bae0c9e2bf05ce246c6f59f08e02e754
Instruction Fuzzy Hash: 245154B0E006898FDB10CFAAD589B9EBBF0EF48308F24C569E419A7354D7749884CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02E5B6D0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02E5B730
GetCurrentThread.KERNEL32 ref: 02E5B76D
GetCurrentProcess.KERNEL32 ref: 02E5B7AA
GetCurrentThreadId.KERNEL32 ref: 02E5B803

Memory Dump Source

Source File: 00000007.00000002.518150536.0000000002E50000.00000040.00000001.sdmp, Offset: 02E50000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a9120ba05125d6940ef128671b57dfface9e81141f17ceb30208f93238cd12f7
Instruction ID: ca6e1a97d0395482759f760b924e63e4742e06833e33f832ac9b5fe0c15e8f3c
Opcode Fuzzy Hash: a9120ba05125d6940ef128671b57dfface9e81141f17ceb30208f93238cd12f7
Instruction Fuzzy Hash: B45154B0E006898FDB10CFAAD548B9EBBF0AF48308F24C569E419B7354C7745888CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02E593E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02E5962E

Memory Dump Source

Source File: 00000007.00000002.518150536.0000000002E50000.00000040.00000001.sdmp, Offset: 02E50000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8b14620866da1fda618fa7082d0badf6379d5006c98a084001621a6c13c69881
Instruction ID: ee96e36afb58bfbf0bd1ea7425555f32033146020af54b544e07c3688c222e2c
Opcode Fuzzy Hash: 8b14620866da1fda618fa7082d0badf6379d5006c98a084001621a6c13c69881
Instruction Fuzzy Hash: 16713770A10B158FD724DF29D48579ABBF5FF88208F00892DD98AD7A40DB75E849CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02E5FB81, Relevance: 1.6, APIs: 1, Instructions: 122COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E5FD0A

Memory Dump Source

Source File: 00000007.00000002.518150536.0000000002E50000.00000040.00000001.sdmp, Offset: 02E50000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: bfaa8bc541847eba1786d38a1554bcdd4c719209bbd0192c4abcd9f10153d5c0
Instruction ID: 2eddf4d00e0ebf3e9b2df1f893fdd980ec9489d9175832ac0933045e5bc09d64
Opcode Fuzzy Hash: bfaa8bc541847eba1786d38a1554bcdd4c719209bbd0192c4abcd9f10153d5c0
Instruction Fuzzy Hash: 9951FEB1D103189FDF14CFA9D884ADEBBB1BF49314F24812AE819AB210D7709985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E5FBF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E5FD0A

Memory Dump Source

Source File: 00000007.00000002.518150536.0000000002E50000.00000040.00000001.sdmp, Offset: 02E50000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2393fb8957acefc49d808b63f70db944567b790b632c90ad05dfb2c8f3cec9d9
Instruction ID: f9a31be27d7ae341a44c821d2d4c21bffb08c740f1ba6149733ad8707ce8e23f
Opcode Fuzzy Hash: 2393fb8957acefc49d808b63f70db944567b790b632c90ad05dfb2c8f3cec9d9
Instruction Fuzzy Hash: 8F41EFB1D10318AFDF14CF99D884ADEBBB5BF89314F24812AE819AB210D7709985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E5BCF9, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E5BD87

Memory Dump Source

Source File: 00000007.00000002.518150536.0000000002E50000.00000040.00000001.sdmp, Offset: 02E50000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fbd32c41c285f77011e9680d52f9f1c02506a571d192d83600ad9eca51d86c29
Instruction ID: 87a7f0e33d0c99509277b1cd3a67b278a4ca0390f196341ed67efe315a12dd07
Opcode Fuzzy Hash: fbd32c41c285f77011e9680d52f9f1c02506a571d192d83600ad9eca51d86c29
Instruction Fuzzy Hash: 8321E3B5900258AFDB10CFA9D984AEEBFF8EB48324F14841AE954A3310D374A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E5BD00, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E5BD87

Memory Dump Source

Source File: 00000007.00000002.518150536.0000000002E50000.00000040.00000001.sdmp, Offset: 02E50000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fcc7606f15520b87c4cf9007faff6d46d49f0ccf8e3adcf0cdae10214206d007
Instruction ID: fb751e6d32a4fd8688bc3bdcb375fa81160e0e2f1880f5e269d450545fdeb673
Opcode Fuzzy Hash: fcc7606f15520b87c4cf9007faff6d46d49f0ccf8e3adcf0cdae10214206d007
Instruction Fuzzy Hash: BF21C4B5D002589FDB10CF99D584ADEBBF4EB48324F14841AE954A7310D374A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E58768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E596A9,00000800,00000000,00000000), ref: 02E598BA

Memory Dump Source

Source File: 00000007.00000002.518150536.0000000002E50000.00000040.00000001.sdmp, Offset: 02E50000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 497e319125061b44c1d57bbb029424c5ad17a31163a2f355e1c8a90fb1312321
Instruction ID: 916a7f1753b6b0d4636ab1f28b0e7e3a5070d937b6fd61075ea1c4e5d0782f9d
Opcode Fuzzy Hash: 497e319125061b44c1d57bbb029424c5ad17a31163a2f355e1c8a90fb1312321
Instruction Fuzzy Hash: E911FFB6D002599FDB10CF9AD444BDEBBF4EB88324F04842AE919A7600C378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02E59849, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E596A9,00000800,00000000,00000000), ref: 02E598BA

Memory Dump Source

Source File: 00000007.00000002.518150536.0000000002E50000.00000040.00000001.sdmp, Offset: 02E50000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dc3712d5333d6c52f37551453cb30335b7122ebc7034b8d98f6b3a4ed8c9dc1a
Instruction ID: e6ae2b0713f227001d1f294042c153962dbd47a6ea1b03c55c56006390576f60
Opcode Fuzzy Hash: dc3712d5333d6c52f37551453cb30335b7122ebc7034b8d98f6b3a4ed8c9dc1a
Instruction Fuzzy Hash: A511D0B6D006599FDB10CF9AD444BDEFBF4AB88324F15842AE819A7600C378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02E595C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02E5962E

Memory Dump Source

Source File: 00000007.00000002.518150536.0000000002E50000.00000040.00000001.sdmp, Offset: 02E50000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6701b93e37675c17154bd128cdd8a181a1556ee3a3733c506fea16f5d6185745
Instruction ID: b57c3d03cf6d87a8a3e2289b3ead3b1333201b33a5fe6d715f26e4e5e44de15b
Opcode Fuzzy Hash: 6701b93e37675c17154bd128cdd8a181a1556ee3a3733c506fea16f5d6185745
Instruction Fuzzy Hash: 1E11E0B5D006998FCB10CF9AD444BDEFBF4AF88228F15841AD829A7610D3B4A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E5FE38, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02E5FE9D

Memory Dump Source

Source File: 00000007.00000002.518150536.0000000002E50000.00000040.00000001.sdmp, Offset: 02E50000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: c27578da7bfaba0da8007ddfa4e07d5e15b682e35115ee74553b4e96a1620e8a
Instruction ID: c0eebf3879153221c735cb0b5d98d1adb9229926ef1e3f4e478bf41674bbd217
Opcode Fuzzy Hash: c27578da7bfaba0da8007ddfa4e07d5e15b682e35115ee74553b4e96a1620e8a
Instruction Fuzzy Hash: 5C11FEB59006589FDB10CF99D589BDEBBF8EB49324F14841AE858A7700C374AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E5FE40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02E5FE9D

Memory Dump Source

Source File: 00000007.00000002.518150536.0000000002E50000.00000040.00000001.sdmp, Offset: 02E50000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: e071495574df71363391b2e68bd7aa01cb1e078281827c3106565a3e3992c99a
Instruction ID: fc2910583cf6d48bf6b4c5a8aea5572c59680f7697a49255097320c989d7fd5e
Opcode Fuzzy Hash: e071495574df71363391b2e68bd7aa01cb1e078281827c3106565a3e3992c99a
Instruction Fuzzy Hash: 091112B59002489FDB10CF99D585BDFFBF8EB48324F10841AE818A7700C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0116D3B4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.517663932.000000000116D000.00000040.00000001.sdmp, Offset: 0116D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 990c813181f8ec992b30896b945f9b2ebce96370c55693c8dfc597387cd6732b
Instruction ID: ddc28d0d978fffeae296e19499ae0c7b951b5078332872b23f66e61e86196e94
Opcode Fuzzy Hash: 990c813181f8ec992b30896b945f9b2ebce96370c55693c8dfc597387cd6732b
Instruction Fuzzy Hash: 682136B1604244DFDF09CF54E8C0B6ABB69FB88324F25C569E9454B606C337E866C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0116D4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.517663932.000000000116D000.00000040.00000001.sdmp, Offset: 0116D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed2769886206215d30005cd880c71eafe228da9425102080107055649774d30
Instruction ID: 56f053e2b51df2c05e86a4cfbdcf4dd512fa3acae1dc17a2921711dc90d4cc99
Opcode Fuzzy Hash: 1ed2769886206215d30005cd880c71eafe228da9425102080107055649774d30
Instruction Fuzzy Hash: C52136B1604244DFDF19CF44E8C0B6ABF79FB88328F258569E9454A606C336D825C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0117D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.517682404.000000000117D000.00000040.00000001.sdmp, Offset: 0117D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7928b3d2180c1fcc071c8660b06701bbff3a39b87ea6ac1232abae725017f4
Instruction ID: 90bf22a05c605c8f5e2deefe527d5ffe9dba94e6fbc769db761bf392f98c8c50
Opcode Fuzzy Hash: df7928b3d2180c1fcc071c8660b06701bbff3a39b87ea6ac1232abae725017f4
Instruction Fuzzy Hash: 5D2103B1504248DFDF1ADF54E8C0B1ABB71EF88354F24C669D9094B346C336D846CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0117D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.517682404.000000000117D000.00000040.00000001.sdmp, Offset: 0117D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e4f306d7b8ff7fd52a5c355c4d8da6d3a06cbce92852868b53f70521677e969
Instruction ID: fa0aa7faef7be13a5f90044ca3304ec6442b37543cccc3f4a7f4118f472294ae
Opcode Fuzzy Hash: 5e4f306d7b8ff7fd52a5c355c4d8da6d3a06cbce92852868b53f70521677e969
Instruction Fuzzy Hash: 5C21CF755083848FCB07CF24D990B15BF71EF46214F28C1EAC8488B2A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0116D49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.517663932.000000000116D000.00000040.00000001.sdmp, Offset: 0116D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6ced9d0c9f6690be594cbf568882f55a05229423d0602ee79acece9868a76a
Instruction ID: 9f49d9842f629568606fcd91431599f5467e8004c43b7642cb3f83412f7a4ac7
Opcode Fuzzy Hash: 8c6ced9d0c9f6690be594cbf568882f55a05229423d0602ee79acece9868a76a
Instruction Fuzzy Hash: E511DF72904280CFDF16CF44E5C0B16BF71FB84324F2482A9D8454B617C33AD46ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0116D3AF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.517663932.000000000116D000.00000040.00000001.sdmp, Offset: 0116D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6ced9d0c9f6690be594cbf568882f55a05229423d0602ee79acece9868a76a
Instruction ID: f2b5cad7492ea497050319d02af8700b6337beba555a395d819c7182edff5b48
Opcode Fuzzy Hash: 8c6ced9d0c9f6690be594cbf568882f55a05229423d0602ee79acece9868a76a
Instruction Fuzzy Hash: 4511AF76904280CFDF16CF54E5C4B56BF71FB84324F24C6A9D8450BA56C33AE86ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report TT COPY pdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets