

Analysis Report fixxing.exe

Overview

General Information

Sample Name: fixxing.exe
Analysis ID: 403128
MD5: 0d50c8e7c3f044099056bfb318f108c6
SHA1: 538871e91c9cac38af31bd09fe456843d841f586
SHA256: 91f6fc2ae99e090dad56e53c7bf258dd4f43df79ac02a11f2620c31f045fc87f
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • fixxing.exe (PID: 5808 cmdline: 'C:\Users\user\Desktop\fixxing.exe' MD5: 0D50C8E7C3F044099056BFB318F108C6)
    • schtasks.exe (PID: 4736 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xQGPeospVmcjdT' /XML 'C:\Users\user\AppData\Local\Temp\tmp86B5.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • fixxing.exe (PID: 4700 cmdline: C:\Users\user\Desktop\fixxing.exe MD5: 0D50C8E7C3F044099056BFB318F108C6)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "cbea22e5-f897-4039-a352-cfbfd96f", "Group": "chase1", "Domain1": "45.137.22.50", "Domain2": "127.0.0.1", "Port": 4557, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
  • 0x4bbb:$x1: NanoCore.ClientPluginHost
  • 0x4be5:$x2: IClientNetworkHost
Source: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0x4bbb:$x2: NanoCore.ClientPluginHost
  • 0x6a6b:$s4: PipeCreated
Source: 00000005.00000002.488981996.0000000005310000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 00000005.00000002.488981996.0000000005310000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
Source: 00000005.00000002.486030987.00000000037A9000.00000004.00000001.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
(first 5 of 22 entries shown)

Unpacked PEs

Source: 5.3.fixxing.exe.43962f5.0.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
  • 0x605:$x1: NanoCore.ClientPluginHost
  • 0x3bd6:$x1: NanoCore.ClientPluginHost
  • 0x63e:$x2: IClientNetworkHost
Source: 5.3.fixxing.exe.43962f5.0.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0x605:$x2: NanoCore.ClientPluginHost
  • 0x3bd6:$x2: NanoCore.ClientPluginHost
  • 0x720:$s4: PipeCreated
  • 0x3cb4:$s4: PipeCreated
  • 0x61f:$s5: IClientLoggingHost
  • 0x3bf0:$s5: IClientLoggingHost
Source: 5.2.fixxing.exe.42c3717.12.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
  • 0x1deb:$x1: NanoCore.ClientPluginHost
  • 0x1e24:$x2: IClientNetworkHost
Source: 5.2.fixxing.exe.42c3717.12.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0x1deb:$x2: NanoCore.ClientPluginHost
  • 0x1f36:$s4: PipeCreated
  • 0x1e05:$s5: IClientLoggingHost
Source: 5.2.fixxing.exe.27d47cc.5.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
  • 0x2dbb:$x1: NanoCore.ClientPluginHost
  • 0x2de5:$x2: IClientNetworkHost
(first 5 of 91 entries shown)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\fixxing.exe, ProcessId: 4700, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xQGPeospVmcjdT' /XML 'C:\Users\user\AppData\Local\Temp\tmp86B5.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xQGPeospVmcjdT' /XML 'C:\Users\user\AppData\Local\Temp\tmp86B5.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\fixxing.exe', ParentImage: C:\Users\user\Desktop\fixxing.exe, ParentProcessId: 5808, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xQGPeospVmcjdT' /XML 'C:\Users\user\AppData\Local\Temp\tmp86B5.tmp', ProcessId: 4736

Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.486030987.00000000037A9000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "cbea22e5-f897-4039-a352-cfbfd96f", "Group": "chase1", "Domain1": "45.137.22.50", "Domain2": "127.0.0.1", "Port": 4557, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe, Metadefender: Detection: 15%
Source: C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe, ReversingLabs: Detection: 59%
Multi AV Scanner detection for submitted file
Source: fixxing.exe, Virustotal: Detection: 32%
Source: fixxing.exe, Metadefender: Detection: 15%
Source: fixxing.exe, ReversingLabs: Detection: 59%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000005.00000002.486030987.00000000037A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.489178214.0000000005A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.479168192.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.487530331.0000000004352000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.481816000.0000000002751000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.225554713.00000000038E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: fixxing.exe PID: 4700, type: MEMORY
Source: Yara match, File source: 5.2.fixxing.exe.5a50000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.fixxing.exe.39f4dc8.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.fixxing.exe.37b8a20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.fixxing.exe.5a54629.21.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.fixxing.exe.4352a0a.14.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.fixxing.exe.37b8a20.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.fixxing.exe.4357840.16.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.fixxing.exe.5a50000.20.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.fixxing.exe.39f4dc8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.fixxing.exe.435be69.15.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.fixxing.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.fixxing.exe.4357840.16.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.fixxing.exe.37bd049.6.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: fixxing.exe, Joe Sandbox ML: detected
Source: 5.2.fixxing.exe.37b8a20.7.unpack, Avira: Label: TR/NanoCore.fadte
Source: 5.2.fixxing.exe.5a50000.20.unpack, Avira: Label: TR/NanoCore.fadte
Source: 5.2.fixxing.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: fixxing.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: fixxing.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: fixxing.exe, 00000005.00000002.481888361.00000000027BD000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49724 -> 45.137.22.50:4557
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49727 -> 45.137.22.50:4557
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49728 -> 45.137.22.50:4557
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49732 -> 45.137.22.50:4557
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49735 -> 45.137.22.50:4557
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49736 -> 45.137.22.50:4557
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49737 -> 45.137.22.50:4557
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49741 -> 45.137.22.50:4557
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49742 -> 45.137.22.50:4557
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49748 -> 45.137.22.50:4557
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49750 -> 45.137.22.50:4557
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49751 -> 45.137.22.50:4557
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49752 -> 45.137.22.50:4557
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49753 -> 45.137.22.50:4557
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49756 -> 45.137.22.50:4557
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49757 -> 45.137.22.50:4557
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49758 -> 45.137.22.50:4557
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49759 -> 45.137.22.50:4557
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49761 -> 45.137.22.50:4557
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49762 -> 45.137.22.50:4557
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: 45.137.22.50
Source: Malware configuration extractor, URLs: 127.0.0.1
Source: global traffic, TCP traffic: 192.168.2.3:49724 -> 45.137.22.50:4557
Source: Joe Sandbox View, IP Address: 45.137.22.50
Source: Joe Sandbox View, ASN Name: ROOTLAYERNETNL
Source: unknown, TCP traffic detected without corresponding DNS query: 45.137.22.50 (reported 50 times)
Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp, String found in binary or memory: http://google.com
Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: fixxing.exe, String found in binary or memory: https://admin.neonova.net/index.php
Source: fixxing.exe, String found in binary or memory: https://admin.neonova.net/index.phpKhttps://support.neonova.net/login.phpmhttps://calix.force.com/id
Source: fixxing.exe, String found in binary or memory: https://calix.force.com/idp/login?app=0sp70000000001i#
Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp, String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: fixxing.exe, String found in binary or memory: https://support.bandwidth.com/hc/en-us/restricted?return_to=https%3A%2F%2Fsupport.bandwidth.com%2Fhc
Source: fixxing.exe, String found in binary or memory: https://support.neonova.net/login.php
Source: fixxing.exe, String found in binary or memory: https://www.rtctel.com/
Source: fixxing.exe, 00000005.00000002.486030987.00000000037A9000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: 00000005.00000002.486030987.00000000037A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.489178214.0000000005A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.479168192.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.487530331.0000000004352000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.481816000.0000000002751000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.225554713.00000000038E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: fixxing.exe PID: 4700, type: MEMORY
Source: Yara match, File source: 5.2.fixxing.exe.5a50000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.fixxing.exe.39f4dc8.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.fixxing.exe.37b8a20.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.fixxing.exe.5a54629.21.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.fixxing.exe.4352a0a.14.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.fixxing.exe.37b8a20.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.fixxing.exe.4357840.16.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.fixxing.exe.5a50000.20.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.fixxing.exe.39f4dc8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.fixxing.exe.435be69.15.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.fixxing.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.fixxing.exe.4357840.16.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.fixxing.exe.37bd049.6.raw.unpack, type: UNPACKEDPE

    System Summary:

    barindex
    Malicious sample detected (through community Yara rule)Show sources
    Source: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.488981996.0000000005310000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.489178214.0000000005A50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000005.00000002.479168192.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.479168192.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000005.00000002.487530331.0000000004352000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000005.00000002.487434335.0000000004267000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000005.00000002.489813017.0000000006430000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.481888361.00000000027BD000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000000.00000002.225554713.00000000038E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000000.00000002.225554713.00000000038E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: fixxing.exe PID: 4700, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: fixxing.exe PID: 4700, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.3.fixxing.exe.43962f5.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.42c3717.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.27d47cc.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.42cc546.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.3.fixxing.exe.437c29e.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.277cec4.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.42da976.13.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.5a50000.20.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.5310000.18.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.fixxing.exe.39f4dc8.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.fixxing.exe.39f4dc8.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.fixxing.exe.37b8a20.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.5f50000.23.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.27e0a14.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.4163104.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.5f50000.23.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.5a54629.21.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.4163104.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.4352a0a.14.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.4352a0a.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.fixxing.exe.6430000.24.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.42c3717.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.42c3717.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.fixxing.exe.37b8a20.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.4357840.16.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.42da976.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.4171520.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.27d47cc.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.27d47cc.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.fixxing.exe.5a50000.20.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.4171520.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.fixxing.exe.39f4dc8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.fixxing.exe.39f4dc8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.fixxing.exe.435be69.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.fixxing.exe.27f5050.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.27f5050.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.fixxing.exe.41761bf.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.4357840.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.37bd049.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.6430000.24.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.42cc546.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.27e0a14.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.27e0a14.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.3.fixxing.exe.43908c9.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.3.fixxing.exe.43962f5.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.3.fixxing.exe.437c29e.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 0_2_005133FA
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 0_2_027B9970
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 0_2_04F1C988
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 0_2_005137CA
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 0_2_0051379E
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 5_2_004533FA
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 5_2_05F502B0
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 5_2_04CDE480
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 5_2_04CDE471
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 5_2_04CDBBD4
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 5_2_004537CA
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 5_2_0045379E
    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe 91F6FC2AE99E090DAD56E53C7BF258DD4F43DF79AC02A11F2620C31F045FC87F
    Source: fixxing.exe, 00000000.00000002.226009182.0000000003AAA000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs fixxing.exe
    Source: fixxing.exe, 00000000.00000002.230620128.000000000B820000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs fixxing.exe
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs fixxing.exe
    Source: fixxing.exe, 00000000.00000002.223906091.00000000005B4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDebugger.exe: vs fixxing.exe
    Source: fixxing.exe, 00000000.00000002.230849145.000000000B910000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs fixxing.exe
    Source: fixxing.exe, 00000000.00000002.230849145.000000000B910000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs fixxing.exe
    Source: fixxing.exe | Binary or memory string: OriginalFilename vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.489442157.0000000005CC0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.487279743.000000000415F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.487279743.000000000415F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.487279743.000000000415F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.487279743.000000000415F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.486030987.00000000037A9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs fixxing.exe
    Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs fixxing.exe
    Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs fixxing.exe
    Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs fixxing.exe
    Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.487530331.0000000004352000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.489057068.0000000005960000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.479712416.00000000004F4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDebugger.exe: vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.488685995.0000000004DF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.481888361.00000000027BD000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs fixxing.exe
    Source: fixxing.exe | Binary or memory string: OriginalFilenameDebugger.exe: vs fixxing.exe
    Source: fixxing.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000005.00000002.488981996.0000000005310000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.488981996.0000000005310000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000005.00000002.489178214.0000000005A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.489178214.0000000005A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.479168192.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.479168192.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.487530331.0000000004352000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.487434335.0000000004267000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.489813017.0000000006430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.489813017.0000000006430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000005.00000002.481888361.00000000027BD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.225554713.00000000038E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.225554713.00000000038E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: fixxing.exe PID: 4700, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: fixxing.exe PID: 4700, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.3.fixxing.exe.43962f5.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.3.fixxing.exe.43962f5.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.42c3717.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.42c3717.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.27d47cc.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.27d47cc.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.42cc546.11.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.42cc546.11.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.3.fixxing.exe.437c29e.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.3.fixxing.exe.437c29e.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.277cec4.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.277cec4.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.42da976.13.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.42da976.13.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.5a50000.20.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.5a50000.20.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.5310000.18.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.5310000.18.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.fixxing.exe.39f4dc8.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.fixxing.exe.39f4dc8.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.fixxing.exe.39f4dc8.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.fixxing.exe.37b8a20.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.37b8a20.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.5f50000.23.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.5f50000.23.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.27e0a14.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.27e0a14.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.4163104.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.4163104.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.5f50000.23.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.5f50000.23.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.5a54629.21.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.5a54629.21.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.4163104.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.4163104.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.4352a0a.14.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.4352a0a.14.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.4352a0a.14.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.fixxing.exe.6430000.24.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.6430000.24.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.42c3717.12.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.42c3717.12.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.42c3717.12.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.fixxing.exe.37b8a20.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.37b8a20.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.4357840.16.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.4357840.16.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.42da976.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.42da976.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.4171520.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.4171520.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.27d47cc.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.27d47cc.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.fixxing.exe.5a50000.20.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.5a50000.20.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.4171520.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.4171520.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.fixxing.exe.39f4dc8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.fixxing.exe.39f4dc8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.fixxing.exe.39f4dc8.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.fixxing.exe.435be69.15.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.435be69.15.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.fixxing.exe.27f5050.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.27f5050.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.fixxing.exe.41761bf.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.41761bf.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.4357840.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.4357840.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.37bd049.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.37bd049.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.6430000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.6430000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.42cc546.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.42cc546.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.27e0a14.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.27e0a14.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.3.fixxing.exe.43908c9.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.3.fixxing.exe.43962f5.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.3.fixxing.exe.437c29e.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: fixxing.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: xQGPeospVmcjdT.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: 5.2.fixxing.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 5.2.fixxing.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
    Source: 5.2.fixxing.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
    Source: classification engineClassification label: mal100.troj.evad.winEXE@6/8@0/1
    Source: C:\Users\user\Desktop\fixxing.exeFile created: C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exeJump to behavior
    Source: C:\Users\user\Desktop\fixxing.exeMutant created: \Sessions\1\BaseNamedObjects\CbvNEC
    Source: C:\Users\user\Desktop\fixxing.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{cbea22e5-f897-4039-a352-cfbfd96fa986}
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3412:120:WilError_01
    Source: C:\Users\user\Desktop\fixxing.exeFile created: C:\Users\user\AppData\Local\Temp\tmp86B5.tmpJump to behavior
    Source: fixxing.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\fixxing.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
    Source: C:\Users\user\Desktop\fixxing.exe File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Users\user\Desktop\fixxing.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
    Source: fixxing.exe Virustotal: Detection: 32%
    Source: fixxing.exe Metadefender: Detection: 15%
    Source: fixxing.exe ReversingLabs: Detection: 59%
    Source: C:\Users\user\Desktop\fixxing.exe File read: C:\Users\user\Desktop\fixxing.exe
    Source: unknown Process created: C:\Users\user\Desktop\fixxing.exe 'C:\Users\user\Desktop\fixxing.exe'
    Source: C:\Users\user\Desktop\fixxing.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xQGPeospVmcjdT' /XML 'C:\Users\user\AppData\Local\Temp\tmp86B5.tmp'
    Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\fixxing.exe Process created: C:\Users\user\Desktop\fixxing.exe C:\Users\user\Desktop\fixxing.exe
    Source: C:\Users\user\Desktop\fixxing.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xQGPeospVmcjdT' /XML 'C:\Users\user\AppData\Local\Temp\tmp86B5.tmp'
    Source: C:\Users\user\Desktop\fixxing.exe Process created: C:\Users\user\Desktop\fixxing.exe C:\Users\user\Desktop\fixxing.exe
    Source: C:\Users\user\Desktop\fixxing.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
    Source: C:\Users\user\Desktop\fixxing.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: fixxing.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: fixxing.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: fixxing.exe, 00000005.00000002.481888361.00000000027BD000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp

    Data Obfuscation:

    .NET source code contains potential unpacker
    Source: 5.2.fixxing.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 5.2.fixxing.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003du003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: C:\Users\user\Desktop\fixxing.exe Code function: 5_2_04CDE349 pushad ; iretd 5_2_04CDE356
    Source: initial sample Static PE information: section name: .text entropy: 7.76210474352
    Source: 5.2.fixxing.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 5.2.fixxing.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: C:\Users\user\Desktop\fixxing.exe File created: C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe

    Boot Survival:

    Uses schtasks.exe or at.exe to add and modify task schedules
    Source: C:\Users\user\Desktop\fixxing.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xQGPeospVmcjdT' /XML 'C:\Users\user\AppData\Local\Temp\tmp86B5.tmp'

    Hooking and other Techniques for Hiding and Protection:

    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Source: C:\Users\user\Desktop\fixxing.exe File opened: C:\Users\user\Desktop\fixxing.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\fixxing.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
    Source: C:\Users\user\Desktop\fixxing.exe Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Yara detected AntiVM3
    Source: Yara match File source: 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match File source: Process Memory Space: fixxing.exe PID: 5808, type: MEMORY
    Source: Yara match File source: 0.2.fixxing.exe.290f5a0.1.raw.unpack, type: UNPACKEDPE
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
    Source: C:\Users\user\Desktop\fixxing.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: C:\Users\user\Desktop\fixxing.exe Code function: 0_2_005136B3 sldt word ptr [eax] 0_2_005136B3
    Source: C:\Users\user\Desktop\fixxing.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\fixxing.exe Window / User API: threadDelayed 6193
    Source: C:\Users\user\Desktop\fixxing.exe Window / User API: threadDelayed 2951
    Source: C:\Users\user\Desktop\fixxing.exe Window / User API: foregroundWindowGot 616
    Source: C:\Users\user\Desktop\fixxing.exe Window / User API: foregroundWindowGot 815
    Source: C:\Users\user\Desktop\fixxing.exe TID: 5936 Thread sleep time: -104719s >= -30000s
    Source: C:\Users\user\Desktop\fixxing.exe TID: 6000 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\fixxing.exe TID: 4084 Thread sleep time: -8301034833169293s >= -30000s
    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
    Source: C:\Users\user\Desktop\fixxing.exe Thread delayed: delay time: 104719
    Source: C:\Users\user\Desktop\fixxing.exe Thread delayed: delay time: 922337203685477
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp Binary or memory string: vmware
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp Binary or memory string: VMWARE
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
    Source: C:\Users\user\Desktop\fixxing.exe Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\fixxing.exe Process token adjusted: Debug
    Source: C:\Users\user\Desktop\fixxing.exe Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion:

    Injects a PE file into a foreign processesShow sources
    Source: C:\Users\user\Desktop\fixxing.exe | Memory written: C:\Users\user\Desktop\fixxing.exe base: 400000 value starts with: 4D5A
    Source: C:\Users\user\Desktop\fixxing.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xQGPeospVmcjdT' /XML 'C:\Users\user\AppData\Local\Temp\tmp86B5.tmp'
    Source: C:\Users\user\Desktop\fixxing.exe | Process created: C:\Users\user\Desktop\fixxing.exe C:\Users\user\Desktop\fixxing.exe
    Source: fixxing.exe, 00000005.00000002.484267646.0000000002B47000.00000004.00000001.sdmp | Binary or memory string: Program Manager
    Source: fixxing.exe, 00000005.00000002.481635543.0000000001200000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
    Source: fixxing.exe, 00000005.00000002.481635543.0000000001200000.00000002.00000001.sdmp | Binary or memory string: Progman
    Source: fixxing.exe, 00000005.00000002.489255636.0000000005BBC000.00000004.00000001.sdmp | Binary or memory string: Program Managerram Manager
    Source: fixxing.exe, 00000005.00000002.484267646.0000000002B47000.00000004.00000001.sdmp | Binary or memory string: Program Manager|$
    Source: fixxing.exe, 00000005.00000002.481635543.0000000001200000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
    Source: fixxing.exe, 00000005.00000002.485646851.0000000002D36000.00000004.00000001.sdmp | Binary or memory string: Program ManagerF8
    Source: fixxing.exe, 00000005.00000002.481888361.00000000027BD000.00000004.00000001.sdmp | Binary or memory string: Program ManagerD$&l
    Source: fixxing.exe, 00000005.00000002.484267646.0000000002B47000.00000004.00000001.sdmp | Binary or memory string: Program Manager@
    Source: fixxing.exe, 00000005.00000002.489636922.00000000061EB000.00000004.00000001.sdmp | Binary or memory string: Program Manager|
    Source: C:\Users\user\Desktop\fixxing.exe | Queries volume information: C:\Users\user\Desktop\fixxing.exe VolumeInformation
    Source: C:\Users\user\Desktop\fixxing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\fixxing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\fixxing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\fixxing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\fixxing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
    Source: C:\Users\user\Desktop\fixxing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Users\user\Desktop\fixxing.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\Desktop\fixxing.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\fixxing.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\fixxing.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

    Stealing of Sensitive Information:

    Yara detected Nanocore RAT
    Source: Yara match | File source: 00000005.00000002.486030987.00000000037A9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.489178214.0000000005A50000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.479168192.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.487530331.0000000004352000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.481816000.0000000002751000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.225554713.00000000038E9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: fixxing.exe PID: 4700, type: MEMORY
    Source: Yara match | File source: 5.2.fixxing.exe.5a50000.20.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.fixxing.exe.39f4dc8.2.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.37b8a20.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.5a54629.21.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.4352a0a.14.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.37b8a20.7.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.4357840.16.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.5a50000.20.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.fixxing.exe.39f4dc8.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.435be69.15.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.4357840.16.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.37bd049.6.raw.unpack, type: UNPACKEDPE

    Remote Access Functionality:

    Detected Nanocore Rat
    Source: fixxing.exe | String found in binary or memory: NanoCore.ClientPluginHost

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation¹ | Scheduled Task/Job¹ | Process Injection¹¹² | Masquerading¹ | Input Capture¹¹ | Query Registry¹ | Remote Services | Input Capture¹¹ | Exfiltration Over Other Network Medium | Encrypted Channel¹ | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job¹ | Boot or Logon Initialization Scripts | Scheduled Task/Job¹ | Disable or Modify Tools¹ | LSASS Memory | Security Software Discovery²²¹ | Remote Desktop Protocol | Archive Collected Data¹¹ | Exfiltration Over Bluetooth | Non-Standard Port¹ | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion⁴¹ | Security Account Manager | Process Discovery² | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software¹ | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection¹¹² | NTDS | Virtualization/Sandbox Evasion⁴¹ | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol¹ | SIM Card Swap | Carrier Billing Fraud |
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information¹ | LSA Secrets | Application Window Discovery¹ | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories¹ | Cached Domain Credentials | File and Directory Discovery¹ | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information² | DCSync | System Information Discovery¹² | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing¹³ | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

    Behavior Graph



    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    fixxing.exe | 32% | Virustotal |
    fixxing.exe | 18% | Metadefender |
    fixxing.exe | 60% | ReversingLabs | ByteCode-MSIL.Trojan.Agentesla
    fixxing.exe | 100% | Joe Sandbox ML |

    Dropped Files

    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe | 100% | Joe Sandbox ML |
    C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe | 18% | Metadefender |
    C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe | 60% | ReversingLabs | ByteCode-MSIL.Trojan.Agentesla

    Unpacked PE Files

    Source | Detection | Scanner | Label
    5.2.fixxing.exe.37b8a20.7.unpack | 100% | Avira | TR/NanoCore.fadte
    5.2.fixxing.exe.5a50000.20.unpack | 100% | Avira | TR/NanoCore.fadte
    5.2.fixxing.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    45.137.22.50 | 1% | Virustotal |
    45.137.22.50 | 0% | Avira URL Cloud | safe
    https://www.rtctel.com/ | 0% | Virustotal |
    https://www.rtctel.com/ | 0% | Avira URL Cloud | safe
    127.0.0.1 | 0% | Virustotal |
    127.0.0.1 | 0% | Avira URL Cloud | safe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    45.137.22.50 | true | 1%, Virustotal; Avira URL Cloud: safe | unknown
    127.0.0.1 | true | 0%, Virustotal; Avira URL Cloud: safe | unknown

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    https://support.bandwidth.com/hc/en-us/restricted?return_to=https%3A%2F%2Fsupport.bandwidth.com%2Fhc | fixxing.exe | false | | high
    https://support.neonova.net/login.php | fixxing.exe | false | | high
    https://admin.neonova.net/index.php | fixxing.exe | false | | high
    https://www.rtctel.com/ | fixxing.exe | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
    https://admin.neonova.net/index.phpKhttps://support.neonova.net/login.phpmhttps://calix.force.com/id | fixxing.exe | false | | high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp | false | | high
    https://calix.force.com/idp/login?app=0sp70000000001i# | fixxing.exe | false | | high
    https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp | false | | high

                  Contacted IPs


                  Public

    IP | Domain | Country | ASN | ASN Name | Malicious
    45.137.22.50 | unknown | Netherlands | 51447 | ROOTLAYERNETNL | true

                  General Information

                  Joe Sandbox Version:32.0.0 Black Diamond
                  Analysis ID:403128
                  Start date:03.05.2021
                  Start time:19:47:16
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 9m 36s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Sample file name:fixxing.exe
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of new started processes analysed:27
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@6/8@0/1
                  EGA Information:Failed
                  HDC Information:Failed
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 49
                  • Number of non-executed functions: 3
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .exe
                  Warnings:
                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.

                  Simulations

                  Behavior and APIs

    Time | Type | Description
    19:48:08 | API Interceptor | 1025x Sleep call for process: fixxing.exe modified

                  Joe Sandbox View / Context

                  IPs

    Match | Associated Sample Name / URL | Detection
    45.137.22.50 | note-mxm.exe | malicious
    45.137.22.50 | purchase order confirmation.exe | malicious
    45.137.22.50 | purchase order acknowledgement.exe | malicious
    45.137.22.50 | TBBurmah Trading Co., Ltd - products inquiry .exe | malicious
    45.137.22.50 | PURCHASE ORDER - #0022223 DATED 29042021.exe | malicious
    45.137.22.50 | PURCHASE ORDER - #0022223, date29042021.exe | malicious
    45.137.22.50 | B_N SAO SWIFT MT103.exe | malicious
    45.137.22.50 | PURCHASE ORDER - #0022223 DATED 28042021.exe | malicious
    45.137.22.50 | Al kabous group Ltd - purchase order #04272021.exe | malicious
    45.137.22.50 | Mack Trading Limited - products list.exe | malicious
    45.137.22.50 | Kim Quy Trading - PRODUCTS LISTS.exe | malicious

                                        Domains

                                        No context

                                        ASN

    Match | Associated Sample Name / URL | Detection | Context
    ROOTLAYERNETNL | note-mxm.exe | malicious | 45.137.22.50
    ROOTLAYERNETNL | purchase order confirmation.exe | malicious | 45.137.22.50
    ROOTLAYERNETNL | purchase order acknowledgement.exe | malicious | 45.137.22.50
    ROOTLAYERNETNL | TBBurmah Trading Co., Ltd - products inquiry .exe | malicious | 45.137.22.50
    ROOTLAYERNETNL | FRIEGHT PAYMENT 41,634.20 USD..exe | malicious | 45.137.22.107
    ROOTLAYERNETNL | Due Invoices.exe | malicious | 45.137.22.107
    ROOTLAYERNETNL | PURCHASE ORDER - #0022223 DATED 29042021.exe | malicious | 45.137.22.50
    ROOTLAYERNETNL | PURCHASE ORDER - #0022223, date29042021.exe | malicious | 45.137.22.50
    ROOTLAYERNETNL | B_N SAO SWIFT MT103.exe | malicious | 45.137.22.50
    ROOTLAYERNETNL | PO0900009.exe | malicious | 185.222.58.152
    ROOTLAYERNETNL | PURCHASE ORDER - #0022223 DATED 28042021.exe | malicious | 45.137.22.50
    ROOTLAYERNETNL | Order ConfirmationSANQAW12NC9W03.exe | malicious | 185.222.57.152
    ROOTLAYERNETNL | PO MT2249C.exe | malicious | 185.222.57.152
    ROOTLAYERNETNL | Al kabous LtdPurchase order NO#00421876.exe | malicious | 185.222.57.152
    ROOTLAYERNETNL | Al kabous group Ltd - purchase order #04272021.exe | malicious | 45.137.22.50
    ROOTLAYERNETNL | 0900000000000000000900.exe | malicious | 185.222.58.152
    ROOTLAYERNETNL | P08240421_CIF-Pdf.exe | malicious | 45.137.22.123
    ROOTLAYERNETNL | ORD-63648.exe | malicious | 45.137.22.123
    ROOTLAYERNETNL | FA0900009000.exe | malicious | 185.222.58.152
    ROOTLAYERNETNL | Packinglist&certificate of imports.exe | malicious | 185.222.57.152

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

    Match | Associated Sample Name / URL | Detection
    C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe | purchase order confirmation.exe | malicious

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fixxing.exe.log
                                          Process:C:\Users\user\Desktop\fixxing.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:modified
                                          Size (bytes):1314
                                          Entropy (8bit):5.350128552078965
                                          Encrypted:false
                                          SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                          MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                          SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                          SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                          SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                          C:\Users\user\AppData\Local\Temp\tmp86B5.tmp
                                          Process:C:\Users\user\Desktop\fixxing.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1647
                                          Entropy (8bit):5.1976832556708175
                                          Encrypted:false
                                          SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBVqBtn:cbh47TlNQ//rydbz9I3YODOLNdq3j+
                                          MD5:711F9E16C0FBC75B09CFA0CDFD720915
                                          SHA1:F21F57A9E5ED5894D4743A3F3DE0CE3D3B9FBE3B
                                          SHA-256:1E6B7105305FAE8EC803C5669EFCE337B1207AC0B38B19AA2C3513C0D1C88D54
                                          SHA-512:59FCFAB5AB3913FBD90F5AF156C496130DB4162256E150DE2AB3E2207F239B99490AAA84F759F016FCFC6184E8E3A7479EB13C8B11D5236236094D09A5680F27
                                          Malicious:true
                                          Reputation:low
                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                          Process:C:\Users\user\Desktop\fixxing.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):1856
                                          Entropy (8bit):7.024371743172393
                                          Encrypted:false
                                          SSDEEP:48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCr
                                          MD5:838CD9DBC78EA45A5406EAE23962086D
                                          SHA1:C8273AACDEE03AC0CDCDDBAA83F51D04D6A4203C
                                          SHA-256:6E11A62511C5BBC0413128305069B780C448684B54FAA3E8DD0B4FD3DB8C9867
                                          SHA-512:F7D25EF1FA6F50667DD6785CC774E0AA6BC52A2231FE96E7C59D14EFDFDDA076F6399288CF6EAC8EFA8A75727893432AA155DA0E392F8CD1F26C5C5871EAC6B5
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                          Process:C:\Users\user\Desktop\fixxing.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):8
                                          Entropy (8bit):3.0
                                          Encrypted:false
                                          SSDEEP:3:PCot:6ot
                                          MD5:FE39AF73DBC3CEDCDE515A5AC1E37181
                                          SHA1:7A09829329D36895F3DF3426447D30B832A83658
                                          SHA-256:05FBCBC3F0AE751B30F246D1336A6ADDC4DE211B480CAB5F34410B795D39C9FB
                                          SHA-512:1B5D97B15A9C4AAE09CC869E870ABE1F7ADDB9C584DFCAA8FDA3FFF67DEAA826CE877DBC53E74F449F9CB39A09D1D3A5FE30007327C33C9D64519AA2F592C130
                                          Malicious:true
                                          Reputation:low
                                          Preview: .vM....H
                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                          Process:C:\Users\user\Desktop\fixxing.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):40
                                          Entropy (8bit):5.153055907333276
                                          Encrypted:false
                                          SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                          MD5:4E5E92E2369688041CC82EF9650EDED2
                                          SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                          SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                          SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                          Process:C:\Users\user\Desktop\fixxing.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):327432
                                          Entropy (8bit):7.99938831605763
                                          Encrypted:true
                                          SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                          MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                          SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                          SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                          SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                          C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe
                                          Process:C:\Users\user\Desktop\fixxing.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):730112
                                          Entropy (8bit):7.682661934320617
                                          Encrypted:false
                                          SSDEEP:12288:ctl3e+PHoCAQ1q5y/e2h3QFRiFD94KnBedBJmrRiD8pBf5rcrM:ctl3e+foC/q4oDiFJRBedOrQYpR5rm
                                          MD5:0D50C8E7C3F044099056BFB318F108C6
                                          SHA1:538871E91C9CAC38AF31BD09FE456843D841F586
                                          SHA-256:91F6FC2AE99E090DAD56E53C7BF258DD4F43DF79AC02A11F2620C31F045FC87F
                                          SHA-512:5364611735FE235A94A0339EAE7511472EEAB0B892E9E1A17DA46F23802F82C4C2B225BED37953226A1B8B84D6711F16EEE15F28254D5A4D68BC26E378B7C7AD
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
    • Antivirus: Metadefender, Detection: 18%
                                          • Antivirus: ReversingLabs, Detection: 60%
                                          Joe Sandbox View:
    • Filename: purchase order confirmation.exe, Detection: malicious
                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.............b-... ...@....@.. ....................................@..................................-..O....@..8....................`....................................................... ............... ..H............text...h.... ...................... ..`.rsrc...8....@......................@..@.reloc.......`......."..............@..B................D-......H........-...............:..p............................................0............(....(..........(.....o.....*.....................( ......(!......("......(#......($....*N..(....o....(%....*&..(&....*.s'........s(........s)........s*........s+........*....0...........~....o,....+..*.0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*.0..<........~.....(1.....,!r...p.....(2...o3...s4............~.....+..*.0......
                                          C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe:Zone.Identifier
                                          Process:C:\Users\user\Desktop\fixxing.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Preview: [ZoneTransfer]....ZoneId=0

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.682661934320617
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:fixxing.exe
                                          File size:730112
                                          MD5:0d50c8e7c3f044099056bfb318f108c6
                                          SHA1:538871e91c9cac38af31bd09fe456843d841f586
                                          SHA256:91f6fc2ae99e090dad56e53c7bf258dd4f43df79ac02a11f2620c31f045fc87f
                                          SHA512:5364611735fe235a94a0339eae7511472eeab0b892e9e1a17da46f23802f82c4c2b225bed37953226a1b8b84d6711f16eee15f28254d5a4d68bc26e378b7c7ad
                                          SSDEEP:12288:ctl3e+PHoCAQ1q5y/e2h3QFRiFD94KnBedBJmrRiD8pBf5rcrM:ctl3e+foC/q4oDiFJRBedOrQYpR5rm
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.............b-... ...@....@.. ....................................@................................

                                          File Icon

                                          Icon Hash:849494a4a4a4e464

                                          Static PE Info

                                          General

                                          Entrypoint:0x4a2d62
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0x608D050B [Sat May 1 07:36:43 2021 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v4.0.30319
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa2d10 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa4000 | 0x11138 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa0d68 | 0xa0e00 | False | 0.853620337995 | data | 7.76210474352 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xa4000 | 0x11138 | 0x11200 | False | 0.11155622719 | data | 5.26971437241 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xa4130 | 0x10828 | data | - | -
RT_GROUP_ICON | 0xb4958 | 0x14 | data | - | -
RT_VERSION | 0xb496c | 0x30c | data | - | -
RT_MANIFEST | 0xb4c78 | 0x4bd | XML 1.0 document, UTF-8 Unicode (with BOM) text | - | -

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | -
Assembly Version | 1.0.0.0
InternalName | Debugger.exe
FileVersion | 1.0.0.0
CompanyName | -
LegalTrademarks | -
Comments | -
ProductName | RogueButtons
ProductVersion | 1.0.0.0
FileDescription | RogueButtons
OriginalFilename | Debugger.exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/03/21-19:48:16.892186 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
05/03/21-19:48:23.328869 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49727 | 4557 | 192.168.2.3 | 45.137.22.50
05/03/21-19:48:28.259692 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49728 | 4557 | 192.168.2.3 | 45.137.22.50
05/03/21-19:48:34.313765 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49732 | 4557 | 192.168.2.3 | 45.137.22.50
05/03/21-19:48:40.300527 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49735 | 4557 | 192.168.2.3 | 45.137.22.50
05/03/21-19:48:46.350416 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49736 | 4557 | 192.168.2.3 | 45.137.22.50
05/03/21-19:48:52.395241 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49737 | 4557 | 192.168.2.3 | 45.137.22.50
05/03/21-19:48:58.513579 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49741 | 4557 | 192.168.2.3 | 45.137.22.50
05/03/21-19:49:05.642550 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49742 | 4557 | 192.168.2.3 | 45.137.22.50
05/03/21-19:49:11.743009 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49748 | 4557 | 192.168.2.3 | 45.137.22.50
05/03/21-19:49:17.725023 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49750 | 4557 | 192.168.2.3 | 45.137.22.50
05/03/21-19:49:23.741350 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49751 | 4557 | 192.168.2.3 | 45.137.22.50
05/03/21-19:49:29.790151 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49752 | 4557 | 192.168.2.3 | 45.137.22.50
05/03/21-19:49:35.792248 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49753 | 4557 | 192.168.2.3 | 45.137.22.50
05/03/21-19:49:41.791022 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49756 | 4557 | 192.168.2.3 | 45.137.22.50
05/03/21-19:49:47.805502 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49757 | 4557 | 192.168.2.3 | 45.137.22.50
05/03/21-19:49:53.947358 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49758 | 4557 | 192.168.2.3 | 45.137.22.50
05/03/21-19:49:59.949354 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49759 | 4557 | 192.168.2.3 | 45.137.22.50
05/03/21-19:50:06.047937 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49761 | 4557 | 192.168.2.3 | 45.137.22.50
05/03/21-19:50:12.307942 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49762 | 4557 | 192.168.2.3 | 45.137.22.50

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 3, 2021 19:48:16.770478010 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:16.817135096 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:16.817271948 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:16.892185926 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:16.961973906 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:16.981944084 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.029064894 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.056797028 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.125231028 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.125410080 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.158269882 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.158327103 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.158365965 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.158413887 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.158423901 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.158452034 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.158452988 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.158519983 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.203636885 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.205080986 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.205136061 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.205174923 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.205235958 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.205291033 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.205348015 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.205442905 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.205492973 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.205519915 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.205658913 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.252422094 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.252463102 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.252496958 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.252538919 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.252587080 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.252592087 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.252624035 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.252628088 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.252659082 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.252687931 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.252691984 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.252717972 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.252746105 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.252747059 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.252777100 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.252808094 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.252836943 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.252852917 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.252892971 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.299448013 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.299506903 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.299546957 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.299583912 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.299655914 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.299695015 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.299710989 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.299742937 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.299782038 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.299786091 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.299789906 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.299814939 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.299853086 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.299880028 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.299890995 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.299928904 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.299963951 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.299966097 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.300004005 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.300050974 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.300055027 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.300092936 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.300118923 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.300131083 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.300168991 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.300206900 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.300242901 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.300266981 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.300281048 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.300282001 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.300321102 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.300368071 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.300393105 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.300410032 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.300447941 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.300451040 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.300477982 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.300538063 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.347068071 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347121954 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347157001 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347188950 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347222090 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347244024 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.347254038 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347285032 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.347295046 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347327948 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347347975 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.347352028 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347384930 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.347392082 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347428083 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347460032 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347493887 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.347495079 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347527981 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347558975 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347590923 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347603083 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.347623110 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347662926 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347698927 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347714901 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.347732067 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347753048 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.347764969 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347796917 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347814083 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.347827911 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347860098 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347901106 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347914934 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.347935915 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.347968102 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348000050 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348000050 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.348033905 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.348038912 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348074913 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348088980 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.348107100 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348140955 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348164082 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.348174095 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348205090 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348237038 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348251104 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.348268032 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348292112 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.348308086 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348342896 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348375082 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348383904 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.348408937 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348438978 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.348457098 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348498106 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348512888 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.348535061 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348557949 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348597050 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348632097 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348639011 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.348663092 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348695040 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348720074 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.348726988 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348751068 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.348757982 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348788023 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.348836899 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.395670891 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.395739079 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.395797968 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.395853043 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.395885944 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.395903111 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.395941973 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.395946026 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.395982027 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396024942 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.396029949 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396073103 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396109104 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.396110058 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396148920 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396178007 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.396187067 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396224022 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396244049 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.396261930 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396300077 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396352053 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396358967 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.396394968 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396426916 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.396433115 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396471977 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396486998 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.396512032 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396567106 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396581888 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.396620989 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396661043 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396697998 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.396708965 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396752119 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396764994 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.396790981 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396828890 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396841049 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.396867037 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396903992 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396920919 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.396940947 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.396967888 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.397008896 CEST | 49724 | 4557 | 192.168.2.3 | 45.137.22.50
May 3, 2021 19:48:17.397013903 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.397057056 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
May 3, 2021 19:48:17.397093058 CEST | 4557 | 49724 | 45.137.22.50 | 192.168.2.3
                                          May 3, 2021 19:48:17.397115946 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.397131920 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.397170067 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.397186041 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.397207975 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.397244930 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.397281885 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.397296906 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.397329092 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.397327900 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.397372007 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.397439003 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.397475958 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.397504091 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.397517920 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.397526026 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.397556067 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.397593021 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.397604942 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.397629976 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.397666931 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.397680998 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.397712946 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.397743940 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.397766113 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.444526911 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.444570065 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.444607019 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.444655895 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.444699049 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.444740057 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.444781065 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.444820881 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.444861889 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.444899082 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.444937944 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.444988012 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445033073 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445070982 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445110083 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445149899 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445182085 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.445187092 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445202112 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.445226908 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445266962 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445285082 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.445314884 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445355892 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445369959 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.445430040 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445468903 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445486069 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.445512056 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445550919 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445578098 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.445588112 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445626020 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445655107 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.445662022 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445708990 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445722103 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.445750952 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445777893 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445808887 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.445816040 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445854902 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445890903 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445930004 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.445966959 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.446012974 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.446038008 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.446047068 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.446053982 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.446067095 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.446091890 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.446130037 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.446156025 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.446166992 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.446203947 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.446234941 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.446243048 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.446280003 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.446326971 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.446330070 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.446369886 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.446374893 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.446623087 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.446701050 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.446731091 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.446773052 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.446799994 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.446819067 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.493550062 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.493596077 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.493633986 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.493673086 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.493701935 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.493711948 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.493748903 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.493786097 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.493786097 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.493793011 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.493824005 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.493870974 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.493891001 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.493913889 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.493952990 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.493972063 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.493989944 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494028091 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494035006 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.494065046 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494102955 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494141102 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494148016 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.494187117 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494190931 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.494229078 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494266033 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494301081 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.494304895 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494342089 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494355917 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.494379044 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494415998 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494426966 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.494452953 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494502068 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.494502068 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494544029 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494580984 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494591951 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.494618893 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494657040 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494693041 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494714975 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.494729996 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494746923 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.494767904 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494816065 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494846106 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494873047 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.494883060 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494920969 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494931936 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.494959116 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.494996071 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.495007992 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.495033979 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.495071888 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.495083094 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.495119095 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.495161057 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.495197058 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.495208979 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.495234966 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.495240927 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.495274067 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.495310068 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.495347977 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.495358944 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.495385885 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.495397091 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.495433092 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.495464087 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.495484114 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.542469978 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.542522907 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.542552948 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.542582989 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.542613029 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.542642117 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.542670965 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.542700052 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.542707920 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.542733908 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.542737961 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.542768002 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.542779922 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.542855978 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.542885065 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.542917967 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.542921066 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.542954922 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.542958975 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.542984962 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.543015957 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.543035030 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.543045044 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.543067932 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.543075085 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.543103933 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.543133974 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.543165922 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.543170929 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.543200016 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.543205023 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.543234110 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.543263912 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.543281078 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.543294907 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.543324947 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.543327093 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.543354988 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.543380022 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:17.543385029 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:17.543477058 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:18.417334080 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:18.484678030 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:18.760689974 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:18.833235025 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:18.956085920 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:19.060642958 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:19.107223988 CEST45574972445.137.22.50192.168.2.3
                                          May 3, 2021 19:48:19.130968094 CEST497244557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:23.281069040 CEST497274557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:23.327841043 CEST45574972745.137.22.50192.168.2.3
                                          May 3, 2021 19:48:23.328030109 CEST497274557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:23.328869104 CEST497274557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:23.376048088 CEST45574972745.137.22.50192.168.2.3
                                          May 3, 2021 19:48:23.467324972 CEST497274557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:23.514195919 CEST45574972745.137.22.50192.168.2.3
                                          May 3, 2021 19:48:23.670429945 CEST497274557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:23.877723932 CEST497274557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:23.924699068 CEST45574972745.137.22.50192.168.2.3
                                          May 3, 2021 19:48:23.926311970 CEST497274557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:24.016258001 CEST45574972745.137.22.50192.168.2.3
                                          May 3, 2021 19:48:24.112873077 CEST45574972745.137.22.50192.168.2.3
                                          May 3, 2021 19:48:24.114164114 CEST497274557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:24.157716990 CEST497274557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:24.160674095 CEST45574972745.137.22.50192.168.2.3
                                          May 3, 2021 19:48:24.160828114 CEST497274557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:28.211365938 CEST497284557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:28.258042097 CEST45574972845.137.22.50192.168.2.3
                                          May 3, 2021 19:48:28.258224010 CEST497284557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:28.259691954 CEST497284557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:28.326899052 CEST45574972845.137.22.50192.168.2.3
                                          May 3, 2021 19:48:28.327907085 CEST497284557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:28.374867916 CEST45574972845.137.22.50192.168.2.3
                                          May 3, 2021 19:48:28.376140118 CEST497284557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:28.453454971 CEST45574972845.137.22.50192.168.2.3
                                          May 3, 2021 19:48:28.550158024 CEST45574972845.137.22.50192.168.2.3
                                          May 3, 2021 19:48:28.573005915 CEST497284557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:28.619771004 CEST45574972845.137.22.50192.168.2.3
                                          May 3, 2021 19:48:28.709441900 CEST497284557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:28.757961035 CEST45574972845.137.22.50192.168.2.3
                                          May 3, 2021 19:48:28.758198023 CEST497284557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:28.805217028 CEST45574972845.137.22.50192.168.2.3
                                          May 3, 2021 19:48:28.805777073 CEST497284557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:28.875566959 CEST45574972845.137.22.50192.168.2.3
                                          May 3, 2021 19:48:28.891251087 CEST497284557192.168.2.345.137.22.50
                                          May 3, 2021 19:48:28.969295979 CEST45574972845.137.22.50192.168.2.3
                                          May 3, 2021 19:50:06.017298937 CEST497614557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:06.047936916 CEST497614557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:06.109621048 CEST45574976145.137.22.50192.168.2.3
                                          May 3, 2021 19:50:06.114252090 CEST45574976145.137.22.50192.168.2.3
                                          May 3, 2021 19:50:06.114581108 CEST497614557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:06.161616087 CEST45574976145.137.22.50192.168.2.3
                                          May 3, 2021 19:50:06.164248943 CEST497614557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:06.234595060 CEST45574976145.137.22.50192.168.2.3
                                          May 3, 2021 19:50:06.234771967 CEST497614557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:06.312691927 CEST45574976145.137.22.50192.168.2.3
                                          May 3, 2021 19:50:06.347023964 CEST45574976145.137.22.50192.168.2.3
                                          May 3, 2021 19:50:06.349215984 CEST497614557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:06.395678043 CEST45574976145.137.22.50192.168.2.3
                                          May 3, 2021 19:50:06.398463011 CEST497614557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:06.445225954 CEST45574976145.137.22.50192.168.2.3
                                          May 3, 2021 19:50:06.445307970 CEST497614557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:06.493844986 CEST45574976145.137.22.50192.168.2.3
                                          May 3, 2021 19:50:06.538460016 CEST497614557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:07.179958105 CEST497614557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:07.250350952 CEST45574976145.137.22.50192.168.2.3
                                          May 3, 2021 19:50:08.228209019 CEST497614557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:12.259078979 CEST497624557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:12.306279898 CEST45574976245.137.22.50192.168.2.3
                                          May 3, 2021 19:50:12.306497097 CEST497624557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:12.307941914 CEST497624557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:12.375416994 CEST45574976245.137.22.50192.168.2.3
                                          May 3, 2021 19:50:12.375552893 CEST497624557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:12.388384104 CEST45574976245.137.22.50192.168.2.3
                                          May 3, 2021 19:50:12.388515949 CEST497624557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:12.453494072 CEST45574976245.137.22.50192.168.2.3
                                          May 3, 2021 19:50:12.453638077 CEST497624557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:12.500858068 CEST45574976245.137.22.50192.168.2.3
                                          May 3, 2021 19:50:12.502439976 CEST497624557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:12.578408957 CEST45574976245.137.22.50192.168.2.3
                                          May 3, 2021 19:50:12.691248894 CEST45574976245.137.22.50192.168.2.3
                                          May 3, 2021 19:50:12.692111015 CEST497624557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:12.738914013 CEST45574976245.137.22.50192.168.2.3
                                          May 3, 2021 19:50:12.740619898 CEST497624557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:12.787482977 CEST45574976245.137.22.50192.168.2.3
                                          May 3, 2021 19:50:12.787673950 CEST497624557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:12.835083008 CEST45574976245.137.22.50192.168.2.3
                                          May 3, 2021 19:50:12.882808924 CEST497624557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:13.320931911 CEST497624557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:13.391114950 CEST45574976245.137.22.50192.168.2.3
                                          May 3, 2021 19:50:17.360372066 CEST45574976245.137.22.50192.168.2.3
                                          May 3, 2021 19:50:17.414338112 CEST497624557192.168.2.345.137.22.50
                                          May 3, 2021 19:50:18.939440012 CEST45574976245.137.22.50192.168.2.3
                                          May 3, 2021 19:50:18.992599010 CEST497624557192.168.2.345.137.22.50

                                          Code Manipulations

                                          Statistics

                                          CPU Usage

                                          Memory Usage

                                          High Level Behavior Distribution

                                          Behavior

                                          System Behavior

                                          General

                                          Start time:19:48:07
                                          Start date:03/05/2021
                                          Path:C:\Users\user\Desktop\fixxing.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\fixxing.exe'
                                          Imagebase:0x510000
                                          File size:730112 bytes
                                          MD5 hash:0D50C8E7C3F044099056BFB318F108C6
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.225554713.00000000038E9000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.225554713.00000000038E9000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.225554713.00000000038E9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          Reputation:low

                                          General

                                          Start time:19:48:11
                                          Start date:03/05/2021
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xQGPeospVmcjdT' /XML 'C:\Users\user\AppData\Local\Temp\tmp86B5.tmp'
                                          Imagebase:0x1000000
                                          File size:185856 bytes
                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:19:48:11
                                          Start date:03/05/2021
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6b2800000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:19:48:12
                                          Start date:03/05/2021
                                          Path:C:\Users\user\Desktop\fixxing.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\fixxing.exe
                                          Imagebase:0x450000
                                          File size:730112 bytes
                                          MD5 hash:0D50C8E7C3F044099056BFB318F108C6
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.488981996.0000000005310000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.488981996.0000000005310000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.486030987.00000000037A9000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.489178214.0000000005A50000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.489178214.0000000005A50000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.489178214.0000000005A50000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.479168192.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.479168192.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.479168192.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.487530331.0000000004352000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.487530331.0000000004352000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.481816000.0000000002751000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.487434335.0000000004267000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.489813017.0000000006430000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.489813017.0000000006430000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.481888361.00000000027BD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          Reputation:low
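The process records above show the persistence step behind the "Scheduled temp file as task from temp location" signature: fixxing.exe launches schtasks.exe with /Create and an /XML task definition read from the user's Temp folder, and separately starts a second copy of its own image. The following is an added example, not code from the Joe Sandbox report, that runs those two checks over process-creation records. The record layout (pid, ppid, path, cmdline), the PIDs and the rule names are this example's own; the sample records are constructed to mirror the four process starts listed above, with the double quotes a real Windows command line carries rather than the single quotes the report renders.

```python
"""Flag the persistence pattern recorded in the System Behavior section above:
schtasks.exe launched with /Create and an /XML task definition read from the
user's Temp directory, plus the sample re-launching its own image.

Added example, not code from the Joe Sandbox report. The record layout
(pid/ppid/path/cmdline) and the two rule names are this example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed records mirroring the four process starts listed above. The
# report renders quotes as single quotes; a real Windows command line uses
# double quotes, which is what these records carry. PIDs are invented.
SAMPLE_PROCESSES: List[Dict] = [
    {"pid": 1, "ppid": 0, "path": r"C:\Users\user\Desktop\fixxing.exe",
     "cmdline": r'"C:\Users\user\Desktop\fixxing.exe"'},
    {"pid": 2, "ppid": 1, "path": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": (r'"C:\Windows\System32\schtasks.exe" /Create '
                 r'/TN "Updates\xQGPeospVmcjdT" '
                 r'/XML "C:\Users\user\AppData\Local\Temp\tmp86B5.tmp"')},
    {"pid": 3, "ppid": 2, "path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 4, "ppid": 1, "path": r"C:\Users\user\Desktop\fixxing.exe",
     "cmdline": r"C:\Users\user\Desktop\fixxing.exe"},
]

# Quoted arguments stay whole; backslashes are not escapes on Windows, so
# shlex in POSIX mode would mangle the paths.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
TEMP_DIR_RE = re.compile(
    r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|^%TEMP%", re.IGNORECASE)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, dropping the quotes."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def parse_switches(args: List[str]) -> Dict[str, Optional[str]]:
    """Map lower-cased /switches to their value (None for bare switches)."""
    opts: Dict[str, Optional[str]] = {}
    i = 0
    while i < len(args):
        key = args[i].lower()
        if key.startswith("/") and i + 1 < len(args) and not args[i + 1].startswith("/"):
            opts[key] = args[i + 1]
            i += 2
        else:
            opts[key] = None
            i += 1
    return opts


def schtasks_from_temp(cmdline: str) -> Optional[Tuple[Optional[str], str]]:
    """Return (task name, xml path) when cmdline registers a task whose XML
    definition lives in a temp directory; None otherwise."""
    tokens = tokenize(cmdline)
    if not tokens or not tokens[0].lower().endswith("schtasks.exe"):
        return None
    opts = parse_switches(tokens[1:])
    xml = opts.get("/xml")
    if "/create" not in opts or not xml or not TEMP_DIR_RE.search(xml):
        return None
    return opts.get("/tn"), xml


def self_spawn(proc: Dict, by_pid: Dict[int, Dict]) -> bool:
    """True when a process is started by a parent running the same image,
    the shape seen above where fixxing.exe launches a second fixxing.exe."""
    parent = by_pid.get(proc["ppid"])
    return parent is not None and parent["path"].lower() == proc["path"].lower()


def analyze(processes: List[Dict]) -> List[Dict]:
    """Run both checks over a process list and return the findings in order."""
    by_pid = {p["pid"]: p for p in processes}
    findings: List[Dict] = []
    for p in processes:
        hit = schtasks_from_temp(p["cmdline"])
        if hit:
            findings.append({"pid": p["pid"], "rule": "schtasks_create_from_temp",
                             "task": hit[0], "xml": hit[1]})
        if self_spawn(p, by_pid):
            findings.append({"pid": p["pid"], "rule": "self_spawn_same_image",
                             "parent_pid": p["ppid"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_PROCESSES):
        print(finding)
```

The temp-path check is what separates this from benign task registration: an installer that imports a task XML from ProgramData or its own install directory does not match, while the report's tmp86B5.tmp under AppData\Local\Temp does. The self-spawn check is a weaker heuristic on its own (updaters and elevation prompts also relaunch the same image) and is best read together with the "Creates a process in suspended mode" and PE-injection signatures the report lists for this sample.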

                                          Disassembly

                                          Code Analysis

                                            Executed Functions

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.229364138.0000000004F10000.00000040.00000001.sdmp, Offset: 04F10000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ac9817e196ab313348a8ac76621c042f8cf7c6cba5cb0cb66beae2439901c04b
                                            • Instruction ID: 8c4bb2350b248a1f50fde39597500bb86490f7c022faf940db0700c5fe1736e5
                                            • Opcode Fuzzy Hash: ac9817e196ab313348a8ac76621c042f8cf7c6cba5cb0cb66beae2439901c04b
                                            • Instruction Fuzzy Hash: 69526931B001559FDB18DF69C888AAEB7B2FF89314B158069E8169B374DB35FC42CB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 027BDD8A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.224871629.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: a689f89ee74e15be187c83a1924968066aeebcca364a043212d10f54a1cf243c
                                            • Instruction ID: 0d8cbbb67a02175b2729193122bc9bbf2650ea66d76ffe6e645b8d1cee2152fd
                                            • Opcode Fuzzy Hash: a689f89ee74e15be187c83a1924968066aeebcca364a043212d10f54a1cf243c
                                            • Instruction Fuzzy Hash: E6816CB1C093889FCB12CFA5C854ACDBFB1FF0A304F1A819BE944AB262D7349945CB55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.224871629.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 05142b41518fa5ae59070c4ab52df8f6c23775ef47639ab49489f19a8e8d60f3
                                            • Instruction ID: 2239ac2d4fe6465f368846c533f78bc943f9c11fb7c7c48e86d75c2c79fe5257
                                            • Opcode Fuzzy Hash: 05142b41518fa5ae59070c4ab52df8f6c23775ef47639ab49489f19a8e8d60f3
                                            • Instruction Fuzzy Hash: 40712570A00B058FD725DF6AC4547AAB7F1FF88318F008A2DD996DBA40DB75E8068F91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 027BDD8A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.224871629.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: e59b8e0758ab4e3e5fbc0ee5d2f19669c41b30087260e8c6b463ee2f77c2522a
                                            • Instruction ID: e1ba0ca606f1ded508e48c8f7561a9e28b3e25e1a3a7e84ba91f052f083f0404
                                            • Opcode Fuzzy Hash: e59b8e0758ab4e3e5fbc0ee5d2f19669c41b30087260e8c6b463ee2f77c2522a
                                            • Instruction Fuzzy Hash: 1151D2B1D00319DFDB25CF9AC984ADEBBB5FF49314F24812AE819AB210DB749845CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 027BDD8A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.224871629.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: d0f1159148504c97e55e3881a0345138367fc33681789c27dedcfa8a71da012d
                                            • Instruction ID: a79d49ee42e7f1f3bee36dcd9acefd26d1e1e87b292d516f6c3542bfc7614da8
                                            • Opcode Fuzzy Hash: d0f1159148504c97e55e3881a0345138367fc33681789c27dedcfa8a71da012d
                                            • Instruction Fuzzy Hash: D151C0B1D00309DFDB25CF9AC884ADEBBB5FF48314F24812AE919AB250D7749845CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 027BDD8A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.224871629.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: b8f495162b5be6b3ddf601bfd2abf65f25c17529733c4ac45d79f44bacc545c0
                                            • Instruction ID: f8749a05050a3ba09df50a5a2bfb9da7093dbfbbed06ffc64f6d6bc530312cc8
                                            • Opcode Fuzzy Hash: b8f495162b5be6b3ddf601bfd2abf65f25c17529733c4ac45d79f44bacc545c0
                                            • Instruction Fuzzy Hash: 0F51D0B1D003099FDB25CF9AD884ADEBBB1BF48314F24812AE819AB210D7749945CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,027B6D86,?,?,?,?,?), ref: 027B6E47
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.224871629.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: fc00ad85040abdd89a11d0973a130202484c2e129879bba62f9e2a48b7760b43
                                            • Instruction ID: 93b81a16cba23980b54f5430d4ffa29f8584a126d8e87cb6145a186e8c0cb09f
                                            • Opcode Fuzzy Hash: fc00ad85040abdd89a11d0973a130202484c2e129879bba62f9e2a48b7760b43
                                            • Instruction Fuzzy Hash: 3C412776900219AFCB01CF99D884ADEBFF6FF49320F15805AEA54A7360C7359954DFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 04F13F49
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.229364138.0000000004F10000.00000040.00000001.sdmp, Offset: 04F10000, based on PE: false
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 91741f4cd5c4f15f2d33c40f334de09b37d8ffeb3cf1382af0ba633857cf24be
                                            • Instruction ID: 46e09501ba052f1cc0674599bb0e4b2cdd9b7c8165804abeeeadcf5dce697688
                                            • Opcode Fuzzy Hash: 91741f4cd5c4f15f2d33c40f334de09b37d8ffeb3cf1382af0ba633857cf24be
                                            • Instruction Fuzzy Hash: 8141E5B1D04719CBDB24CF99C8847DEBBB5BF48304F208169D508AB251DB75694ACF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 04F10D91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.229364138.0000000004F10000.00000040.00000001.sdmp, Offset: 04F10000, based on PE: false
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: dd8383e425834557f79b4bec96679c548be47036539881b9fc1d8d9f596af2a2
                                            • Instruction ID: b77fed97858ca1881102d4413a8948e1511d390b38c4b2967b344e801d876302
                                            • Opcode Fuzzy Hash: dd8383e425834557f79b4bec96679c548be47036539881b9fc1d8d9f596af2a2
                                            • Instruction Fuzzy Hash: 994147B4A00305CFDB10CF99C488AAABBF5FF88314F25C459D519AB721DB34A842CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,027BDEA8,?,?,?,?), ref: 027BDF1D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.224871629.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false
                                            Similarity
                                            • API ID: LongWindow
                                            • String ID:
                                            • API String ID: 1378638983-0
                                            • Opcode ID: b0adcd8d33d34c95455375581b43c9108bef78ce0aab8e7e4a3a92d7826617f0
                                            • Instruction ID: 81a8aef224851643140991a8563aacda98bca32e90746ae0bbbf4dd784a1d519
                                            • Opcode Fuzzy Hash: b0adcd8d33d34c95455375581b43c9108bef78ce0aab8e7e4a3a92d7826617f0
                                            • Instruction Fuzzy Hash: 5D219AB1804249DFCB11CF99E848BDEBFF5EF49324F05805AE458A7251C739A909CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,027B6D86,?,?,?,?,?), ref: 027B6E47
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.224871629.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 8eb1c7a9ec417960179e6c1c8c06c13937c950bde881a4a797400177a2243674
                                            • Instruction ID: f344a8dd3e53ab2263e0ca928d8880c671259c086ff12f4f3f0ef1bd29d51d28
                                            • Opcode Fuzzy Hash: 8eb1c7a9ec417960179e6c1c8c06c13937c950bde881a4a797400177a2243674
                                            • Instruction Fuzzy Hash: BB21D4B59002489FDB10CFAAD984ADEBBF8FF48324F15841AEA14B7350D374A954CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,027B6D86,?,?,?,?,?), ref: 027B6E47
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.224871629.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 175fafb85f891de2c533edda6a364fa9245cd292549b242034e50ca4ab163e3e
                                            • Instruction ID: ff31e3ae638cd223aed9cb262fd2507737aaee19d5a8cffa32309813b20334c1
                                            • Opcode Fuzzy Hash: 175fafb85f891de2c533edda6a364fa9245cd292549b242034e50ca4ab163e3e
                                            • Instruction Fuzzy Hash: 292112B5900208DFCB00CFA9D984ADEBBF8FF48324F15801AEA14A3350C738A955CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,027BBE89,00000800,00000000,00000000), ref: 027BC09A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.224871629.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,027BBE89,00000800,00000000,00000000), ref: 027BC09A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.224871629.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,027BBBDB), ref: 027BBE0E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.224871629.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,027BDEA8,?,?,?,?), ref: 027BDF1D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.224871629.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false
                                            Similarity
                                            • API ID: LongWindow
                                            • String ID:
                                            • API String ID: 1378638983-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.224656808.000000000101D000.00000040.00000001.sdmp, Offset: 0101D000, based on PE: false
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.224686971.000000000102D000.00000040.00000001.sdmp, Offset: 0102D000, based on PE: false
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.224686971.000000000102D000.00000040.00000001.sdmp, Offset: 0102D000, based on PE: false
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.224656808.000000000101D000.00000040.00000001.sdmp, Offset: 0101D000, based on PE: false
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.224656808.000000000101D000.00000040.00000001.sdmp, Offset: 0101D000, based on PE: false
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.224656808.000000000101D000.00000040.00000001.sdmp, Offset: 0101D000, based on PE: false
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.224871629.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.223790541.0000000000512000.00000002.00020000.sdmp, Offset: 00510000, based on PE: true
                                            • Associated: 00000000.00000002.223772280.0000000000510000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.223906091.00000000005B4000.00000002.00020000.sdmp
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.223790541.0000000000512000.00000002.00020000.sdmp, Offset: 00510000, based on PE: true
                                            • Associated: 00000000.00000002.223772280.0000000000510000.00000002.00020000.sdmp
                                            • Associated: 00000000.00000002.223906091.00000000005B4000.00000002.00020000.sdmp
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Executed Functions

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 04CD962E
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.488259985.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.488259985.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.488259985.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04CDFD0A
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.488259985.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04CDBCC6,?,?,?,?,?), ref: 04CDBD87
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.488259985.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04CDBCC6,?,?,?,?,?), ref: 04CDBD87
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.488259985.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04CD96A9,00000800,00000000,00000000), ref: 04CD98BA
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.488259985.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04CD96A9,00000800,00000000,00000000), ref: 04CD98BA
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.488259985.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 04CD962E
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.488259985.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,04CDFE28,?,?,?,?), ref: 04CDFE9D
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.488259985.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                            Similarity
                                            • API ID: LongWindow
                                            • String ID:
                                            • API String ID: 1378638983-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,04CDFE28,?,?,?,?), ref: 04CDFE9D
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.488259985.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                            Similarity
                                            • API ID: LongWindow
                                            • String ID:
                                            • API String ID: 1378638983-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.489577721.0000000005F60000.00000040.00000001.sdmp, Offset: 05F50000, based on PE: true
                                            • Associated: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp
                                            Yara matches
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.489577721.0000000005F60000.00000040.00000001.sdmp, Offset: 05F50000, based on PE: true
                                            • Associated: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp
                                            Yara matches
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.489577721.0000000005F60000.00000040.00000001.sdmp, Offset: 05F50000, based on PE: true
                                            • Associated: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp Download File
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1b2ee553de628060cecfdaf150e3d0ced8f3f2bbfc9edf2a2fa2897a357ac3f4
                                            • Instruction ID: b694453ed5adec6d0db942e04b0d6d279a9525cf81d38cc45df4cda5d0ba66ce
                                            • Opcode Fuzzy Hash: 1b2ee553de628060cecfdaf150e3d0ced8f3f2bbfc9edf2a2fa2897a357ac3f4
                                            • Instruction Fuzzy Hash: B5218B31B142019FC725ABB6E41E6AE7AF6AFC5205F64846AE417D3B40DF3C9902CB52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.481415131.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6f9fa449585c33eb521c3ffdc59770da78ff40f6694aa30eec37c4216b13551d
                                            • Instruction ID: 2a8f96339701fbe1d28086ce65196cbef51ade1a7226bb84eb55171d9b2f66fb
                                            • Opcode Fuzzy Hash: 6f9fa449585c33eb521c3ffdc59770da78ff40f6694aa30eec37c4216b13551d
                                            • Instruction Fuzzy Hash: FB2145B1504244DFDB11CF54D9C0BA7BF65FB98328F248568E90B0B246D336D849DBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.481415131.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 53c80732d00f0dbf23a86d2383ec08e7b3ac9f68a3e9f130207626f0691e8034
                                            • Instruction ID: f8a3b18492145491e4dc736e8358e2fa9d610fd7bef7da62e0a0e4b0c1331804
                                            • Opcode Fuzzy Hash: 53c80732d00f0dbf23a86d2383ec08e7b3ac9f68a3e9f130207626f0691e8034
                                            • Instruction Fuzzy Hash: FF2137B1504240DFCB01CF14D9C0BA7BBA5FB98324F24C5A9E90A4B246D336E856DBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.481442904.0000000000CCD000.00000040.00000001.sdmp, Offset: 00CCD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1c7a32b1e6c62a7a5e0ac136bf19b2c96696c222a98e44b1c1a2e08aafb2ae4d
                                            • Instruction ID: 915720d0c187182c02bed2b22f105efde600822d8901be119c1849ad0d50c829
                                            • Opcode Fuzzy Hash: 1c7a32b1e6c62a7a5e0ac136bf19b2c96696c222a98e44b1c1a2e08aafb2ae4d
                                            • Instruction Fuzzy Hash: DF21F571504244DFCB14CF28D9C4F16BBA5FB88314F24C9BDE80A4B246C336D847CA62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.489577721.0000000005F60000.00000040.00000001.sdmp, Offset: 05F50000, based on PE: true
                                            • Associated: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp Download File
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b305587621095a2db88dbeddd8ae0ea6a59f4464adba738d3855ae39331ef566
                                            • Instruction ID: 4a12ca6783cdb1e865b239fc310e2dcb808af9b63f25bbda14979abe7418d579
                                            • Opcode Fuzzy Hash: b305587621095a2db88dbeddd8ae0ea6a59f4464adba738d3855ae39331ef566
                                            • Instruction Fuzzy Hash: 6E1184367041145F8708EBA8D8A49BE77EFEFC86247248429E506DB351DF36EC06C790
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.481442904.0000000000CCD000.00000040.00000001.sdmp, Offset: 00CCD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cd414e0bb9d7da278847dd25f3d45737b5301840a3122ce23f05ab4fe2319038
                                            • Instruction ID: d3a54e579d7b7f1b3005e8d18a2c91fab123a0e491bb0ab9eea13151410ef54b
                                            • Opcode Fuzzy Hash: cd414e0bb9d7da278847dd25f3d45737b5301840a3122ce23f05ab4fe2319038
                                            • Instruction Fuzzy Hash: 892180755093C08FCB02CF24D990B15BF71EB46314F29C5EED8498B697C33A980ACB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.489577721.0000000005F60000.00000040.00000001.sdmp, Offset: 05F50000, based on PE: true
                                            • Associated: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp Download File
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b02c0ec5536134e3c258f5e271f53d48d6541216e81a867acc3c80526cf3fb80
                                            • Instruction ID: 8846256b19b4bfb985ecc9d547381a57769b8f9738cca674bdc0fa9988ac7d06
                                            • Opcode Fuzzy Hash: b02c0ec5536134e3c258f5e271f53d48d6541216e81a867acc3c80526cf3fb80
                                            • Instruction Fuzzy Hash: 1111B2313086119BC714A768F4545AE77AFDFC1214BA4896DE01A8BB40DF76A8028791
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.489577721.0000000005F60000.00000040.00000001.sdmp, Offset: 05F50000, based on PE: true
                                            • Associated: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp Download File
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e8c988877bcc5de51da6ad8fddf7f126012ec25e9dcddd61140c705503a79a0d
                                            • Instruction ID: ac8352ce51ed26812c2cef60327cc91e605ba8dc87cc54f3554f6b489b3cdadc
                                            • Opcode Fuzzy Hash: e8c988877bcc5de51da6ad8fddf7f126012ec25e9dcddd61140c705503a79a0d
                                            • Instruction Fuzzy Hash: 5E119A35700601ABC724DA56D890D6AF3AFFFC9364B64C51AD45A87B90CB7AFC02CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.481415131.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
                                            • Instruction ID: 35800a368f6c5880f89c7e0926ef37332b3331653c3f6b89badc24203255c19d
                                            • Opcode Fuzzy Hash: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
                                            • Instruction Fuzzy Hash: F011E6B6504280CFCF12CF14D5C4B56BF71FB94324F28C6A9D9050B656D336D95ACBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.481415131.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
                                            • Instruction ID: 147f64a3e95088513ba5b9e0edad84f274b49471c24926297641365508f7b050
                                            • Opcode Fuzzy Hash: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
                                            • Instruction Fuzzy Hash: 9311D076404280CFCB12CF10D9C4B56BF71FB94324F28C6A9D8490B656D33AE95ACFA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.489577721.0000000005F60000.00000040.00000001.sdmp, Offset: 05F50000, based on PE: true
                                            • Associated: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp Download File
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1b71038da83149078242188989404f71a40fc780418871ff2f5dc3562426a42c
                                            • Instruction ID: df497b578a9c7f259fc8811bef917d5ce75c826348be92e79c2bdf7f8e849dbc
                                            • Opcode Fuzzy Hash: 1b71038da83149078242188989404f71a40fc780418871ff2f5dc3562426a42c
                                            • Instruction Fuzzy Hash: 27119174604390AFE31AAB28E4457697BF7EF45310F508598E08A8B751CFB8BC85CB94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.489577721.0000000005F60000.00000040.00000001.sdmp, Offset: 05F50000, based on PE: true
                                            • Associated: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp Download File
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a10149c995826f9c4d8ce8b59c7218fa85e089285f4aeb86f91b9d450a7d7b0c
                                            • Instruction ID: 0fd32c0f3462132ef0d9877bf158b860b5cfdde68604771d89833875676c6e60
                                            • Opcode Fuzzy Hash: a10149c995826f9c4d8ce8b59c7218fa85e089285f4aeb86f91b9d450a7d7b0c
                                            • Instruction Fuzzy Hash: F0F07436700A049F8364DA5EE544C57F7FAEFC9621325C96AE59EC3B24DA30F8058BA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.489577721.0000000005F60000.00000040.00000001.sdmp, Offset: 05F50000, based on PE: true
                                            • Associated: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp Download File
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 52d194cde3fe8ce396357662facc2bed0e008bef350d6d9436f950a05ef75d7f
                                            • Instruction ID: 7cb9f9bca0f29ffc5563c24d22a160c2488048497074b91f367275b4156568d4
                                            • Opcode Fuzzy Hash: 52d194cde3fe8ce396357662facc2bed0e008bef350d6d9436f950a05ef75d7f
                                            • Instruction Fuzzy Hash: 7FD05E327180249F5B04F668A920CB832AFDF89656310009AE10BDB310DD5AAC018391
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.489577721.0000000005F60000.00000040.00000001.sdmp, Offset: 05F50000, based on PE: true
                                            • Associated: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp Download File
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 634cd0b383d4d964c44af0017dcc03a4c43cd2ce5ac2b29d3436cb2d8e64f7d6
                                            • Instruction ID: 855908249a93998c018ebeb3fed9092fc297d127d91609984081ec113e9c4388
                                            • Opcode Fuzzy Hash: 634cd0b383d4d964c44af0017dcc03a4c43cd2ce5ac2b29d3436cb2d8e64f7d6
                                            • Instruction Fuzzy Hash: C6B0923601C6049F8116EB25D929D99B66EE9022467808410E20282468ABADAE04C5E6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions