
Analysis Report Copy#.exe

Overview

General Information

Sample Name: Copy#.exe
Analysis ID: 403760
MD5: af64699ae611bd9008f11e0a087c4947
SHA1: 42ffd0c3e267a347ec09a176fd81556bd5cd39b7
SHA256: 501a63b52b27b41d2f100a37d38b3b5961b8e18298ed32104c7fc2323150eb5c
Tags: exe, NanoCore, RAT


Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Copy#.exe (PID: 6408 cmdline: 'C:\Users\user\Desktop\Copy#.exe' MD5: AF64699AE611BD9008F11E0A087C4947)
    • Copy#.exe (PID: 6688 cmdline: C:\Users\user\Desktop\Copy#.exe MD5: AF64699AE611BD9008F11E0A087C4947)
    • Copy#.exe (PID: 6748 cmdline: C:\Users\user\Desktop\Copy#.exe MD5: AF64699AE611BD9008F11E0A087C4947)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "1db8cd6c-75e8-4b3e-9da8-7094ff2f", "Group": "LOG101", "Domain1": "103.28.70.172", "Domain2": "103.28.70.172", "Port": 34217, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1077d:$x1: NanoCore.ClientPluginHost
  • 0x4359d:$x1: NanoCore.ClientPluginHost
  • 0x761bd:$x1: NanoCore.ClientPluginHost
  • 0x107ba:$x2: IClientNetworkHost
  • 0x435da:$x2: IClientNetworkHost
  • 0x761fa:$x2: IClientNetworkHost
  • 0x142ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x4710d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x79d2d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0x104e5:$a: NanoCore
    • 0x104f5:$a: NanoCore
    • 0x10729:$a: NanoCore
    • 0x1073d:$a: NanoCore
    • 0x1077d:$a: NanoCore
    • 0x43305:$a: NanoCore
    • 0x43315:$a: NanoCore
    • 0x43549:$a: NanoCore
    • 0x4355d:$a: NanoCore
    • 0x4359d:$a: NanoCore
    • 0x75f25:$a: NanoCore
    • 0x75f35:$a: NanoCore
    • 0x76169:$a: NanoCore
    • 0x7617d:$a: NanoCore
    • 0x761bd:$a: NanoCore
    • 0x10544:$b: ClientPlugin
    • 0x10746:$b: ClientPlugin
    • 0x10786:$b: ClientPlugin
    • 0x43364:$b: ClientPlugin
    • 0x43566:$b: ClientPlugin
    • 0x435a6:$b: ClientPlugin
Process Memory Space: Copy#.exe PID: 6408 | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x494101:$x1: NanoCore.ClientPluginHost
    • 0x4b30f7:$x1: NanoCore.ClientPluginHost
    • 0x4d1ffe:$x1: NanoCore.ClientPluginHost
    • 0x494162:$x2: IClientNetworkHost
    • 0x4b3158:$x2: IClientNetworkHost
    • 0x4d205f:$x2: IClientNetworkHost
    • 0x499567:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x4a74d9:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x4b855d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x4c64cf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x4d7464:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x4e53d6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Copy#.exe PID: 6408 | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.Copy#.exe.660b410.8.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x42dad:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x42dea:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      • 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.Copy#.exe.660b410.8.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
      • 0xff05:$x1: NanoCore Client.exe
      • 0x42b25:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x42dad:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x443e6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x443da:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x4528b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x4b042:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
      • 0x42dd7:$s5: IClientLoggingHost
1.2.Copy#.exe.660b410.8.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
1.2.Copy#.exe.660b410.8.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
        • 0xfef5:$a: NanoCore
        • 0xff05:$a: NanoCore
        • 0x10139:$a: NanoCore
        • 0x1014d:$a: NanoCore
        • 0x1018d:$a: NanoCore
        • 0x42b15:$a: NanoCore
        • 0x42b25:$a: NanoCore
        • 0x42d59:$a: NanoCore
        • 0x42d6d:$a: NanoCore
        • 0x42dad:$a: NanoCore
        • 0xff54:$b: ClientPlugin
        • 0x10156:$b: ClientPlugin
        • 0x10196:$b: ClientPlugin
        • 0x42b74:$b: ClientPlugin
        • 0x42d76:$b: ClientPlugin
        • 0x42db6:$b: ClientPlugin
        • 0x1007b:$c: ProjectData
        • 0x42c9b:$c: ProjectData
        • 0x10a82:$d: DESCrypto
        • 0x436a2:$d: DESCrypto
        • 0x1844e:$e: KeepAlive
1.2.Copy#.exe.65d85f0.9.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
        • 0xe38d:$x1: NanoCore.ClientPluginHost
        • 0xe3ca:$x2: IClientNetworkHost
        • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\Copy#.exe, ProcessId: 6748, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\Copy#.exe, ProcessId: 6748, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\Copy#.exe, ProcessId: 6748, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\Copy#.exe, ProcessId: 6748, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 1.2.Copy#.exe.660b410.8.raw.unpack; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "1db8cd6c-75e8-4b3e-9da8-7094ff2f", "Group": "LOG101", "Domain1": "103.28.70.172", "Domain2": "103.28.70.172", "Port": 34217, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}
Yara detected Nanocore RAT
Source: Yara match; File source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY
Source: Yara match; File source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Copy#.exe; Joe Sandbox ML: detected
Source: Copy#.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49727 -> 103.28.70.172:34217
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49728 -> 103.28.70.172:34217
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49729 -> 103.28.70.172:34217
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49733 -> 103.28.70.172:34217
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49734 -> 103.28.70.172:34217
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49735 -> 103.28.70.172:34217
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49741 -> 103.28.70.172:34217
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49747 -> 103.28.70.172:34217
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49755 -> 103.28.70.172:34217
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49756 -> 103.28.70.172:34217
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49757 -> 103.28.70.172:34217
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49761 -> 103.28.70.172:34217
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49762 -> 103.28.70.172:34217
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49765 -> 103.28.70.172:34217
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49766 -> 103.28.70.172:34217
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49767 -> 103.28.70.172:34217
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49768 -> 103.28.70.172:34217
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: 103.28.70.172
Connects to many ports of the same IP (likely port scanning)
Source: global traffic; TCP traffic: 103.28.70.172 ports 34217,1,2,3,4,7
Source: global traffic; TCP traffic: 192.168.2.6:49727 -> 103.28.70.172:34217
Source: Joe Sandbox View; ASN Name: HVC-ASUS HVC-ASUS
Source: unknown; TCP traffic detected without corresponding DNS query: 103.28.70.172 (reported 50 times)

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY
Source: Yara match; File source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\Copy#.exe; Code function: 1_2_013745F0
Source: C:\Users\user\Desktop\Copy#.exe; Code function: 1_2_01370490
Source: C:\Users\user\Desktop\Copy#.exe; Code function: 1_2_01373808
Source: C:\Users\user\Desktop\Copy#.exe; Code function: 1_2_01372BC8
Source: C:\Users\user\Desktop\Copy#.exe; Code function: 1_2_0137AEB3
Source: Copy#.exe, 00000001.00000002.380342730.0000000006424000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSHIT.dll* vs Copy#.exe
Source: Copy#.exe, 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameEnjq Gqh.exe2 vs Copy#.exe
Source: Copy#.exe, 00000001.00000000.340758822.0000000000930000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenamehilal.exe, vs Copy#.exe
Source: Copy#.exe, 00000004.00000000.356924223.00000000003F0000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenamehilal.exe, vs Copy#.exe
Source: Copy#.exe, 00000006.00000003.373150693.0000000001436000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Copy#.exe
Source: Copy#.exe, 00000006.00000000.359234712.0000000000F10000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenamehilal.exe, vs Copy#.exe
Source: Copy#.exe; Binary or memory string: OriginalFilenamehilal.exe, vs Copy#.exe
Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine; Classification label: mal100.troj.evad.winEXE@5/5@0/1
Source: C:\Users\user\Desktop\Copy#.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Copy#.exe.log
Source: C:\Users\user\Desktop\Copy#.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\{1db8cd6c-75e8-4b3e-9da8-7094ff2fbff5}
Source: Copy#.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Copy#.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (reported 2 times)
Source: C:\Users\user\Desktop\Copy#.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Copy#.exe; File read: C:\Users\user\Desktop\Copy#.exe
Source: unknown; Process created: C:\Users\user\Desktop\Copy#.exe 'C:\Users\user\Desktop\Copy#.exe'
Source: C:\Users\user\Desktop\Copy#.exe; Process created: C:\Users\user\Desktop\Copy#.exe C:\Users\user\Desktop\Copy#.exe (reported 4 times)
Source: C:\Users\user\Desktop\Copy#.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\Copy#.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Copy#.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Copy#.exe; Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Copy#.exe; Static file information: File size 1822208 > 1048576
Source: Copy#.exe; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1bc400
Source: Copy#.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Copy#.exe; Static PE information: 0x84B8EC41 [Tue Jul 24 03:00:17 2040 UTC]
Source: C:\Users\user\Desktop\Copy#.exe; Code function: 1_2_013770CA push esp; retf 1_2_013770CB

        Hooking and other Techniques for Hiding and Protection:

        barindex
        Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
        Source: C:\Users\user\Desktop\Copy#.exeFile opened: C:\Users\user\Desktop\Copy#.exe:Zone.Identifier read attributes | deleteJump to behavior
        Source: C:\Users\user\Desktop\Copy#.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
        Source: C:\Users\user\Desktop\Copy#.exe -- Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Copy#.exe -- Code function: 1_2_01373777 rdtsc 1_2_01373777
        Source: C:\Users\user\Desktop\Copy#.exe -- Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\Copy#.exe -- Window / User API: threadDelayed 3668
        Source: C:\Users\user\Desktop\Copy#.exe -- Window / User API: threadDelayed 5788
        Source: C:\Users\user\Desktop\Copy#.exe -- Window / User API: foregroundWindowGot 734
        Source: C:\Users\user\Desktop\Copy#.exe -- Window / User API: foregroundWindowGot 651
        Source: C:\Users\user\Desktop\Copy#.exe TID: 6488 -- Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Copy#.exe TID: 6812 -- Thread sleep time: -20291418481080494s >= -30000s
        Source: Copy#.exe, 00000006.00000003.410269307.000000000141E000.00000004.00000001.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJJ<)
        Source: C:\Users\user\Desktop\Copy#.exe -- Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\Copy#.exe -- Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Copy#.exe -- Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign process
        Source: C:\Users\user\Desktop\Copy#.exe -- Memory written: C:\Users\user\Desktop\Copy#.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\Copy#.exe -- Process created: C:\Users\user\Desktop\Copy#.exe C:\Users\user\Desktop\Copy#.exe
        Source: C:\Users\user\Desktop\Copy#.exe -- Queries volume information: C:\Users\user\Desktop\Copy#.exe VolumeInformation
        Source: C:\Users\user\Desktop\Copy#.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\Copy#.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\Copy#.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\Copy#.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\Copy#.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\Desktop\Copy#.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\Copy#.exe -- WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Copy#.exe -- WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Copy#.exe -- WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match -- File source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match -- File source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY
        Source: Yara match -- File source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: Copy#.exe, 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp -- String found in binary or memory: NanoCore.ClientPluginHost
        Source: Copy#.exe, 00000006.00000003.373150693.0000000001436000.00000004.00000001.sdmp -- String found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RAT
        Source: Yara match -- File source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match -- File source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY
        Source: Yara match -- File source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation (1) | Path Interception | Process Injection (1 1 1) | Masquerading (1) | OS Credential Dumping | Query Registry (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | LSASS Memory | Security Software Discovery (2 1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (2 1) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (1 1 1) | NTDS | Virtualization/Sandbox Evasion (2 1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (1) | SIM Card Swap | Carrier Billing Fraud |
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories (1) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (1) | Cached Domain Credentials | System Information Discovery (1 2) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Timestomp (1) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner
        Copy#.exe | 100% | Joe Sandbox ML

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
        103.28.70.172 | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        No contacted domains info

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        103.28.70.172 | true | Avira URL Cloud: safe | unknown

        Contacted IPs

        Public

        IP | Domain | Country | ASN | ASN Name | Malicious
        103.28.70.172 | unknown | United States | 29802 | HVC-ASUS | true

        General Information

        Joe Sandbox Version: 32.0.0 Black Diamond
        Analysis ID: 403760
        Start date: 04.05.2021
        Start time: 11:44:31
        Joe Sandbox Product: CloudBasic
        Overall analysis duration: 0h 8m 8s
        Hypervisor based Inspection enabled: false
        Report type: full
        Sample file name: Copy#.exe
        Cookbook file name: default.jbs
        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of new started processes analysed: 25
        Number of new started drivers analysed: 0
        Number of existing processes analysed: 0
        Number of existing drivers analysed: 0
        Number of injected processes analysed: 0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode: default
        Analysis stop reason: Timeout
        Detection: MAL
        Classification: mal100.troj.evad.winEXE@5/5@0/1
        EGA Information: Failed
        HDC Information: Failed
        HCA Information:
        • Successful, ratio: 99%
        • Number of executed functions: 17
        • Number of non-executed functions: 1
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found application associated with file extension: .exe
        Warnings:
        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
        • Report size getting too big, too many NtAllocateVirtualMemory calls found.

        Simulations

        Behavior and APIs

        Time | Type | Description
        11:45:39 | API Interceptor | 953x Sleep call for process: Copy#.exe modified

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASN

        Match | Associated Sample Name / URL | Detection | Context
        HVC-ASUS | 4GGwmv0AJm.exe | malicious | 209.133.204.58
        HVC-ASUS | 10ba8cb2_by_Libranalysis.exe | malicious | 23.227.206.170
        HVC-ASUS | Invoice_7418340.xlsm | malicious | 104.156.58.59
        HVC-ASUS | 2019-07-05-password-protected-Word-doc-with-macro-for-follow-up-malware1.docm | malicious | 23.111.174.152
        HVC-ASUS | aa6281eb-a31c-4e8b-a2c6-c5c03fdcbe57.exe | malicious | 46.21.153.81
        HVC-ASUS | SA-NQAW12n-NC9W03-pdf.exe | malicious | 209.133.204.115
        HVC-ASUS | o52k2obPCG.exe | malicious | 66.206.3.38
        HVC-ASUS | pCkqlKXv05.exe | malicious | 66.206.3.38
        HVC-ASUS | CNTR-NO-GLDU7267089.xlsx | malicious | 209.133.204.115
        HVC-ASUS | 9MZjR5LtAj.exe | malicious | 46.21.153.183
        HVC-ASUS | Audio playback (5608701) for jsmith Nmaiom.htm | malicious | 66.206.10.106
        HVC-ASUS | Sales Invoice no5283.exe | malicious | 209.133.204.250
        HVC-ASUS | ORDER.exe | malicious | 104.156.59.2
        HVC-ASUS | 2019-07-05-password-protected-Word-doc-with-macro-for-follow-up-malware.docm | malicious | 23.111.174.152

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Copy#.exe.log
        Process: C:\Users\user\Desktop\Copy#.exe
        File Type: ASCII text, with CRLF line terminators
        Category: dropped
        Size (bytes): 1039
        Entropy (8bit): 5.365622957937216
        Encrypted: false
        SSDEEP: 24:MLUE4Ko84qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MIHKov2HKXwYHKhQnoPtHoxHhAHKzva
        MD5: 338D0004A254F4F1EB5A622B3FAF7E88
        SHA1: 9583DBB0574416109507127BF9B8E153690B8C46
        SHA-256: 3A7D5065DF406B210D72D7A927C2DE7F5A6F83B286D2C9915EDEB9A055C8C9D8
        SHA-512: AD33C713AD2DEDDCA9A5E0ACFB0569EBA3D817AC938628DCA17194A7B5842A93A5A8D6EC9F7B587203B2C844F823576EF5570363FEFE8C84CCA182456A188068
        Malicious: true
        Reputation: moderate, very likely benign file
        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b880
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
        Process: C:\Users\user\Desktop\Copy#.exe
        File Type: data
        Category: dropped
        Size (bytes): 1856
        Entropy (8bit): 7.024371743172393
        Encrypted: false
        SSDEEP: 48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCr
        MD5: 838CD9DBC78EA45A5406EAE23962086D
        SHA1: C8273AACDEE03AC0CDCDDBAA83F51D04D6A4203C
        SHA-256: 6E11A62511C5BBC0413128305069B780C448684B54FAA3E8DD0B4FD3DB8C9867
        SHA-512: F7D25EF1FA6F50667DD6785CC774E0AA6BC52A2231FE96E7C59D14EFDFDDA076F6399288CF6EAC8EFA8A75727893432AA155DA0E392F8CD1F26C5C5871EAC6B5
        Malicious: false
        Reputation: moderate, very likely benign file
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
        Process: C:\Users\user\Desktop\Copy#.exe
        File Type: data
        Category: dropped
        Size (bytes): 8
        Entropy (8bit): 3.0
        Encrypted: false
        SSDEEP: 3:bk8t:bk8
        MD5: 5B00DB96B89970CBDDCAEBBFA6AD4D58
        SHA1: B08F9D9D8C046B29B4A560E33D88F67C2F571FB4
        SHA-256: D7C9437C80F95CCABB2F6BB0F20C3D098C2483BD3E1001026D52A4E73E1F3A69
        SHA-512: BA711E04C1443EF1F360B3F6D4765022B22FD5B83ED6109B19CFEDCC8BE5013B8FA473AF4F265DD62C4BA037E171966E33A714ED22123D0FABDA751E81617F0A
        Malicious: true
        Reputation: low
        Preview: 2y..,..H
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
        Process: C:\Users\user\Desktop\Copy#.exe
        File Type: data
        Category: dropped
        Size (bytes): 40
        Entropy (8bit): 5.153055907333276
        Encrypted: false
        SSDEEP: 3:9bzY6oRDT6P2bfVn1:RzWDT621
        MD5: 4E5E92E2369688041CC82EF9650EDED2
        SHA1: 15E44F2F3194EE232B44E9684163B6F66472C862
        SHA-256: F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
        SHA-512: 1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
        Malicious: false
        Reputation: moderate, very likely benign file
        Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
        Process: C:\Users\user\Desktop\Copy#.exe
        File Type: data
        Category: dropped
        Size (bytes): 327432
        Entropy (8bit): 7.99938831605763
        Encrypted: true
        SSDEEP: 6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
        MD5: 7E8F4A764B981D5B82D1CC49D341E9C6
        SHA1: D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
        SHA-256: 0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
        SHA-512: 880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
        Malicious: false
        Reputation: moderate, very likely benign file
        Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7

        Static File Info

        General

        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
        Entropy (8bit):2.6067081010007884
        TrID:
        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
        • Win32 Executable (generic) a (10002005/4) 49.97%
        • Generic Win/DOS Executable (2004/3) 0.01%
        • DOS Executable Generic (2002/1) 0.01%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:Copy#.exe
        File size:1822208
        MD5:af64699ae611bd9008f11e0a087c4947
        SHA1:42ffd0c3e267a347ec09a176fd81556bd5cd39b7
        SHA256:501a63b52b27b41d2f100a37d38b3b5961b8e18298ed32104c7fc2323150eb5c
        SHA512:ef23ff92afe2cb384bc978571d8e9247e611a39964002f277194fce46ec7e00d4583457d764c04ee0c62fe5c74266c79d22b92bff2d280711ff75bc774da2ad3
        SSDEEP:1536:aNEeB7PsACQwI9VaCVH/9/bT+xCsYnuW/mnPFJFWMszcazNLHLUOLlSKoaczzQ3O:a4
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A............."...0.................. ........@.. .......................@............@................................

        File Icon

        Icon Hash:00828e8e8686b000

        Static PE Info

        General

        Entrypoint:0x5be39e
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Time Stamp:0x84B8EC41 [Tue Jul 24 03:00:17 2040 UTC]
        TLS Callbacks:
        CLR (.Net) Version:v4.0.30319
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

        Entrypoint Preview

        Instruction
        jmp dword ptr [00402000h]
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al

        Data Directories

        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1be34c | 0x4f | .text
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c0000 | 0x588 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1c2000 | 0xc | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

        Sections

        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x2000 | 0x1bc3a4 | 0x1bc400 | False | 0.197133181802 | data | 2.60174795099 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        .rsrc | 0x1c0000 | 0x588 | 0x600 | False | 0.410807291667 | data | 4.01119485706 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc | 0x1c2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

        Resources

        Name | RVA | Size | Type | Language | Country
        RT_VERSION | 0x1c00a0 | 0x2fc | data | |
        RT_MANIFEST | 0x1c039c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

        Imports

        DLL | Import
        mscoree.dll | _CorExeMain

        Version Infos

        Description | Data
        Translation | 0x0000 0x04b0
        LegalCopyright | Copyright 2021
        Assembly Version | 1.0.0.0
        InternalName | hilal.exe
        FileVersion | 1.0.0.0
        CompanyName |
        LegalTrademarks |
        Comments |
        ProductName | hilal
        ProductVersion | 1.0.0.0
        FileDescription | hilal
        OriginalFilename | hilal.exe

        Network Behavior

        Snort IDS Alerts

        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
        05/04/21-11:45:20.216550 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:45:20.251641 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 84.17.52.126 | 192.168.2.6
        05/04/21-11:45:20.252957 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:45:20.290010 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 149.11.89.129 | 192.168.2.6
        05/04/21-11:45:20.290792 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:45:20.326598 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.49.165 | 192.168.2.6
        05/04/21-11:45:20.327880 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:45:20.368915 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.0.18 | 192.168.2.6
        05/04/21-11:45:20.369301 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:45:20.415972 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 154.54.36.53 | 192.168.2.6
        05/04/21-11:45:20.416454 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:45:20.463203 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 154.54.56.190 | 192.168.2.6
        05/04/21-11:45:20.465748 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:45:20.517708 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 4.68.37.93 | 192.168.2.6
        05/04/21-11:45:20.519187 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:45:24.405819 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:45:28.376610 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:45:32.375204 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:45:36.375067 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:45:40.375462 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:45:40.708307 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        05/04/21-11:45:44.966234 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:45:46.949912 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49728 | 34217 | 192.168.2.6 | 103.28.70.172
        05/04/21-11:45:48.876287 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:45:52.876793 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:45:53.291825 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49729 | 34217 | 192.168.2.6 | 103.28.70.172
        05/04/21-11:45:56.877127 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:46:00.232140 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49733 | 34217 | 192.168.2.6 | 103.28.70.172
        05/04/21-11:46:00.877289 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:46:04.877847 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:46:06.218768 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49734 | 34217 | 192.168.2.6 | 103.28.70.172
        05/04/21-11:46:08.877883 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:46:12.885400 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:46:13.320081 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49735 | 34217 | 192.168.2.6 | 103.28.70.172
        05/04/21-11:46:16.939440 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:46:20.878971 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:46:21.203480 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49741 | 34217 | 192.168.2.6 | 103.28.70.172
        05/04/21-11:46:24.879134 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:46:28.187827 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49747 | 34217 | 192.168.2.6 | 103.28.70.172
        05/04/21-11:46:28.879333 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:46:32.881672 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:46:34.320243 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49755 | 34217 | 192.168.2.6 | 103.28.70.172
        05/04/21-11:46:37.133642 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:46:40.880997 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:46:42.572436 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49756 | 34217 | 192.168.2.6 | 103.28.70.172
        05/04/21-11:46:44.880830 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:46:48.880948 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:46:49.372542 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49757 | 34217 | 192.168.2.6 | 103.28.70.172
        05/04/21-11:46:52.981836 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:46:55.739945 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49761 | 34217 | 192.168.2.6 | 103.28.70.172
        05/04/21-11:46:56.882094 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:47:00.881964 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:47:01.735251 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49762 | 34217 | 192.168.2.6 | 103.28.70.172
        05/04/21-11:47:04.885279 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:47:08.886615 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:47:09.147477 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49765 | 34217 | 192.168.2.6 | 103.28.70.172
        05/04/21-11:47:12.884610 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:47:16.614552 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49766 | 34217 | 192.168.2.6 | 103.28.70.172
        05/04/21-11:47:16.884827 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:47:20.885348 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:47:23.325523 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49767 | 34217 | 192.168.2.6 | 103.28.70.172
        05/04/21-11:47:24.886380 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:47:28.885885 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:47:30.326704 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49768 | 34217 | 192.168.2.6 | 103.28.70.172
        05/04/21-11:47:32.888742 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121
        05/04/21-11:47:36.886809 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.253.207.121

        Network Port Distribution

        TCP Packets

        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        May 4, 2021 11:45:40.494663000 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:40.661083937 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:40.663245916 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:40.708307028 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:40.887003899 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:40.911681890 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.080354929 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.102931976 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.323589087 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.323632956 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.323657036 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.323682070 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.323712111 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.323748112 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.490267038 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.490307093 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.490331888 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.490355015 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.490372896 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.490380049 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.490406036 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.490417004 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.490428925 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.490452051 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.490464926 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.490500927 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.659442902 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.659480095 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.659507036 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.659532070 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.659539938 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.659557104 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.659581900 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.659605980 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.659632921 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.659657001 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.659658909 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.659683943 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.659684896 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.659709930 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.659720898 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.659734964 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.659759045 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.659769058 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.659782887 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.659806013 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.659832001 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.659833908 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.659878969 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.673305988 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.828501940 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.828531027 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.828550100 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.828569889 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.828588009 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.828607082 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.828624964 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.828648090 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.828654051 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.828681946 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.828701973 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.828711987 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.828711987 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.828738928 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.828758955 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.828768969 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.828787088 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.828809977 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.828810930 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.828835011 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.828845978 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.828866005 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.828888893 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.828897953 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.828915119 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.828938007 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.828952074 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.828958035 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.828965902 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.828986883 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.828999043 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.829014063 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.829020023 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.829041958 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.829056978 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.829071045 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.829080105 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.829101086 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.829104900 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.829128027 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.829128981 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.829150915 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.829170942 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.829184055 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.829189062 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.829200983 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.829202890 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.829227924 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.829236984 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.829256058 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.829258919 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.829276085 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.829283953 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.829340935 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.903727055 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.995735884 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.995807886 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.995846033 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.995879889 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.995914936 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.995949030 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.995950937 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.995985031 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.996012926 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.996057987 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.996098042 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.996154070 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.996243954 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.996290922 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.996330023 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.996356010 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.996364117 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.996400118 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.996401072 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.996429920 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.996485949 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.996495962 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.996539116 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.996577024 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.996609926 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.996612072 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.996639967 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.996666908 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.996695995 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.996753931 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.996784925 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.996797085 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.996855974 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.996864080 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.996898890 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.996958971 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.996993065 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.997066021 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.997103930 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.997145891 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.997149944 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.997210026 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.997220993 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.997246027 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.997281075 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.997315884 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.997318983 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.997350931 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.997379065 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.997411966 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.997489929 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.997528076 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.997564077 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.997596979 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.997625113 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.997626066 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.997653008 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.997688055 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.997689962 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.997733116 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.997755051 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.997792006 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.997813940 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.997828007 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.997879982 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.997899055 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:41.997917891 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:41.997977972 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.165591002 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.165678978 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.165749073 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.165792942 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.165806055 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.165867090 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.165925980 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.165965080 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.165997982 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.166132927 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.166197062 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.166254044 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.166285038 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.166312933 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.166373014 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.166433096 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.166493893 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.166495085 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.166498899 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.166551113 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.166615009 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.166654110 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.166677952 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.166740894 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.166800022 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.166837931 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.166857958 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.166889906 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.166913033 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.166975975 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.167009115 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.167032003 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.167094946 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.167152882 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.167186022 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.167207956 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.167237043 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.167262077 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.167318106 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.167375088 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.167407990 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.167432070 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.167467117 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.167489052 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.167555094 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.167608023 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.167646885 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.167668104 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.167721033 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.167728901 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.167789936 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.167821884 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.167855024 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.167912960 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.167952061 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.167977095 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.168035984 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.168073893 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.168092012 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.168149948 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.168207884 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.168241024 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.168263912 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.168329000 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.168368101 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.168389082 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.168427944 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.168447018 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.168504953 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.168560028 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.168790102 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.332217932 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.332246065 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.332263947 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.332279921 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.332295895 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.332313061 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.332330942 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.332385063 CEST | 49727 | 34217 | 192.168.2.6 | 103.28.70.172
        May 4, 2021 11:45:42.334887028 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.334909916 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.334928989 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.334948063 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.334964037 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.334980011 CEST | 34217 | 49727 | 103.28.70.172 | 192.168.2.6
        May 4, 2021 11:45:42.334995985 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335010052 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.335012913 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335030079 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.335031986 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335048914 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335067987 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335086107 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335097075 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.335103035 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335119009 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335135937 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335150957 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335161924 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.335167885 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335181952 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335190058 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.335195065 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335208893 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335220098 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.335222006 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335238934 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335256100 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.335258007 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335262060 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.335277081 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335292101 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335304976 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335330009 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.335367918 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.335469007 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.335472107 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335493088 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335511923 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335529089 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335536957 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.335546017 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335562944 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335578918 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335592031 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.335596085 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335613012 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335623980 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.335689068 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335716009 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335733891 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335757017 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.335779905 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335784912 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.335797071 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335810900 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.335814953 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335832119 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.335861921 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.335913897 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.498650074 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.498681068 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.498694897 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.498711109 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.498723984 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.498743057 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.498755932 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.498759985 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.498775959 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.498792887 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.498809099 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.498816967 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.498826027 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.498842001 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.498851061 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.498903990 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.498923063 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.502551079 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502576113 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502592087 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502613068 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502631903 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502645969 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.502649069 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502665997 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502682924 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502698898 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502707005 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.502717018 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502734900 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502747059 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.502754927 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502763033 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.502774000 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502790928 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502806902 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502823114 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502830982 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.502839088 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502856970 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502865076 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.502875090 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502882957 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.502896070 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502913952 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502921104 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.502931118 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502948046 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502952099 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.502964973 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502980947 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.502986908 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.502998114 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503015041 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503035069 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503041983 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.503052950 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503068924 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503078938 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.503084898 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503092051 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.503102064 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503118038 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503133059 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503139973 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.503149033 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503169060 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503173113 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.503186941 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503204107 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503211021 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.503220081 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503226995 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.503237009 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503252983 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503258944 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.503269911 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503285885 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503295898 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.503304958 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503323078 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503329992 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.503339052 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503355026 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503361940 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.503370047 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503386021 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503392935 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.503401995 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503417969 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503426075 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.503437996 CEST3421749727103.28.70.172192.168.2.6
        May 4, 2021 11:45:42.503439903 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.505779982 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:42.707007885 CEST4972734217192.168.2.6103.28.70.172
        May 4, 2021 11:45:46.782946110 CEST4972834217192.168.2.6103.28.70.172
        May 4, 2021 11:45:46.948781967 CEST3421749728103.28.70.172192.168.2.6
        May 4, 2021 11:45:46.948941946 CEST4972834217192.168.2.6103.28.70.172
        May 4, 2021 11:45:46.949912071 CEST4972834217192.168.2.6103.28.70.172
        May 4, 2021 11:45:47.126717091 CEST3421749728103.28.70.172192.168.2.6
        May 4, 2021 11:45:47.131184101 CEST4972834217192.168.2.6103.28.70.172
        May 4, 2021 11:45:47.357045889 CEST3421749728103.28.70.172192.168.2.6
        May 4, 2021 11:45:47.357142925 CEST4972834217192.168.2.6103.28.70.172
        May 4, 2021 11:45:47.525027037 CEST3421749728103.28.70.172192.168.2.6
        May 4, 2021 11:45:47.526530981 CEST4972834217192.168.2.6103.28.70.172
        May 4, 2021 11:45:47.748166084 CEST3421749728103.28.70.172192.168.2.6
        May 4, 2021 11:45:47.841115952 CEST3421749728103.28.70.172192.168.2.6
        May 4, 2021 11:45:47.894859076 CEST4972834217192.168.2.6103.28.70.172
        May 4, 2021 11:45:48.057915926 CEST4972834217192.168.2.6103.28.70.172
        May 4, 2021 11:45:48.060477972 CEST3421749728103.28.70.172192.168.2.6
        May 4, 2021 11:45:48.109833002 CEST4972834217192.168.2.6103.28.70.172
        May 4, 2021 11:45:48.279032946 CEST3421749728103.28.70.172192.168.2.6
        May 4, 2021 11:45:48.296478033 CEST4972834217192.168.2.6103.28.70.172
        May 4, 2021 11:45:48.529182911 CEST3421749728103.28.70.172192.168.2.6
        May 4, 2021 11:45:48.529293060 CEST4972834217192.168.2.6103.28.70.172
        May 4, 2021 11:45:48.695689917 CEST3421749728103.28.70.172192.168.2.6
        May 4, 2021 11:45:48.707930088 CEST4972834217192.168.2.6103.28.70.172
        May 4, 2021 11:45:48.873886108 CEST3421749728103.28.70.172192.168.2.6
        May 4, 2021 11:45:48.884434938 CEST4972834217192.168.2.6103.28.70.172
        May 4, 2021 11:45:49.006725073 CEST4972834217192.168.2.6103.28.70.172
        May 4, 2021 11:45:49.092782974 CEST3421749728103.28.70.172192.168.2.6
        May 4, 2021 11:45:49.092854023 CEST4972834217192.168.2.6103.28.70.172
        May 4, 2021 11:45:53.125206947 CEST4972934217192.168.2.6103.28.70.172
        May 4, 2021 11:45:53.290978909 CEST3421749729103.28.70.172192.168.2.6
        May 4, 2021 11:45:53.291093111 CEST4972934217192.168.2.6103.28.70.172
        May 4, 2021 11:45:53.291825056 CEST4972934217192.168.2.6103.28.70.172
        May 4, 2021 11:45:53.468472958 CEST3421749729103.28.70.172192.168.2.6
        May 4, 2021 11:45:53.468816042 CEST4972934217192.168.2.6103.28.70.172
        May 4, 2021 11:45:53.636511087 CEST3421749729103.28.70.172192.168.2.6
        May 4, 2021 11:45:53.639693975 CEST4972934217192.168.2.6103.28.70.172
        May 4, 2021 11:45:53.852684975 CEST3421749729103.28.70.172192.168.2.6
        May 4, 2021 11:45:53.946547031 CEST3421749729103.28.70.172192.168.2.6
        May 4, 2021 11:45:53.950025082 CEST4972934217192.168.2.6103.28.70.172
        May 4, 2021 11:45:54.175702095 CEST3421749729103.28.70.172192.168.2.6
        May 4, 2021 11:45:54.175853014 CEST4972934217192.168.2.6103.28.70.172
        May 4, 2021 11:45:54.342911005 CEST3421749729103.28.70.172192.168.2.6
        May 4, 2021 11:45:54.343274117 CEST4972934217192.168.2.6103.28.70.172
        May 4, 2021 11:45:54.510888100 CEST3421749729103.28.70.172192.168.2.6
        May 4, 2021 11:45:54.511044025 CEST4972934217192.168.2.6103.28.70.172
        May 4, 2021 11:45:54.680383921 CEST3421749729103.28.70.172192.168.2.6
        May 4, 2021 11:45:54.735276937 CEST4972934217192.168.2.6103.28.70.172
        May 4, 2021 11:45:54.905325890 CEST3421749729103.28.70.172192.168.2.6
        May 4, 2021 11:45:54.951702118 CEST4972934217192.168.2.6103.28.70.172
        May 4, 2021 11:45:55.034761906 CEST4972934217192.168.2.6103.28.70.172
        May 4, 2021 11:45:55.262286901 CEST3421749729103.28.70.172192.168.2.6
        May 4, 2021 11:45:56.048330069 CEST4972934217192.168.2.6103.28.70.172
        May 4, 2021 11:46:00.065324068 CEST4973334217192.168.2.6103.28.70.172
        May 4, 2021 11:46:00.231087923 CEST3421749733103.28.70.172192.168.2.6
        May 4, 2021 11:46:00.231297016 CEST4973334217192.168.2.6103.28.70.172
        May 4, 2021 11:46:00.232140064 CEST4973334217192.168.2.6103.28.70.172
        May 4, 2021 11:46:00.406559944 CEST3421749733103.28.70.172192.168.2.6
        May 4, 2021 11:46:00.406938076 CEST4973334217192.168.2.6103.28.70.172
        May 4, 2021 11:46:00.572952032 CEST3421749733103.28.70.172192.168.2.6
        May 4, 2021 11:46:00.574707985 CEST4973334217192.168.2.6103.28.70.172
        May 4, 2021 11:46:00.808065891 CEST3421749733103.28.70.172192.168.2.6
        May 4, 2021 11:46:00.868261099 CEST3421749733103.28.70.172192.168.2.6
        May 4, 2021 11:46:00.897713900 CEST4973334217192.168.2.6103.28.70.172
        May 4, 2021 11:46:01.063591957 CEST3421749733103.28.70.172192.168.2.6
        May 4, 2021 11:46:01.063766956 CEST4973334217192.168.2.6103.28.70.172
        May 4, 2021 11:46:01.277040005 CEST3421749733103.28.70.172192.168.2.6
        May 4, 2021 11:46:01.277204990 CEST4973334217192.168.2.6103.28.70.172
        May 4, 2021 11:46:01.443124056 CEST3421749733103.28.70.172192.168.2.6
        May 4, 2021 11:46:01.658205032 CEST4973334217192.168.2.6103.28.70.172
        May 4, 2021 11:46:01.825678110 CEST3421749733103.28.70.172192.168.2.6
        May 4, 2021 11:46:01.832987070 CEST4973334217192.168.2.6103.28.70.172
        May 4, 2021 11:46:02.037776947 CEST4973334217192.168.2.6103.28.70.172
        May 4, 2021 11:46:06.050376892 CEST4973434217192.168.2.6103.28.70.172
        May 4, 2021 11:46:06.218034029 CEST3421749734103.28.70.172192.168.2.6
        May 4, 2021 11:46:06.218112946 CEST4973434217192.168.2.6103.28.70.172
        May 4, 2021 11:46:06.218767881 CEST4973434217192.168.2.6103.28.70.172
        May 4, 2021 11:46:06.394413948 CEST3421749734103.28.70.172192.168.2.6
        May 4, 2021 11:46:06.394741058 CEST4973434217192.168.2.6103.28.70.172
        May 4, 2021 11:46:06.560857058 CEST3421749734103.28.70.172192.168.2.6
        May 4, 2021 11:46:06.562064886 CEST4973434217192.168.2.6103.28.70.172
        May 4, 2021 11:46:06.777594090 CEST3421749734103.28.70.172192.168.2.6
        May 4, 2021 11:46:06.867917061 CEST3421749734103.28.70.172192.168.2.6
        May 4, 2021 11:46:06.869290113 CEST4973434217192.168.2.6103.28.70.172
        May 4, 2021 11:46:07.035563946 CEST3421749734103.28.70.172192.168.2.6
        May 4, 2021 11:46:07.035648108 CEST4973434217192.168.2.6103.28.70.172
        May 4, 2021 11:46:07.259383917 CEST3421749734103.28.70.172192.168.2.6
        May 4, 2021 11:46:07.260318995 CEST4973434217192.168.2.6103.28.70.172
        May 4, 2021 11:46:07.426536083 CEST3421749734103.28.70.172192.168.2.6
        May 4, 2021 11:46:07.470791101 CEST4973434217192.168.2.6103.28.70.172
        May 4, 2021 11:46:07.636590004 CEST3421749734103.28.70.172192.168.2.6
        May 4, 2021 11:46:07.689528942 CEST4973434217192.168.2.6103.28.70.172
        May 4, 2021 11:46:08.019167900 CEST4973434217192.168.2.6103.28.70.172
        May 4, 2021 11:46:08.247242928 CEST3421749734103.28.70.172192.168.2.6
        May 4, 2021 11:46:09.034097910 CEST4973434217192.168.2.6103.28.70.172
        May 4, 2021 11:46:13.101078033 CEST4973534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:13.267443895 CEST3421749735103.28.70.172192.168.2.6
        May 4, 2021 11:46:13.267826080 CEST4973534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:13.320080996 CEST4973534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:13.496292114 CEST3421749735103.28.70.172192.168.2.6
        May 4, 2021 11:46:13.498230934 CEST4973534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:13.664177895 CEST3421749735103.28.70.172192.168.2.6
        May 4, 2021 11:46:13.668524981 CEST4973534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:13.896138906 CEST3421749735103.28.70.172192.168.2.6
        May 4, 2021 11:46:13.956926107 CEST3421749735103.28.70.172192.168.2.6
        May 4, 2021 11:46:14.002643108 CEST4973534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:14.137296915 CEST4973534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:14.168540955 CEST3421749735103.28.70.172192.168.2.6
        May 4, 2021 11:46:14.169245958 CEST4973534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:14.335062981 CEST3421749735103.28.70.172192.168.2.6
        May 4, 2021 11:46:14.337426901 CEST4973534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:14.504559994 CEST3421749735103.28.70.172192.168.2.6
        May 4, 2021 11:46:14.549448967 CEST4973534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:14.666063070 CEST4973534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:14.715387106 CEST3421749735103.28.70.172192.168.2.6
        May 4, 2021 11:46:14.768259048 CEST4973534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:14.880565882 CEST3421749735103.28.70.172192.168.2.6
        May 4, 2021 11:46:15.168106079 CEST4973534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:15.396131039 CEST3421749735103.28.70.172192.168.2.6
        May 4, 2021 11:46:16.350682020 CEST4973534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:21.035976887 CEST4974134217192.168.2.6103.28.70.172
        May 4, 2021 11:46:21.202408075 CEST3421749741103.28.70.172192.168.2.6
        May 4, 2021 11:46:21.202533960 CEST4974134217192.168.2.6103.28.70.172
        May 4, 2021 11:46:21.203480005 CEST4974134217192.168.2.6103.28.70.172
        May 4, 2021 11:46:21.381694078 CEST3421749741103.28.70.172192.168.2.6
        May 4, 2021 11:46:21.382281065 CEST4974134217192.168.2.6103.28.70.172
        May 4, 2021 11:46:21.548856974 CEST3421749741103.28.70.172192.168.2.6
        May 4, 2021 11:46:21.552341938 CEST4974134217192.168.2.6103.28.70.172
        May 4, 2021 11:46:21.772722006 CEST3421749741103.28.70.172192.168.2.6
        May 4, 2021 11:46:21.851043940 CEST3421749741103.28.70.172192.168.2.6
        May 4, 2021 11:46:21.893850088 CEST4974134217192.168.2.6103.28.70.172
        May 4, 2021 11:46:21.895390034 CEST4974134217192.168.2.6103.28.70.172
        May 4, 2021 11:46:22.060405970 CEST3421749741103.28.70.172192.168.2.6
        May 4, 2021 11:46:22.060621977 CEST4974134217192.168.2.6103.28.70.172
        May 4, 2021 11:46:22.116507053 CEST3421749741103.28.70.172192.168.2.6
        May 4, 2021 11:46:22.116616011 CEST4974134217192.168.2.6103.28.70.172
        May 4, 2021 11:46:22.272658110 CEST3421749741103.28.70.172192.168.2.6
        May 4, 2021 11:46:22.272772074 CEST4974134217192.168.2.6103.28.70.172
        May 4, 2021 11:46:22.282932997 CEST3421749741103.28.70.172192.168.2.6
        May 4, 2021 11:46:22.331362009 CEST4974134217192.168.2.6103.28.70.172
        May 4, 2021 11:46:22.439317942 CEST3421749741103.28.70.172192.168.2.6
        May 4, 2021 11:46:22.487643003 CEST4974134217192.168.2.6103.28.70.172
        May 4, 2021 11:46:22.973006964 CEST4974134217192.168.2.6103.28.70.172
        May 4, 2021 11:46:23.186158895 CEST3421749741103.28.70.172192.168.2.6
        May 4, 2021 11:46:23.988430023 CEST4974134217192.168.2.6103.28.70.172
        May 4, 2021 11:46:28.004657030 CEST4974734217192.168.2.6103.28.70.172
        May 4, 2021 11:46:28.170461893 CEST3421749747103.28.70.172192.168.2.6
        May 4, 2021 11:46:28.170659065 CEST4974734217192.168.2.6103.28.70.172
        May 4, 2021 11:46:28.187827110 CEST4974734217192.168.2.6103.28.70.172
        May 4, 2021 11:46:28.364110947 CEST3421749747103.28.70.172192.168.2.6
        May 4, 2021 11:46:28.364491940 CEST4974734217192.168.2.6103.28.70.172
        May 4, 2021 11:46:28.532699108 CEST3421749747103.28.70.172192.168.2.6
        May 4, 2021 11:46:28.570060015 CEST4974734217192.168.2.6103.28.70.172
        May 4, 2021 11:46:28.788407087 CEST3421749747103.28.70.172192.168.2.6
        May 4, 2021 11:46:28.872875929 CEST3421749747103.28.70.172192.168.2.6
        May 4, 2021 11:46:28.874691010 CEST4974734217192.168.2.6103.28.70.172
        May 4, 2021 11:46:29.040453911 CEST3421749747103.28.70.172192.168.2.6
        May 4, 2021 11:46:29.040554047 CEST4974734217192.168.2.6103.28.70.172
        May 4, 2021 11:46:29.272597075 CEST3421749747103.28.70.172192.168.2.6
        May 4, 2021 11:46:29.272736073 CEST4974734217192.168.2.6103.28.70.172
        May 4, 2021 11:46:29.438540936 CEST3421749747103.28.70.172192.168.2.6
        May 4, 2021 11:46:29.438633919 CEST4974734217192.168.2.6103.28.70.172
        May 4, 2021 11:46:29.604322910 CEST3421749747103.28.70.172192.168.2.6
        May 4, 2021 11:46:29.644464970 CEST4974734217192.168.2.6103.28.70.172
        May 4, 2021 11:46:30.020636082 CEST4974734217192.168.2.6103.28.70.172
        May 4, 2021 11:46:34.037074089 CEST4975534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:34.205513000 CEST3421749755103.28.70.172192.168.2.6
        May 4, 2021 11:46:34.212302923 CEST4975534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:34.320242882 CEST4975534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:34.495615959 CEST3421749755103.28.70.172192.168.2.6
        May 4, 2021 11:46:34.551081896 CEST4975534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:34.717829943 CEST3421749755103.28.70.172192.168.2.6
        May 4, 2021 11:46:34.772306919 CEST4975534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:34.806303978 CEST4975534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:35.036369085 CEST3421749755103.28.70.172192.168.2.6
        May 4, 2021 11:46:35.112493992 CEST3421749755103.28.70.172192.168.2.6
        May 4, 2021 11:46:35.162354946 CEST4975534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:35.328933001 CEST3421749755103.28.70.172192.168.2.6
        May 4, 2021 11:46:35.379384041 CEST4975534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:35.463236094 CEST4975534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:35.676846027 CEST3421749755103.28.70.172192.168.2.6
        May 4, 2021 11:46:35.676913977 CEST4975534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:35.844712019 CEST3421749755103.28.70.172192.168.2.6
        May 4, 2021 11:46:35.895005941 CEST4975534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:36.063539982 CEST3421749755103.28.70.172192.168.2.6
        May 4, 2021 11:46:36.113836050 CEST4975534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:37.212765932 CEST4975534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:37.431938887 CEST3421749755103.28.70.172192.168.2.6
        May 4, 2021 11:46:38.222958088 CEST4975534217192.168.2.6103.28.70.172
        May 4, 2021 11:46:42.240839005 CEST4975634217192.168.2.6103.28.70.172
        May 4, 2021 11:46:42.407918930 CEST3421749756103.28.70.172192.168.2.6
        May 4, 2021 11:46:42.408200026 CEST4975634217192.168.2.6103.28.70.172
        May 4, 2021 11:46:42.572436094 CEST4975634217192.168.2.6103.28.70.172
        May 4, 2021 11:46:42.748887062 CEST3421749756103.28.70.172192.168.2.6
        May 4, 2021 11:46:42.749428034 CEST4975634217192.168.2.6103.28.70.172
        May 4, 2021 11:46:42.915596008 CEST3421749756103.28.70.172192.168.2.6
        May 4, 2021 11:46:42.917509079 CEST4975634217192.168.2.6103.28.70.172
        May 4, 2021 11:46:43.143054008 CEST3421749756103.28.70.172192.168.2.6
        May 4, 2021 11:46:43.195600986 CEST4975634217192.168.2.6103.28.70.172
        May 4, 2021 11:46:43.216344118 CEST3421749756103.28.70.172192.168.2.6
        May 4, 2021 11:46:43.270842075 CEST4975634217192.168.2.6103.28.70.172
        May 4, 2021 11:46:43.361649990 CEST3421749756103.28.70.172192.168.2.6
        May 4, 2021 11:46:43.363035917 CEST4975634217192.168.2.6103.28.70.172
        May 4, 2021 11:46:43.583157063 CEST3421749756103.28.70.172192.168.2.6
        May 4, 2021 11:46:43.583239079 CEST4975634217192.168.2.6103.28.70.172
        May 4, 2021 11:46:43.749332905 CEST3421749756103.28.70.172192.168.2.6
        May 4, 2021 11:46:43.801970005 CEST4975634217192.168.2.6103.28.70.172
        May 4, 2021 11:46:43.967952967 CEST3421749756103.28.70.172192.168.2.6
        May 4, 2021 11:46:44.020694017 CEST4975634217192.168.2.6103.28.70.172
        May 4, 2021 11:46:44.193005085 CEST4975634217192.168.2.6103.28.70.172
        May 4, 2021 11:46:44.424319029 CEST3421749756103.28.70.172192.168.2.6

        Code Manipulations

        Statistics

        CPU Usage

        Memory Usage

        High Level Behavior Distribution

        Behavior

        System Behavior

        General

        Start time:11:45:27
        Start date:04/05/2021
        Path:C:\Users\user\Desktop\Copy#.exe
        Wow64 process (32bit):true
        Commandline:'C:\Users\user\Desktop\Copy#.exe'
        Imagebase:0x770000
        File size:1822208 bytes
        MD5 hash:AF64699AE611BD9008F11E0A087C4947
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Yara matches:
        • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        Reputation:low

        General

        Start time:11:45:35
        Start date:04/05/2021
        Path:C:\Users\user\Desktop\Copy#.exe
        Wow64 process (32bit):false
        Commandline:C:\Users\user\Desktop\Copy#.exe
        Imagebase:0x230000
        File size:1822208 bytes
        MD5 hash:AF64699AE611BD9008F11E0A087C4947
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low

        General

        Start time:11:45:36
        Start date:04/05/2021
        Path:C:\Users\user\Desktop\Copy#.exe
        Wow64 process (32bit):true
        Commandline:C:\Users\user\Desktop\Copy#.exe
        Imagebase:0xd50000
        File size:1822208 bytes
        MD5 hash:AF64699AE611BD9008F11E0A087C4947
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Reputation:low

        Disassembly

        Code Analysis

          Executed Functions

          Memory Dump Source
          • Source File: 00000001.00000002.364577311.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000001.00000002.364577311.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000001.00000002.364577311.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000001.00000002.364577311.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000001.00000002.364577311.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0137D57E
          Memory Dump Source
          • Source File: 00000001.00000002.364577311.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
          Similarity
          • API ID: CreateProcess
          • String ID:
          • API String ID: 963392458-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0137D57E
          Memory Dump Source
          • Source File: 00000001.00000002.364577311.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
          Similarity
          • API ID: CreateProcess
          • String ID:
          • API String ID: 963392458-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0137CB50
          Memory Dump Source
          • Source File: 00000001.00000002.364577311.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
          Similarity
          • API ID: MemoryProcessWrite
          • String ID:
          • API String ID: 3559483778-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0137CB50
          Memory Dump Source
          • Source File: 00000001.00000002.364577311.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
          Similarity
          • API ID: MemoryProcessWrite
          • String ID:
          • API String ID: 3559483778-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0137CE30
          Memory Dump Source
          • Source File: 00000001.00000002.364577311.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
          Similarity
          • API ID: MemoryProcessRead
          • String ID:
          • API String ID: 1726664587-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SetThreadContext.KERNELBASE(?,00000000), ref: 0137BF9E
          Memory Dump Source
          • Source File: 00000001.00000002.364577311.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
          Similarity
          • API ID: ContextThread
          • String ID:
          • API String ID: 1591575202-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0137CE30
          Memory Dump Source
          • Source File: 00000001.00000002.364577311.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
          Similarity
          • API ID: MemoryProcessRead
          • String ID:
          • API String ID: 1726664587-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SetThreadContext.KERNELBASE(?,00000000), ref: 0137BF9E
          Memory Dump Source
          • Source File: 00000001.00000002.364577311.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
          Similarity
          • API ID: ContextThread
          • String ID:
          • API String ID: 1591575202-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0137C86E
          Memory Dump Source
          • Source File: 00000001.00000002.364577311.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0137C86E
          Memory Dump Source
          • Source File: 00000001.00000002.364577311.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000001.00000002.364577311.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
          Similarity
          • API ID: ResumeThread
          • String ID:
          • API String ID: 947044025-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000001.00000002.364577311.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
          Similarity
          • API ID: ResumeThread
          • String ID:
          • API String ID: 947044025-0
          Uniqueness

          Uniqueness Score: -1.00%

          Non-executed Functions

          Memory Dump Source
          • Source File: 00000001.00000002.364577311.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%