Play interactive tour

Edit tour

Windows Analysis Report gXcRJ8123G.exe

Overview

General Information

Sample Name:	gXcRJ8123G.exe
Analysis ID:	452188
MD5:	767e1c497ff0d617de66c2d8ece44c49
SHA1:	118e1e764cd05b98c631bb9a5687acae94f208e1
SHA256:	f84b3abd9e10ed3595fb957ba10f2c222fa6ac99605bbfd768cc65ee4f59e6e8
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Yara detected Nanocore RAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

gXcRJ8123G.exe (PID: 1700 cmdline: 'C:\Users\user\Desktop\gXcRJ8123G.exe' MD5: 767E1C497FF0D617DE66C2D8ECE44C49)

schtasks.exe (PID: 6092 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp28BF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 4108 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2C3B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 3700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

gXcRJ8123G.exe (PID: 1872 cmdline: C:\Users\user\Desktop\gXcRJ8123G.exe 0 MD5: 767E1C497FF0D617DE66C2D8ECE44C49)

dhcpmon.exe (PID: 2944 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 767E1C497FF0D617DE66C2D8ECE44C49)

dhcpmon.exe (PID: 5700 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 767E1C497FF0D617DE66C2D8ECE44C49)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "03e670ce-e449-4fbc-8c90-b68dc609", "Group": "Scammer", "Domain1": "188.141.118.122", "Domain2": "188.141.118.122", "Port": 6666, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
gXcRJ8123G.exe	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
gXcRJ8123G.exe	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
gXcRJ8123G.exe	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
gXcRJ8123G.exe	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23ba3:$a: NanoCore 0x23bfc:$a: NanoCore 0x23c39:$a: NanoCore 0x23cb2:$a: NanoCore 0x23c05:$b: ClientPlugin 0x23c42:$b: ClientPlugin 0x24540:$b: ClientPlugin 0x2454d:$b: ClientPlugin 0x1b919:$e: KeepAlive 0x2408d:$g: LogClientMessage 0x2400d:$i: get_Connected 0x15bd5:$j: #=q 0x15c05:$j: #=q 0x15c41:$j: #=q 0x15c69:$j: #=q 0x15c99:$j: #=q 0x15cc9:$j: #=q 0x15cf9:$j: #=q 0x15d29:$j: #=q 0x15d45:$j: #=q 0x15d75:$j: #=q
00000007.00000002.368916384.0000000003E71000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.368916384.0000000003E71000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a6d:$a: NanoCore 0x49ac6:$a: NanoCore 0x49b03:$a: NanoCore 0x49b7c:$a: NanoCore 0x5d227:$a: NanoCore 0x5d23c:$a: NanoCore 0x5d271:$a: NanoCore 0x76213:$a: NanoCore 0x76228:$a: NanoCore 0x7625d:$a: NanoCore 0x49acf:$b: ClientPlugin 0x49b0c:$b: ClientPlugin 0x4a40a:$b: ClientPlugin 0x4a417:$b: ClientPlugin 0x5cfe3:$b: ClientPlugin 0x5cffe:$b: ClientPlugin 0x5d02e:$b: ClientPlugin 0x5d245:$b: ClientPlugin 0x5d27a:$b: ClientPlugin 0x75fcf:$b: ClientPlugin 0x75fea:$b: ClientPlugin
00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000006.00000002.348658355.0000000003981000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.348658355.0000000003981000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a6d:$a: NanoCore 0x49ac6:$a: NanoCore 0x49b03:$a: NanoCore 0x49b7c:$a: NanoCore 0x5d227:$a: NanoCore 0x5d23c:$a: NanoCore 0x5d271:$a: NanoCore 0x76213:$a: NanoCore 0x76228:$a: NanoCore 0x7625d:$a: NanoCore 0x49acf:$b: ClientPlugin 0x49b0c:$b: ClientPlugin 0x4a40a:$b: ClientPlugin 0x4a417:$b: ClientPlugin 0x5cfe3:$b: ClientPlugin 0x5cffe:$b: ClientPlugin 0x5d02e:$b: ClientPlugin 0x5d245:$b: ClientPlugin 0x5d27a:$b: ClientPlugin 0x75fcf:$b: ClientPlugin 0x75fea:$b: ClientPlugin
00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1552:$a: NanoCore 0x1577:$a: NanoCore 0x15d0:$a: NanoCore 0x1176d:$a: NanoCore 0x11793:$a: NanoCore 0x117ef:$a: NanoCore 0x1e644:$a: NanoCore 0x1e69d:$a: NanoCore 0x1e6d0:$a: NanoCore 0x1e8fc:$a: NanoCore 0x1e978:$a: NanoCore 0x1ef91:$a: NanoCore 0x1f0da:$a: NanoCore 0x1f5ae:$a: NanoCore 0x1f895:$a: NanoCore 0x1f8ac:$a: NanoCore 0x24e4a:$a: NanoCore 0x24ec4:$a: NanoCore 0x29a61:$a: NanoCore 0x2ae1b:$a: NanoCore 0x2ae65:$a: NanoCore
00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000007.00000002.368877575.0000000002E71000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.368877575.0000000002E71000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23ba3:$a: NanoCore 0x23bfc:$a: NanoCore 0x23c39:$a: NanoCore 0x23cb2:$a: NanoCore 0x23c05:$b: ClientPlugin 0x23c42:$b: ClientPlugin 0x24540:$b: ClientPlugin 0x2454d:$b: ClientPlugin 0x1b919:$e: KeepAlive 0x2408d:$g: LogClientMessage 0x2400d:$i: get_Connected 0x15bd5:$j: #=q 0x15c05:$j: #=q 0x15c41:$j: #=q 0x15c69:$j: #=q 0x15c99:$j: #=q 0x15cc9:$j: #=q 0x15cf9:$j: #=q 0x15d29:$j: #=q 0x15d45:$j: #=q 0x15d75:$j: #=q
00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23a03:$a: NanoCore 0x23a5c:$a: NanoCore 0x23a99:$a: NanoCore 0x23b12:$a: NanoCore 0x23a65:$b: ClientPlugin 0x23aa2:$b: ClientPlugin 0x243a0:$b: ClientPlugin 0x243ad:$b: ClientPlugin 0x1b779:$e: KeepAlive 0x23eed:$g: LogClientMessage 0x23e6d:$i: get_Connected 0x15a35:$j: #=q 0x15a65:$j: #=q 0x15aa1:$j: #=q 0x15ac9:$j: #=q 0x15af9:$j: #=q 0x15b29:$j: #=q 0x15b59:$j: #=q 0x15b89:$j: #=q 0x15ba5:$j: #=q 0x15bd5:$j: #=q
00000005.00000002.346446290.0000000003641000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.346446290.0000000003641000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a6d:$a: NanoCore 0x49ac6:$a: NanoCore 0x49b03:$a: NanoCore 0x49b7c:$a: NanoCore 0x5d227:$a: NanoCore 0x5d23c:$a: NanoCore 0x5d271:$a: NanoCore 0x76213:$a: NanoCore 0x76228:$a: NanoCore 0x7625d:$a: NanoCore 0x49acf:$b: ClientPlugin 0x49b0c:$b: ClientPlugin 0x4a40a:$b: ClientPlugin 0x4a417:$b: ClientPlugin 0x5cfe3:$b: ClientPlugin 0x5cffe:$b: ClientPlugin 0x5d02e:$b: ClientPlugin 0x5d245:$b: ClientPlugin 0x5d27a:$b: ClientPlugin 0x75fcf:$b: ClientPlugin 0x75fea:$b: ClientPlugin
Process Memory Space: gXcRJ8123G.exe PID: 1700	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xcff89:$x1: NanoCore.ClientPluginHost 0xda8a3:$x1: NanoCore.ClientPluginHost 0xed41e:$x1: NanoCore.ClientPluginHost 0xefe08:$x1: NanoCore.ClientPluginHost 0xf325d:$x1: NanoCore.ClientPluginHost 0xf5e48:$x1: NanoCore.ClientPluginHost 0xfc8f7:$x1: NanoCore.ClientPluginHost 0xff6d5:$x1: NanoCore.ClientPluginHost 0x104530:$x1: NanoCore.ClientPluginHost 0x110d0a:$x1: NanoCore.ClientPluginHost 0x12c6aa:$x1: NanoCore.ClientPluginHost 0x13b065:$x1: NanoCore.ClientPluginHost 0x2da647:$x1: NanoCore.ClientPluginHost 0xcffcb:$x2: IClientNetworkHost 0xda8e8:$x2: IClientNetworkHost 0xed47b:$x2: IClientNetworkHost 0xefe65:$x2: IClientNetworkHost 0xf60b4:$x2: IClientNetworkHost 0xff732:$x2: IClientNetworkHost 0x104556:$x2: IClientNetworkHost 0x110d30:$x2: IClientNetworkHost
Process Memory Space: gXcRJ8123G.exe PID: 1700	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: gXcRJ8123G.exe PID: 1700	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xcff4c:$a: NanoCore 0xcff89:$a: NanoCore 0xd0012:$a: NanoCore 0xd53aa:$a: NanoCore 0xd53cd:$a: NanoCore 0xd5422:$a: NanoCore 0xda865:$a: NanoCore 0xda8a3:$a: NanoCore 0xda92f:$a: NanoCore 0xe52cc:$a: NanoCore 0xe52f0:$a: NanoCore 0xe5348:$a: NanoCore 0xecf64:$a: NanoCore 0xed005:$a: NanoCore 0xed068:$a: NanoCore 0xed41e:$a: NanoCore 0xed4fa:$a: NanoCore 0xedf67:$a: NanoCore 0xee14c:$a: NanoCore 0xee19b:$a: NanoCore 0xee1ee:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 5700	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf6af:$x1: NanoCore.ClientPluginHost 0x1b872:$x1: NanoCore.ClientPluginHost 0x3b81d:$x1: NanoCore.ClientPluginHost 0x413dc:$x1: NanoCore.ClientPluginHost 0x52782:$x1: NanoCore.ClientPluginHost 0x77f28:$x1: NanoCore.ClientPluginHost 0xf269:$x2: IClientNetworkHost 0x1b8d3:$x2: IClientNetworkHost 0x3b843:$x2: IClientNetworkHost 0x41421:$x2: IClientNetworkHost 0x527c7:$x2: IClientNetworkHost 0x77f4e:$x2: IClientNetworkHost 0xa0bb:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x20cd8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2ec4a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 5700	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 5700	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xbebd:$a: NanoCore 0xce64:$a: NanoCore 0xeaeb:$a: NanoCore 0xebe9:$a: NanoCore 0xf6af:$a: NanoCore 0x1b377:$a: NanoCore 0x1b393:$a: NanoCore 0x1b4ee:$a: NanoCore 0x1b4fd:$a: NanoCore 0x1b7d6:$a: NanoCore 0x1b802:$a: NanoCore 0x1b872:$a: NanoCore 0x2b2b4:$a: NanoCore 0x2b2c6:$a: NanoCore 0x2b302:$a: NanoCore 0x3b70f:$a: NanoCore 0x3b7b0:$a: NanoCore 0x3b81d:$a: NanoCore 0x3b8de:$a: NanoCore 0x3c7af:$a: NanoCore 0x3c802:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 2944	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf341:$x1: NanoCore.ClientPluginHost 0x1e859:$x1: NanoCore.ClientPluginHost 0x2f638:$x1: NanoCore.ClientPluginHost 0x351f7:$x1: NanoCore.ClientPluginHost 0x4659d:$x1: NanoCore.ClientPluginHost 0x55e5b:$x1: NanoCore.ClientPluginHost 0xf677:$x2: IClientNetworkHost 0x1e87f:$x2: IClientNetworkHost 0x2f65e:$x2: IClientNetworkHost 0x3523c:$x2: IClientNetworkHost 0x465e2:$x2: IClientNetworkHost 0x55ebc:$x2: IClientNetworkHost 0xa48d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5b2c1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x69233:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 2944	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 2944	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc2b9:$a: NanoCore 0xc99b:$a: NanoCore 0xe78c:$a: NanoCore 0xeea9:$a: NanoCore 0xf341:$a: NanoCore 0x118a5:$a: NanoCore 0x1192b:$a: NanoCore 0x11a30:$a: NanoCore 0x1e74b:$a: NanoCore 0x1e7ec:$a: NanoCore 0x1e859:$a: NanoCore 0x1e91a:$a: NanoCore 0x1f7eb:$a: NanoCore 0x1f83e:$a: NanoCore 0x1f877:$a: NanoCore 0x1f8ea:$a: NanoCore 0x214df:$a: NanoCore 0x21867:$a: NanoCore 0x21899:$a: NanoCore 0x218dd:$a: NanoCore 0x21917:$a: NanoCore
Process Memory Space: gXcRJ8123G.exe PID: 1872	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe9b0:$x1: NanoCore.ClientPluginHost 0x147e9:$x1: NanoCore.ClientPluginHost 0x4b735:$x1: NanoCore.ClientPluginHost 0x587fe:$x1: NanoCore.ClientPluginHost 0x5e3bd:$x1: NanoCore.ClientPluginHost 0x6f763:$x1: NanoCore.ClientPluginHost 0xede0:$x2: IClientNetworkHost 0x1484a:$x2: IClientNetworkHost 0x4b75b:$x2: IClientNetworkHost 0x58824:$x2: IClientNetworkHost 0x5e402:$x2: IClientNetworkHost 0x6f7a8:$x2: IClientNetworkHost 0xa2cf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x19c4f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x27bc1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: gXcRJ8123G.exe PID: 1872	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: gXcRJ8123G.exe PID: 1872	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xbffa:$a: NanoCore 0xc06f:$a: NanoCore 0xe4e1:$a: NanoCore 0xe592:$a: NanoCore 0xe9b0:$a: NanoCore 0x142ee:$a: NanoCore 0x1430a:$a: NanoCore 0x14465:$a: NanoCore 0x14474:$a: NanoCore 0x1474d:$a: NanoCore 0x14779:$a: NanoCore 0x147e9:$a: NanoCore 0x2422b:$a: NanoCore 0x2423d:$a: NanoCore 0x24279:$a: NanoCore 0x3e6f7:$a: NanoCore 0x3e78f:$a: NanoCore 0x3e8a7:$a: NanoCore 0x4b627:$a: NanoCore 0x4b6c8:$a: NanoCore 0x4b735:$a: NanoCore
Click to see the 41 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.3.gXcRJ8123G.exe.420dc45.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x3bd6:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
0.3.gXcRJ8123G.exe.420dc45.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x3bd6:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x3cb4:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost 0x3bf0:$s5: IClientLoggingHost
5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24170:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x2419d:$x2: IClientNetworkHost
5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24170:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2524b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2418a:$s5: IClientLoggingHost
5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.dhcpmon.exe.390000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.0.dhcpmon.exe.390000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.0.dhcpmon.exe.390000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.0.dhcpmon.exe.390000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.2.dhcpmon.exe.29a3dc4.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
6.2.dhcpmon.exe.29a3dc4.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
7.2.dhcpmon.exe.3ebeac4.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.dhcpmon.exe.3ebeac4.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.dhcpmon.exe.3ebeac4.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.gXcRJ8123G.exe.41f3bee.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
0.3.gXcRJ8123G.exe.41f3bee.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
7.2.dhcpmon.exe.3ec30ed.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24170:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x2419d:$x2: IClientNetworkHost
7.2.dhcpmon.exe.3ec30ed.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24170:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2524b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2418a:$s5: IClientLoggingHost
7.2.dhcpmon.exe.3ec30ed.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.gXcRJ8123G.exe.60000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.0.gXcRJ8123G.exe.60000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.0.gXcRJ8123G.exe.60000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.0.gXcRJ8123G.exe.60000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.2.dhcpmon.exe.39c9c8e.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5cf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5fc:$x2: IClientNetworkHost
6.2.dhcpmon.exe.39c9c8e.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5cf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6aa:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5e9:$s5: IClientLoggingHost
6.2.dhcpmon.exe.39c9c8e.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.dhcpmon.exe.39c9c8e.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d585:$a: NanoCore 0x2d59a:$a: NanoCore 0x2d5cf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d341:$b: ClientPlugin 0x2d35c:$b: ClientPlugin
7.2.dhcpmon.exe.2e93dc4.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.dhcpmon.exe.2e93dc4.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
6.2.dhcpmon.exe.390000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.dhcpmon.exe.390000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.2.dhcpmon.exe.390000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.dhcpmon.exe.390000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.dhcpmon.exe.3ebeac4.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28799:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287c6:$x2: IClientNetworkHost
7.2.dhcpmon.exe.3ebeac4.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28799:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29874:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287b3:$s5: IClientLoggingHost
7.2.dhcpmon.exe.3ebeac4.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.dhcpmon.exe.39ceac4.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28799:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287c6:$x2: IClientNetworkHost
6.2.dhcpmon.exe.39ceac4.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28799:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29874:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287b3:$s5: IClientLoggingHost
6.2.dhcpmon.exe.39ceac4.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.dhcpmon.exe.39ceac4.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
6.2.dhcpmon.exe.39ceac4.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
6.2.dhcpmon.exe.39ceac4.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5cf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5fc:$x2: IClientNetworkHost
7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5cf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6aa:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5e9:$s5: IClientLoggingHost
7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d585:$a: NanoCore 0x2d59a:$a: NanoCore 0x2d5cf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d341:$b: ClientPlugin 0x2d35c:$b: ClientPlugin
5.2.gXcRJ8123G.exe.368eac4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28799:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287c6:$x2: IClientNetworkHost
5.2.gXcRJ8123G.exe.368eac4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28799:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29874:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287b3:$s5: IClientLoggingHost
5.2.gXcRJ8123G.exe.368eac4.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.gXcRJ8123G.exe.2663c24.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.gXcRJ8123G.exe.2663c24.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
5.2.gXcRJ8123G.exe.368eac4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.gXcRJ8123G.exe.368eac4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.gXcRJ8123G.exe.368eac4.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.dhcpmon.exe.780000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.dhcpmon.exe.780000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.dhcpmon.exe.780000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.dhcpmon.exe.780000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.0.gXcRJ8123G.exe.640000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.0.gXcRJ8123G.exe.640000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.0.gXcRJ8123G.exe.640000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.0.gXcRJ8123G.exe.640000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.2.dhcpmon.exe.39d30ed.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24170:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x2419d:$x2: IClientNetworkHost
6.2.dhcpmon.exe.39d30ed.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24170:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2524b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2418a:$s5: IClientLoggingHost
6.2.dhcpmon.exe.39d30ed.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.gXcRJ8123G.exe.60000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.gXcRJ8123G.exe.60000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.2.gXcRJ8123G.exe.60000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.gXcRJ8123G.exe.60000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.0.dhcpmon.exe.780000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.0.dhcpmon.exe.780000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.0.dhcpmon.exe.780000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.0.dhcpmon.exe.780000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5cf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5fc:$x2: IClientNetworkHost
5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5cf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6aa:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5e9:$s5: IClientLoggingHost
5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d585:$a: NanoCore 0x2d59a:$a: NanoCore 0x2d5cf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d341:$b: ClientPlugin 0x2d35c:$b: ClientPlugin
0.3.gXcRJ8123G.exe.4208219.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0x7c31:$a: NanoCore 0x7cab:$a: NanoCore 0xc848:$a: NanoCore 0xdc02:$a: NanoCore 0xdc4c:$a: NanoCore 0xe8a6:$a: NanoCore 0x1766e:$a: NanoCore 0x17758:$a: NanoCore 0x185cf:$a: NanoCore 0x1f706:$a: NanoCore 0x1f750:$a: NanoCore
0.3.gXcRJ8123G.exe.420dc45.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2205:$a: NanoCore 0x227f:$a: NanoCore 0x6e1c:$a: NanoCore 0x81d6:$a: NanoCore 0x8220:$a: NanoCore 0x8e7a:$a: NanoCore 0x11c42:$a: NanoCore 0x11d2c:$a: NanoCore 0x12ba3:$a: NanoCore 0x19cda:$a: NanoCore 0x19d24:$a: NanoCore 0x19f0e:$a: NanoCore 0x2178a:$a: NanoCore 0x217eb:$a: NanoCore 0x2182e:$a: NanoCore 0x2186e:$a: NanoCore 0x21aaa:$a: NanoCore 0x21b4a:$a: NanoCore 0x22322:$a: NanoCore 0x22915:$a: NanoCore 0x22a66:$a: NanoCore
0.3.gXcRJ8123G.exe.41f3bee.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a56:$a: NanoCore 0x15aaf:$a: NanoCore 0x15ae2:$a: NanoCore 0x15d0e:$a: NanoCore 0x15d8a:$a: NanoCore 0x163a3:$a: NanoCore 0x164ec:$a: NanoCore 0x169c0:$a: NanoCore 0x16ca7:$a: NanoCore 0x16cbe:$a: NanoCore 0x1c25c:$a: NanoCore 0x1c2d6:$a: NanoCore 0x20e73:$a: NanoCore 0x2222d:$a: NanoCore 0x22277:$a: NanoCore 0x22ed1:$a: NanoCore 0x2bc99:$a: NanoCore 0x2bd83:$a: NanoCore
Click to see the 75 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\gXcRJ8123G.exe, ProcessId: 1700, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\gXcRJ8123G.exe, ProcessId: 1700, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\gXcRJ8123G.exe, ProcessId: 1700, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\gXcRJ8123G.exe, ProcessId: 1700, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: gXcRJ8123G.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7

Found malware configuration

Show sources

Source: 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "03e670ce-e449-4fbc-8c90-b68dc609", "Group": "Scammer", "Domain1": "188.141.118.122", "Domain2": "188.141.118.122", "Port": 6666, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for domain / URL

Show sources

Source: 188.141.118.122

Virustotal: Detection: 5%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Virustotal: Detection: 84%			Perma Link
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 100%

Multi AV Scanner detection for submitted file

Show sources

Source: gXcRJ8123G.exe	Virustotal: Detection: 84%			Perma Link
Source: gXcRJ8123G.exe	ReversingLabs: Detection: 100%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: gXcRJ8123G.exe, type: SAMPLE
Source: Yara match	File source: 5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3ebeac4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3ec30ed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dhcpmon.exe.39c9c8e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3ebeac4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dhcpmon.exe.39ceac4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dhcpmon.exe.39ceac4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gXcRJ8123G.exe.368eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gXcRJ8123G.exe.368eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.gXcRJ8123G.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dhcpmon.exe.39d30ed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.368916384.0000000003E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.348658355.0000000003981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.368877575.0000000002E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.346446290.0000000003641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gXcRJ8123G.exe PID: 1700, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5700, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 2944, type: MEMORY
Source: Yara match	File source: Process Memory Space: gXcRJ8123G.exe PID: 1872, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

Machine Learning detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: gXcRJ8123G.exe

Joe Sandbox ML: detected

Source: 5.0.gXcRJ8123G.exe.60000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.dhcpmon.exe.780000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.gXcRJ8123G.exe.60000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.dhcpmon.exe.390000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.0.gXcRJ8123G.exe.640000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.0.dhcpmon.exe.390000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.dhcpmon.exe.780000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: gXcRJ8123G.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: C:\Users\user\Desktop\gXcRJ8123G.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: 188.141.118.122

Source: global traffic

TCP traffic: 192.168.2.6:49718 -> 188.141.118.122:6666

Source: Joe Sandbox View

ASN Name: LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding

Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122
Source: unknown	TCP traffic detected without corresponding DNS query: 188.141.118.122

Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp

String found in binary or memory: http://google.com

Source: gXcRJ8123G.exe, 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: gXcRJ8123G.exe, type: SAMPLE
Source: Yara match	File source: 5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3ebeac4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3ec30ed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dhcpmon.exe.39c9c8e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3ebeac4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dhcpmon.exe.39ceac4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dhcpmon.exe.39ceac4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gXcRJ8123G.exe.368eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gXcRJ8123G.exe.368eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.gXcRJ8123G.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dhcpmon.exe.39d30ed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.368916384.0000000003E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.348658355.0000000003981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.368877575.0000000002E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.346446290.0000000003641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gXcRJ8123G.exe PID: 1700, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5700, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 2944, type: MEMORY
Source: Yara match	File source: Process Memory Space: gXcRJ8123G.exe PID: 1872, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: gXcRJ8123G.exe, type: SAMPLE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: gXcRJ8123G.exe, type: SAMPLE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.gXcRJ8123G.exe.420dc45.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.dhcpmon.exe.29a3dc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.3ebeac4.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.gXcRJ8123G.exe.41f3bee.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.3ec30ed.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.dhcpmon.exe.39c9c8e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.dhcpmon.exe.39c9c8e.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dhcpmon.exe.2e93dc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dhcpmon.exe.3ebeac4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.dhcpmon.exe.39ceac4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.dhcpmon.exe.39ceac4.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.gXcRJ8123G.exe.368eac4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.gXcRJ8123G.exe.2663c24.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.gXcRJ8123G.exe.368eac4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.dhcpmon.exe.39d30ed.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.gXcRJ8123G.exe.4208219.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.gXcRJ8123G.exe.420dc45.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.gXcRJ8123G.exe.41f3bee.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.368916384.0000000003E71000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.348658355.0000000003981000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.368877575.0000000002E71000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.346446290.0000000003641000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: gXcRJ8123G.exe PID: 1700, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: gXcRJ8123G.exe PID: 1700, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 5700, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 5700, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 2944, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 2944, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: gXcRJ8123G.exe PID: 1872, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: gXcRJ8123G.exe PID: 1872, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Code function: 5_2_0006524A	5_2_0006524A
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Code function: 5_2_048323A0	5_2_048323A0
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Code function: 5_2_04832FA8	5_2_04832FA8
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Code function: 5_2_04833850	5_2_04833850
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Code function: 5_2_0483306F	5_2_0483306F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 6_2_0039524A	6_2_0039524A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 6_2_04B82FA8	6_2_04B82FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 6_2_04B823A0	6_2_04B823A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 6_2_04B83850	6_2_04B83850
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 6_2_04B8306F	6_2_04B8306F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_0078524A	7_2_0078524A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_04F723A0	7_2_04F723A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_04F72FA8	7_2_04F72FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_04F73850	7_2_04F73850
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_04F7306F	7_2_04F7306F

Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs gXcRJ8123G.exe
Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs gXcRJ8123G.exe
Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs gXcRJ8123G.exe
Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs gXcRJ8123G.exe
Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs gXcRJ8123G.exe
Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs gXcRJ8123G.exe
Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs gXcRJ8123G.exe
Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs gXcRJ8123G.exe
Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs gXcRJ8123G.exe
Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs gXcRJ8123G.exe
Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs gXcRJ8123G.exe
Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs gXcRJ8123G.exe
Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs gXcRJ8123G.exe
Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs gXcRJ8123G.exe
Source: gXcRJ8123G.exe, 00000005.00000002.346847668.0000000004950000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs gXcRJ8123G.exe
Source: gXcRJ8123G.exe, 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs gXcRJ8123G.exe
Source: gXcRJ8123G.exe, 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs gXcRJ8123G.exe
Source: gXcRJ8123G.exe, 00000005.00000002.346446290.0000000003641000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs gXcRJ8123G.exe

Source: gXcRJ8123G.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: gXcRJ8123G.exe, type: SAMPLE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: gXcRJ8123G.exe, type: SAMPLE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: gXcRJ8123G.exe, type: SAMPLE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.gXcRJ8123G.exe.420dc45.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.gXcRJ8123G.exe.420dc45.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.dhcpmon.exe.29a3dc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.dhcpmon.exe.29a3dc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dhcpmon.exe.3ebeac4.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.3ebeac4.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.gXcRJ8123G.exe.41f3bee.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.gXcRJ8123G.exe.41f3bee.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dhcpmon.exe.3ec30ed.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.3ec30ed.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.dhcpmon.exe.39c9c8e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.dhcpmon.exe.39c9c8e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.dhcpmon.exe.39c9c8e.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dhcpmon.exe.2e93dc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.2e93dc4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dhcpmon.exe.3ebeac4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.3ebeac4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.dhcpmon.exe.39ceac4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.dhcpmon.exe.39ceac4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.dhcpmon.exe.39ceac4.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.dhcpmon.exe.39ceac4.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.gXcRJ8123G.exe.368eac4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.gXcRJ8123G.exe.368eac4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.gXcRJ8123G.exe.2663c24.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.gXcRJ8123G.exe.2663c24.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.gXcRJ8123G.exe.368eac4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.gXcRJ8123G.exe.368eac4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.dhcpmon.exe.39d30ed.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.dhcpmon.exe.39d30ed.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.0.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.gXcRJ8123G.exe.4208219.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.gXcRJ8123G.exe.420dc45.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.gXcRJ8123G.exe.41f3bee.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.368916384.0000000003E71000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.348658355.0000000003981000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.368877575.0000000002E71000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.346446290.0000000003641000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: gXcRJ8123G.exe PID: 1700, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: gXcRJ8123G.exe PID: 1700, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 5700, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 5700, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 2944, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 2944, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: gXcRJ8123G.exe PID: 1872, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: gXcRJ8123G.exe PID: 1872, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: gXcRJ8123G.exe	Static PE information: Section: .rsrc ZLIB complexity 1.00026633523
Source: dhcpmon.exe.0.dr	Static PE information: Section: .rsrc ZLIB complexity 1.00026633523

Source: gXcRJ8123G.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: gXcRJ8123G.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: gXcRJ8123G.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: dhcpmon.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: dhcpmon.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 6.0.dhcpmon.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.dhcpmon.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.0.dhcpmon.exe.780000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.dhcpmon.exe.780000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.dhcpmon.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.dhcpmon.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: gXcRJ8123G.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: gXcRJ8123G.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.2.dhcpmon.exe.780000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.dhcpmon.exe.780000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/12@0/1

Source: C:\Users\user\Desktop\gXcRJ8123G.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\gXcRJ8123G.exe

File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A

Jump to behavior

Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{03e670ce-e449-4fbc-8c90-b68dc609b5fe}
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3700:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2576:120:WilError_01

Source: C:\Users\user\Desktop\gXcRJ8123G.exe

File created: C:\Users\user\AppData\Local\Temp\tmp28BF.tmp

Jump to behavior

Source: gXcRJ8123G.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\gXcRJ8123G.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: gXcRJ8123G.exe	Virustotal: Detection: 84%
Source: gXcRJ8123G.exe	ReversingLabs: Detection: 100%

Source: C:\Users\user\Desktop\gXcRJ8123G.exe

File read: C:\Users\user\Desktop\gXcRJ8123G.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\gXcRJ8123G.exe 'C:\Users\user\Desktop\gXcRJ8123G.exe'
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp28BF.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2C3B.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\gXcRJ8123G.exe C:\Users\user\Desktop\gXcRJ8123G.exe 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp28BF.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2C3B.tmp'	Jump to behavior

Source: C:\Users\user\Desktop\gXcRJ8123G.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\gXcRJ8123G.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: gXcRJ8123G.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\gXcRJ8123G.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: gXcRJ8123G.exe, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: gXcRJ8123G.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.0.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.dhcpmon.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.dhcpmon.exe.390000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.dhcpmon.exe.390000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.dhcpmon.exe.390000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.dhcpmon.exe.780000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.dhcpmon.exe.780000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.dhcpmon.exe.780000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.dhcpmon.exe.780000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: gXcRJ8123G.exe, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: gXcRJ8123G.exe, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: dhcpmon.exe.0.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: dhcpmon.exe.0.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.0.gXcRJ8123G.exe.640000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.0.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.2.gXcRJ8123G.exe.60000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 6.2.dhcpmon.exe.390000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.2.dhcpmon.exe.390000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 6.0.dhcpmon.exe.390000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.0.dhcpmon.exe.390000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.2.dhcpmon.exe.780000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.2.dhcpmon.exe.780000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.0.dhcpmon.exe.780000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.0.dhcpmon.exe.780000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\gXcRJ8123G.exe

File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\gXcRJ8123G.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp28BF.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\gXcRJ8123G.exe

File opened: C:\Users\user\Desktop\gXcRJ8123G.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\gXcRJ8123G.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Window / User API: foregroundWindowGot 587			Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Window / User API: foregroundWindowGot 632			Jump to behavior

Source: C:\Users\user\Desktop\gXcRJ8123G.exe TID: 1296	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe TID: 2680	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe TID: 2924	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 400	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2272	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\gXcRJ8123G.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\gXcRJ8123G.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\gXcRJ8123G.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp28BF.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2C3B.tmp'			Jump to behavior

Source: gXcRJ8123G.exe, 00000000.00000003.359467385.000000000626D000.00000004.00000001.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\gXcRJ8123G.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\gXcRJ8123G.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: gXcRJ8123G.exe, type: SAMPLE
Source: Yara match	File source: 5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3ebeac4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3ec30ed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dhcpmon.exe.39c9c8e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3ebeac4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dhcpmon.exe.39ceac4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dhcpmon.exe.39ceac4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gXcRJ8123G.exe.368eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gXcRJ8123G.exe.368eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.gXcRJ8123G.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dhcpmon.exe.39d30ed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.368916384.0000000003E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.348658355.0000000003981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.368877575.0000000002E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.346446290.0000000003641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gXcRJ8123G.exe PID: 1700, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5700, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 2944, type: MEMORY
Source: Yara match	File source: Process Memory Space: gXcRJ8123G.exe PID: 1872, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: gXcRJ8123G.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: gXcRJ8123G.exe, 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000007.00000002.368916384.0000000003E71000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: gXcRJ8123G.exe	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: gXcRJ8123G.exe, type: SAMPLE
Source: Yara match	File source: 5.2.gXcRJ8123G.exe.36930ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3ebeac4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3ec30ed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dhcpmon.exe.39c9c8e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dhcpmon.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3ebeac4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dhcpmon.exe.39ceac4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dhcpmon.exe.39ceac4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.3eb9c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gXcRJ8123G.exe.368eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gXcRJ8123G.exe.368eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.gXcRJ8123G.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.dhcpmon.exe.39d30ed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gXcRJ8123G.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.dhcpmon.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gXcRJ8123G.exe.3689c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.368916384.0000000003E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.348658355.0000000003981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.368877575.0000000002E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.346446290.0000000003641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gXcRJ8123G.exe PID: 1700, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5700, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 2944, type: MEMORY
Source: Yara match	File source: Process Memory Space: gXcRJ8123G.exe PID: 1872, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Process Injection12	Masquerading2	Input Capture11	Query Registry1	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery11	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Virtualization/Sandbox Evasion21	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Information Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing12	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
gXcRJ8123G.exe	84%	Virustotal		Browse
gXcRJ8123G.exe	100%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoCore
gXcRJ8123G.exe	100%	Avira	TR/Dropper.MSIL.Gen7
gXcRJ8123G.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Avira	TR/Dropper.MSIL.Gen7
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	84%	Virustotal		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoCore

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.0.gXcRJ8123G.exe.60000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
7.2.dhcpmon.exe.780000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
5.2.gXcRJ8123G.exe.60000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
6.2.dhcpmon.exe.390000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
0.0.gXcRJ8123G.exe.640000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
6.0.dhcpmon.exe.390000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
7.0.dhcpmon.exe.780000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
188.141.118.122	6%	Virustotal		Browse
188.141.118.122	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
188.141.118.122	true	6%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://google.com	gXcRJ8123G.exe, 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.141.118.122	unknown	Ireland		6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	452188
Start date:	21.07.2021
Start time:	23:02:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	gXcRJ8123G.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/12@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 196 Number of non-executed functions: 4
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:03:05	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\gXcRJ8123G.exe" s>$(Arg0)
23:03:05	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
23:03:05	API Interceptor	1032x Sleep call for process: gXcRJ8123G.exe modified
23:03:07	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	xjYvqOne1t	Get hash	malicious	Browse	31.5.149.216
	iUmNR6tkEd	Get hash	malicious	Browse	178.202.206.19
	eAtDhymLzp	Get hash	malicious	Browse	213.93.27.100
	ehn0f1d63M	Get hash	malicious	Browse	213.126.201.232
	zhPAQB7FPV	Get hash	malicious	Browse	145.252.248.205
	wy2BysBF1U	Get hash	malicious	Browse	86.49.148.244
	jhUxzb7jPW	Get hash	malicious	Browse	91.119.249.10
	dFwIxBbz2d	Get hash	malicious	Browse	89.101.120.139
	7f8BlPBZMS	Get hash	malicious	Browse	213.126.148.27
	9bCnBwR693.exe	Get hash	malicious	Browse	78.45.53.24
	nRjbMQ5Jua.exe	Get hash	malicious	Browse	84.117.126.143
	Vk3A1yJJMg	Get hash	malicious	Browse	83.103.130.246
	rnQYDw7A4G	Get hash	malicious	Browse	95.76.74.163
	Af1Fnq4I4G	Get hash	malicious	Browse	88.146.165.84
	395d6gwkWK	Get hash	malicious	Browse	213.126.201.255
	wZ6O9wSQ4e	Get hash	malicious	Browse	86.49.196.177
	b8oaj84zgz	Get hash	malicious	Browse	77.251.162.101
	eubqHHIQkc	Get hash	malicious	Browse	88.153.34.82
	popsmoke.mpsl	Get hash	malicious	Browse	62.195.46.186
	popsmoke.mpsl	Get hash	malicious	Browse	62.143.241.216

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\Desktop\gXcRJ8123G.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	207872
Entropy (8bit):	7.450095771993313
Encrypted:	false
SSDEEP:	6144:sLV6Bta6dtJmakIM5KcGLYiO5C3e6s7338vSa:sLV6BtpmkjYiOS1k3Ta
MD5:	767E1C497FF0D617DE66C2D8ECE44C49
SHA1:	118E1E764CD05B98C631BB9A5687ACAE94F208E1
SHA-256:	F84B3ABD9E10ED3595FB957BA10F2C222FA6AC99605BBFD768CC65EE4F59E6E8
SHA-512:	F24ACF37C91C0FBFB02C17566D5B9D3FF548BD414D11F343AB56B4105D257721FC54C57254D3078AE30D4EC54D403EB5AF3E50A648B4B1F8C579D745F50B492C
Malicious:	true
Yara Hits:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 84%, Browse Antivirus: ReversingLabs, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................b........... ........@.. ......................................................................8...W.... ..._........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc...._... ...`..................@..@................t.......H...........T............................................................0..Q........o5........o6....-.&......3+..+.... ....3......1..... 2.... ....3.... ............0..E.......s7....-(&s8....-&&s9....,$&s:........s;.............+.....+.....+.....0..........~....o<.....0..........~....o=.....0..........~....o>.....0..........~....o?.....0..........~....o@.....0.............-.&(A...&+...0..$.......~B........-.(...+.-.&+..B...+.~B....0.............-.&(A...&+...0..

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\gXcRJ8123G.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\gXcRJ8123G.exe.log Download File
Process:	C:\Users\user\Desktop\gXcRJ8123G.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp28BF.tmp Download File
Process:	C:\Users\user\Desktop\gXcRJ8123G.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1303
Entropy (8bit):	5.115734872180681
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0V5lxtn:cbk4oL600QydbQxIYODOLedq3kj
MD5:	447A6AD04F7E1B9672E3B07786B1524A
SHA1:	043FAD6383FA97E1E4BCD0917B113EDAF35550C9
SHA-256:	55F70B35DB53C7218954340D87AFB1EDC889BE378C0327036BF947251A361AEB
SHA-512:	2546986CD9D35408C2D89834711E40129A4C8EAB75BC5A1C4051B68CB27446D60CAA19A0F1C5EB1421B6F4495E20A4CC1F96CF9446625E15424A7C293B173A0C
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp2C3B.tmp Download File
Process:	C:\Users\user\Desktop\gXcRJ8123G.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\gXcRJ8123G.exe
File Type:	data
Category:	dropped
Size (bytes):	1736
Entropy (8bit):	7.094528505897445
Encrypted:	false
SSDEEP:	48:Ik/t3FmH8Uk/t3FmH8Uk/t3FmH8Uk/t3FmH8Uk/t3FmH8Uk/t3FmH8Uk/t3FmH8L:ft3Ucrt3Ucrt3Ucrt3Ucrt3Ucrt3Ucr9
MD5:	C9A901CEF4675F82D1F8407B7E1DA172
SHA1:	03480F0CAFD5689E41D7509DF92AE700B78D1693
SHA-256:	61488189C23B604117304C41F02C5E722985D264CCAC36D3DFA0589C8D5AD1C7
SHA-512:	8A02A9BF579D8C1464C4245AB21836604878E90B4EDEFCDE5A8D5D25872FC1DCE1CB82D72C9406DC24DE6CC1982C9A8204CAA798CD8BF06D47EBA60096865319
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.\|...@HkG....G..OV..........pz...."....r...w&&\|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.\|&.wGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.\|...@HkG....G..OV..........pz...."....r...w&&\|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.\|&.wGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.\|...@HkG....G..OV..........pz...."....r...w&&\|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.\|&.wGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.\|...@HkG....G..OV..........pz...."....r...w&&\|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.\|&.wGj.h\.3.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\gXcRJ8123G.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:qF8t:q6
MD5:	AB1EF4A9F831D79EE720D72C90642ECE
SHA1:	9246DF20EE6CEBB1852A3774A7ED42A17ED8EEF0
SHA-256:	0305722508F8C58572086CD7F3718E2382D189EA7FF6020283354FEB9F110DCC
SHA-512:	058DFE6F015846BB70F6DF9E5C17CA4958C0202DC98283ABE0105236AC2A316A6547A09D1A725FE35008CE4C42099F6C8D5726E2867166C90A2BB312B32D7541
Malicious:	true
Preview:	...].L.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak Download File
Process:	C:\Users\user\Desktop\gXcRJ8123G.exe
File Type:	data
Category:	modified
Size (bytes):	24
Entropy (8bit):	4.501629167387823
Encrypted:	false
SSDEEP:	3:9bzY6oRDIvYk:RzWDI3
MD5:	ACD3FB4310417DC77FE06F15B0E353E6
SHA1:	80E7002E655EB5765FDEB21114295CB96AD9D5EB
SHA-256:	DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
SHA-512:	DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
Malicious:	false
Preview:	9iH...}Z.4..f..J".C;"a

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Users\user\Desktop\gXcRJ8123G.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	5.320159765557392
Encrypted:	false
SSDEEP:	3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
MD5:	BB0F9B9992809E733EFFF8B0E562CFD6
SHA1:	F0BAB3CF73A04F5A689E6AFC764FEE9276992742
SHA-256:	C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
SHA-512:	AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
Malicious:	false
Preview:	9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Users\user\Desktop\gXcRJ8123G.exe
File Type:	data
Category:	dropped
Size (bytes):	433688
Entropy (8bit):	7.999519077450246
Encrypted:	true
SSDEEP:	12288:dcRKtiKlC1FGhWjoORvi5oCILR9Eax5uoj:KRCiKECCGoD9Eaioj
MD5:	D2D87B1E9F691E38698A9683C9E213C1
SHA1:	87FAA25A212348CCD20567929D52A0ADE5BE07CE
SHA-256:	4115C31136A8A8F4642D3F5E7032A248381FCF36B047CFD911F974600F140039
SHA-512:	541F3C4C9CA97C085065FA5881D9A336F0BE474C90D1C65379CA7CB7F084B6496ED52A61F9133FD29DE5DB57C2B1F2CC302498579C5A158F823612EAC248C5DC
Malicious:	false
Preview:	.........O.......\8..5N..`S.]..[r.$>.\.#v&..$.......Z.i..M.Mn5.@..@...3.R..Y...}>C.b....Z........K..^.d...Z...K.#...dn$e ..XP.^.#.......V...dB.Kn.Y.c..-k....M.D...Q.S..R.X.........._...Zz...#.=<.V.NHZq.h..ON..oq.:...,7H....../..Q..R.u6.."....<.`..z.5b($..9.CF.F1...o?.h.}....;Ay....kL}7...I.-.}..D&...C....%.J..+..1.5.a..Ih....s........G..?..9^0e...p..FCvNt.e...B/...y.h.G.0..o,Q.2[..........e.P8.....yr.....Q....../..S..m.......\.wA.a1.]...oW........PY..h....f:.....Ss.....\.8...@R._A...M..X....V.f).]z..u{.z-....W...NaT+.&:...1.D../.7..\.S..z..!.....#..F.d.......m'..........6.2....:H...bd].._......}.n.=...l.7%r.>...B.Q.K..q...Ex.6.6....P..^...i...Mx...;g...,t..fCd.\.b....e{.\...Y=4......+..T....j}..\|66g.s...z...Y.kTi..?Xy...5\...SO..W.U.3A.$.l..{.D...no.E..v.2.:..a..hdhO..t.w.k..T\|Po.....D?..mG.[.2.;....+...8.6.h!..w.3...w.o.....\|....f.v.to.B.{`o..a.....f.cu..........?......"...u..EA...^)W..z..jtU{^......5#....y.s.......e.l..&...%...

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Users\user\Desktop\gXcRJ8123G.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.361768795973195
Encrypted:	false
SSDEEP:	3:oNN2+WCkf+0Cn:oNN2RCf0C
MD5:	57727D13BAD31F90F435367844801B81
SHA1:	BCE921899C2A359675AE9ACF8AA9C7181A03EA20
SHA-256:	ABC4C5E92B977739708223B5A0EE20A2898D3065997A991094C2360654B4EF8F
SHA-512:	FFCD3E598E062EF47F3087E3956E2A3C2DB02B1CE32463D9665FFC458C5C3D9EF1394BC8852733C258FE4592B7ED2CC600E7BF6FB716AE9A6A39C645B06ED687
Malicious:	false
Preview:	C:\Users\user\Desktop\gXcRJ8123G.exe

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.450095771993313
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	gXcRJ8123G.exe
File size:	207872
MD5:	767e1c497ff0d617de66c2d8ece44c49
SHA1:	118e1e764cd05b98c631bb9a5687acae94f208e1
SHA256:	f84b3abd9e10ed3595fb957ba10f2c222fa6ac99605bbfd768cc65ee4f59e6e8
SHA512:	f24acf37c91c0fbfb02c17566d5b9d3ff548bd414d11f343ab56b4105d257721fc54c57254d3078ae30d4ec54d403eb5af3e50a648b4b1f8c579d745f50b492c
SSDEEP:	6144:sLV6Bta6dtJmakIM5KcGLYiO5C3e6s7338vSa:sLV6BtpmkjYiOS1k3Ta
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................b........... ........@.. .....................................................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x41e792
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp:	0x54E927A1 [Sun Feb 22 00:49:37 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e738	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22000	0x15fc8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x20000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1c798	0x1c800	False	0.594512404057	data	6.59805438752	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc	0x20000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x22000	0x15fc8	0x16000	False	1.00026633523	data	7.99757268531	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_RCDATA	0x22058	0x15f70	TIM image, Pixel at (52285,41708) Size=36322x50574

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 21, 2021 23:03:06.178333998 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.247365952 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.247837067 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.289177895 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.391777992 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.391905069 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.443742037 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.444065094 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.498539925 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.498625994 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.560504913 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.560714006 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.662353992 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.662599087 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.770725012 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.770801067 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.770895958 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.770941973 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.775173903 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.775227070 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.775302887 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.775433064 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.775475979 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.775541067 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.776097059 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.776139021 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.776207924 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.776416063 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.776463032 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.776503086 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.776515961 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.776550055 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.776586056 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.831844091 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.833868027 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.834003925 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.837975979 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.838001013 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.838094950 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.838504076 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.838521957 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.838593006 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.838840961 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.838859081 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.838934898 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.838972092 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.838989973 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.839066982 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.839087963 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.839500904 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.839584112 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.839595079 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.839610100 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.839703083 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.840676069 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.840696096 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.840754032 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.841499090 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.841520071 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.841619968 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.842583895 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.843199015 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.843283892 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.855494022 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.893522024 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.893874884 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.893980980 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.894598961 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.894661903 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.894746065 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.901660919 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.901768923 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.901994944 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.902069092 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.902393103 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.902549982 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.902578115 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.902760983 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.902935982 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.902961016 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.903002024 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.903017998 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.903064966 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.903182030 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.903204918 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.903238058 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.903249025 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.903302908 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.903414965 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.903518915 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.903527975 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.903733969 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.903753042 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.903812885 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.903834105 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.903856993 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.903881073 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.903918028 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.903985023 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.904026031 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.904105902 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.904122114 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.904625893 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.904680014 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.904700041 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.904745102 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.904761076 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.904839993 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.905111074 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.905145884 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.905219078 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.905524969 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.905596018 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.906208038 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.906241894 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.906331062 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.906352997 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.906776905 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.906809092 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.906843901 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.906891108 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.906939030 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.906944036 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.907043934 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.907124996 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.907208920 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.907253981 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.907286882 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.907336950 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.907366037 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.907413006 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.907449007 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.925450087 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.925508976 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.925548077 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.925908089 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.925960064 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.956770897 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.956968069 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.957494974 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.957511902 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.957575083 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.957609892 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.958585978 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.958713055 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.958944082 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.959022999 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.959049940 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.959114075 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.962162971 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.962198019 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.962321043 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.965766907 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.965888977 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.965938091 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.966032982 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.966479063 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.966501951 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.966618061 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.966630936 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.966734886 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.967015028 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.967065096 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.967092991 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.967107058 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.967154026 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.967175961 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.967180014 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.967232943 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.968084097 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.968128920 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.968203068 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.968317986 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.968358040 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.968394995 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.968420982 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.968442917 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.968449116 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.968509912 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.968569994 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.968614101 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.968642950 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.968698978 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.968703985 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.968707085 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.968794107 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.968900919 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.968961000 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.969037056 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.969053984 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.969106913 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.969237089 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.969281912 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.969337940 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.971025944 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.971090078 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.971127033 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.971155882 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.971276045 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.971318960 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.971345901 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.971385956 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.971407890 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.971658945 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.971703053 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.971741915 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.971774101 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.972234011 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.972268105 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.972292900 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.972345114 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.973109961 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.973217010 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.987597942 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.987616062 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.987710953 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.991497993 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.991589069 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.991638899 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:06.992291927 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:06.992372036 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.022087097 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.022165060 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.022239923 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.022269011 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.022496939 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.022622108 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.026732922 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.026768923 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.026973963 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.028425932 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.029254913 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.029371023 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.030062914 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.032557964 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.032680988 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.033328056 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.033366919 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.033412933 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.033452988 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.033529043 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.033637047 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.033677101 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.033711910 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.033847094 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.033896923 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.034267902 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.034311056 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.034360886 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.034379959 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.034416914 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.034440994 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.034475088 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.034528017 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.034528971 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.034821987 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.034859896 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.034897089 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.034945011 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.035024881 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.035106897 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.035180092 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.035216093 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.035248995 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.035487890 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.035527945 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.035604000 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.035640955 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.035685062 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.035746098 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.035984993 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.036062002 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.036101103 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.036271095 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.036590099 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.037271023 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.037293911 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.037317038 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.037345886 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.037360907 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.037398100 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.037791967 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.038450003 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.038487911 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.038543940 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.052995920 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.053149939 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.053255081 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.055500031 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.055742979 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.056713104 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.056915998 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.056968927 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.085205078 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.085283995 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.085340977 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.089160919 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.089173079 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.089299917 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.089718103 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.089776993 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.090266943 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.090348005 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.090656042 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.090677977 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.090761900 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.094850063 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.094892979 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.094919920 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.094966888 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.095030069 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.095293045 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.095413923 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.095427990 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.095473051 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.095514059 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.095556021 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.095865011 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.095920086 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.095997095 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.096020937 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.096074104 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.096111059 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.098856926 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.098917961 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.099267006 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.099334955 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.099366903 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.099406958 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.100119114 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.100177050 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.100243092 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.100264072 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.100286961 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.100333929 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.100487947 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.100512028 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.100534916 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.100575924 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.100579023 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.100606918 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.100615025 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.100649118 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.101265907 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.101320028 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.101336956 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.101356030 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.101421118 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.101459980 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.101475000 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.101515055 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.101605892 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.101646900 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.101677895 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.101716042 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.101732016 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.101773977 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.101874113 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.101918936 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.101928949 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.101965904 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.101969957 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.101996899 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.102021933 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.102046967 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.102083921 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.102087975 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.102139950 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.102149963 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.102263927 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.102540016 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.102858067 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.102880001 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.102919102 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.102957010 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.117831945 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.118052006 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.118273973 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.118351936 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.118530989 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.118639946 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.119498014 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.119569063 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.119963884 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.120035887 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.144968987 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.145195961 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.145569086 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.145625114 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.145997047 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.146022081 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.146061897 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.151191950 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.151221991 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.151299953 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.151645899 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.151829958 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.151850939 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.151879072 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.152029991 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.152329922 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.152375937 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.152384996 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.152523994 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.153031111 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.155057907 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.155087948 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.155225039 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.157407999 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.157439947 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.157480001 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.157532930 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.157891035 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.158004999 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.158065081 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.158087015 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.158107042 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.158190966 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.158433914 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.158514023 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.158581972 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.158606052 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.159003973 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.159112930 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.159169912 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.159804106 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.160202026 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.160375118 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.160444975 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.160545111 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.160934925 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.161005020 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.161292076 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.161771059 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.161797047 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.161858082 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.161998034 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.163239956 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.163297892 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.163322926 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.163346052 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.163367987 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.163388968 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.163410902 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.163434029 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.163460016 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.163480043 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.163502932 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.163522959 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.163542032 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.163641930 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.164022923 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.164074898 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.164150000 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.164185047 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.164439917 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.164681911 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.164915085 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.164988041 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.165066957 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.165719032 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.166201115 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.166297913 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.166625023 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.166646957 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.166717052 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.255234003 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.493628025 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.605962038 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.606121063 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.712939978 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.736884117 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:07.839929104 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:07.920775890 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:08.040638924 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:08.040724993 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:08.141907930 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:08.145214081 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:08.256195068 CEST	6666	49718	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:08.265048027 CEST	49718	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:12.314593077 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:12.378041029 CEST	6666	49722	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:12.378175974 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:12.378618002 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:12.485177040 CEST	6666	49722	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:12.485259056 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:12.578212023 CEST	6666	49722	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:12.578486919 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:12.640475035 CEST	6666	49722	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:12.640664101 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:12.744791031 CEST	6666	49722	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:12.744894028 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:12.851922989 CEST	6666	49722	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:12.851990938 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:12.941083908 CEST	6666	49722	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:12.972063065 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:13.035734892 CEST	6666	49722	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:13.035866022 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:13.141829014 CEST	6666	49722	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:13.142024040 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:13.203788996 CEST	6666	49722	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:13.216067076 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:13.275618076 CEST	6666	49722	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:13.275899887 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:13.382129908 CEST	6666	49722	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:13.382236004 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:13.486491919 CEST	6666	49722	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:13.486601114 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:13.591192961 CEST	6666	49722	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:13.591896057 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:13.694669962 CEST	6666	49722	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:13.694760084 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:13.798178911 CEST	6666	49722	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:13.798309088 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:13.904763937 CEST	6666	49722	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:13.904891014 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:14.006359100 CEST	6666	49722	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:14.006500959 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:14.108242035 CEST	6666	49722	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:14.108648062 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:14.212862015 CEST	6666	49722	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:14.213001966 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:14.262129068 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:14.313471079 CEST	6666	49722	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:14.313623905 CEST	49722	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:18.343492985 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:18.404333115 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:18.404514074 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:18.405232906 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:18.510503054 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:18.510791063 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:18.581496000 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:18.581882000 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:18.688286066 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:18.688473940 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:18.751368046 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:18.792937040 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:18.942724943 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:19.045922995 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:19.046117067 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:19.145359039 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:19.145540953 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:19.205017090 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:19.246052980 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:19.310256004 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:19.355472088 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:19.506887913 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:19.605042934 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:19.605222940 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:19.665754080 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:19.665862083 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:19.727279902 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:19.727358103 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:19.833774090 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:19.833874941 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:19.934832096 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:19.935019970 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:20.039572001 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:20.039654970 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:20.144886017 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:20.144995928 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:20.241507053 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:20.241627932 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:20.343511105 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:20.343612909 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:20.440273046 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:20.449898958 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:20.560111046 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:20.560234070 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:20.663665056 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:20.663769960 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:20.767827988 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:20.778403044 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:20.840755939 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:20.880706072 CEST	6666	49725	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:20.880773067 CEST	49725	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:24.860951900 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:24.930131912 CEST	6666	49726	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:24.931790113 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:24.937777042 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:25.051816940 CEST	6666	49726	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:25.052647114 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:25.095591068 CEST	6666	49726	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:25.095717907 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:25.159368992 CEST	6666	49726	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:25.159452915 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:25.224879026 CEST	6666	49726	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:25.248219967 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:25.357801914 CEST	6666	49726	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:25.358009100 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:25.460541964 CEST	6666	49726	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:25.460653067 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:25.549911022 CEST	6666	49726	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:25.550087929 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:25.614495039 CEST	6666	49726	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:25.614629984 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:25.719355106 CEST	6666	49726	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:25.719440937 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:25.783682108 CEST	6666	49726	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:25.783796072 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:25.846952915 CEST	6666	49726	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:25.847053051 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:25.955724955 CEST	6666	49726	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:25.981436014 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:26.087301970 CEST	6666	49726	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:26.087374926 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:26.197572947 CEST	6666	49726	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:26.200077057 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:26.303236008 CEST	6666	49726	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:26.303800106 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:26.412425995 CEST	6666	49726	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:26.434582949 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:26.537717104 CEST	6666	49726	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:26.538723946 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:26.648169041 CEST	6666	49726	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:26.648328066 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:26.749828100 CEST	6666	49726	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:26.749924898 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:26.809545040 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:26.854893923 CEST	6666	49726	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:26.854971886 CEST	49726	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:30.842241049 CEST	49729	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:30.906636000 CEST	6666	49729	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:30.906800032 CEST	49729	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:30.907411098 CEST	49729	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:30.981250048 CEST	6666	49729	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:30.981950998 CEST	49729	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:31.066293001 CEST	6666	49729	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:31.067500114 CEST	49729	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:31.127999067 CEST	6666	49729	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:31.131192923 CEST	49729	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:31.169342995 CEST	49729	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:31.230361938 CEST	6666	49729	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:31.230523109 CEST	49729	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:35.303688049 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:35.370557070 CEST	6666	49730	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:35.370750904 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:35.381093025 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:35.500211000 CEST	6666	49730	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:35.500324011 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:35.543868065 CEST	6666	49730	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:35.544001102 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:35.602473021 CEST	6666	49730	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:35.602552891 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:35.669955015 CEST	6666	49730	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:35.670069933 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:35.776041031 CEST	6666	49730	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:35.776159048 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:35.883369923 CEST	6666	49730	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:35.883496046 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:35.967991114 CEST	6666	49730	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:35.969010115 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:36.031528950 CEST	6666	49730	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:36.031651974 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:36.133608103 CEST	6666	49730	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:36.439443111 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:36.500626087 CEST	6666	49730	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:36.503180981 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:36.568325043 CEST	6666	49730	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:36.577231884 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:36.677452087 CEST	6666	49730	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:36.677578926 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:36.777009964 CEST	6666	49730	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:36.795109034 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:36.899939060 CEST	6666	49730	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:37.129548073 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:37.230303049 CEST	6666	49730	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:37.230479002 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:37.333657980 CEST	6666	49730	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:37.664120913 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:37.777784109 CEST	6666	49730	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:37.777962923 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:37.880163908 CEST	6666	49730	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:37.880285025 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:37.980720997 CEST	6666	49730	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:37.980856895 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:38.013578892 CEST	49730	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:42.054075956 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:42.116740942 CEST	6666	49731	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:42.117201090 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:42.117773056 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:42.233611107 CEST	6666	49731	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:42.234222889 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:42.271003962 CEST	6666	49731	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:42.271215916 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:42.341620922 CEST	6666	49731	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:42.341929913 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:42.406627893 CEST	6666	49731	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:42.451160908 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:42.462995052 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:42.565426111 CEST	6666	49731	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:42.565655947 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:42.671519995 CEST	6666	49731	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:42.671937943 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:42.771087885 CEST	6666	49731	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:42.780762911 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:42.849059105 CEST	6666	49731	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:42.850275040 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:42.953520060 CEST	6666	49731	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:42.953800917 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:43.018198013 CEST	6666	49731	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:43.030987978 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:43.094108105 CEST	6666	49731	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:43.138777018 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:43.178904057 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:43.287606001 CEST	6666	49731	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:43.288120985 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:43.392781019 CEST	6666	49731	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:43.435893059 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:43.541397095 CEST	6666	49731	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:43.541584015 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:43.646195889 CEST	6666	49731	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:43.646312952 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:43.750483036 CEST	6666	49731	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:43.750628948 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:43.858189106 CEST	6666	49731	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:43.881906986 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:43.981745958 CEST	6666	49731	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:43.984989882 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:44.089462042 CEST	6666	49731	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:44.141720057 CEST	49731	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:48.156120062 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:48.216692924 CEST	6666	49739	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:48.216878891 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:48.217602968 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:48.324348927 CEST	6666	49739	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:48.324461937 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:48.366267920 CEST	6666	49739	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:48.366379976 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:48.427475929 CEST	6666	49739	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:48.427833080 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:48.488886118 CEST	6666	49739	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:48.499203920 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:48.598486900 CEST	6666	49739	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:48.598819971 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:48.688009977 CEST	6666	49739	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:48.688186884 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:48.750277042 CEST	6666	49739	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:48.750415087 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:48.853692055 CEST	6666	49739	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:48.853830099 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:48.919296980 CEST	6666	49739	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:48.919528961 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:48.983654022 CEST	6666	49739	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:48.984783888 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:49.090301991 CEST	6666	49739	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:49.090919018 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:49.195739985 CEST	6666	49739	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:49.233566046 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:49.336771011 CEST	6666	49739	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:49.336883068 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:49.438843012 CEST	6666	49739	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:49.497098923 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:49.603735924 CEST	6666	49739	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:49.624109030 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:49.723890066 CEST	6666	49739	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:49.724023104 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:49.826881886 CEST	6666	49739	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:49.826994896 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:49.932291031 CEST	6666	49739	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:49.958683014 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:50.059762001 CEST	6666	49739	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:50.093322039 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:50.171184063 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:50.196433067 CEST	6666	49739	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:50.196566105 CEST	49739	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:54.204835892 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:54.274661064 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:54.274940014 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:54.275429010 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:54.380089998 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:54.380259037 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:54.426239967 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:54.426476002 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:54.486274004 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:54.486493111 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:54.529443026 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:54.551855087 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:54.553250074 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:54.652587891 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:54.653089046 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:54.754297018 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:54.754431009 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:54.759175062 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:54.811579943 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:54.814610958 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:54.814763069 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:54.918782949 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:54.919059992 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:54.977900982 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:54.978336096 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:55.039408922 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:55.039573908 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:55.146219015 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:55.148163080 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:55.253093958 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:55.253227949 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:55.351699114 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:55.354129076 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:55.451606989 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:55.451935053 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:55.549721003 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:55.552140951 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:55.655395031 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:55.655693054 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:55.761585951 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:55.802470922 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:55.904830933 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:55.905294895 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:56.004031897 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:56.004497051 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:03:56.109663963 CEST	6666	49745	188.141.118.122	192.168.2.6
Jul 21, 2021 23:03:56.140995026 CEST	49745	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:00.156898975 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:00.222456932 CEST	6666	49749	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:00.222656965 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:00.273367882 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:00.382242918 CEST	6666	49749	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:00.382375956 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:00.439016104 CEST	6666	49749	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:00.439140081 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:00.482162952 CEST	6666	49749	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:00.482294083 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:00.542674065 CEST	6666	49749	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:00.542929888 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:00.646637917 CEST	6666	49749	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:00.646869898 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:00.750582933 CEST	6666	49749	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:00.750670910 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:00.848709106 CEST	6666	49749	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:00.848855019 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:00.909105062 CEST	6666	49749	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:00.909264088 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:01.010056973 CEST	6666	49749	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:01.010198116 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:01.069523096 CEST	6666	49749	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:01.069665909 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:01.126055956 CEST	6666	49749	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:01.140543938 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:01.241159916 CEST	6666	49749	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:01.306896925 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:01.411202908 CEST	6666	49749	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:01.411354065 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:01.511171103 CEST	6666	49749	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:01.511429071 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:01.615164042 CEST	6666	49749	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:01.615257978 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:01.721503019 CEST	6666	49749	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:01.766077995 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:01.869997978 CEST	6666	49749	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:01.870301008 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:01.982476950 CEST	6666	49749	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:01.982580900 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:02.093858957 CEST	6666	49749	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:02.093939066 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:02.188007116 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:02.192487955 CEST	6666	49749	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:02.193383932 CEST	49749	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:06.205302954 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:06.273586035 CEST	6666	49752	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:06.273798943 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:06.275342941 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:06.381443977 CEST	6666	49752	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:06.381591082 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:06.434340000 CEST	6666	49752	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:06.434487104 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:06.488468885 CEST	6666	49752	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:06.488723040 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:06.542284012 CEST	6666	49752	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:06.553493023 CEST	6666	49752	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:06.553605080 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:06.661246061 CEST	6666	49752	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:06.661503077 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:06.771205902 CEST	6666	49752	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:06.771306992 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:06.861095905 CEST	6666	49752	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:06.887953997 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:06.950500011 CEST	6666	49752	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:06.950819969 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:07.061379910 CEST	6666	49752	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:07.061480045 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:07.125324965 CEST	6666	49752	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:07.125516891 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:07.192608118 CEST	6666	49752	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:07.234591961 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:07.235439062 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:07.344014883 CEST	6666	49752	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:07.344194889 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:07.449039936 CEST	6666	49752	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:07.454201937 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:07.560616970 CEST	6666	49752	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:07.594264030 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:07.708281994 CEST	6666	49752	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:07.708424091 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:07.816220045 CEST	6666	49752	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:07.816365004 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:07.917191982 CEST	6666	49752	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:07.938632965 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:08.045227051 CEST	6666	49752	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:08.045768976 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:08.141304970 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:08.149823904 CEST	6666	49752	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:08.149900913 CEST	49752	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:12.196408033 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:12.260932922 CEST	6666	49753	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:12.261148930 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:12.261842966 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:12.373233080 CEST	6666	49753	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:12.373389006 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:12.426776886 CEST	6666	49753	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:12.426867008 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:12.478698969 CEST	6666	49753	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:12.478904963 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:12.532561064 CEST	6666	49753	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:12.532782078 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:12.544512987 CEST	6666	49753	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:12.594343901 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:12.631887913 CEST	6666	49753	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:12.632045031 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:12.735502005 CEST	6666	49753	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:12.735735893 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:12.838196039 CEST	6666	49753	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:12.838453054 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:12.896277905 CEST	6666	49753	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:12.896655083 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:12.998344898 CEST	6666	49753	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:13.003372908 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:13.064071894 CEST	6666	49753	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:13.094783068 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:13.161761999 CEST	6666	49753	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:13.203845978 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:13.235682964 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:13.336915016 CEST	6666	49753	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:13.337244987 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:13.437602043 CEST	6666	49753	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:13.454626083 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:13.558404922 CEST	6666	49753	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:13.558653116 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:13.656919956 CEST	6666	49753	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:13.657038927 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:13.762145996 CEST	6666	49753	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:13.782460928 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:13.880475044 CEST	6666	49753	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:13.880594015 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:13.982709885 CEST	6666	49753	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:14.001200914 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:14.063875914 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:14.104943991 CEST	6666	49753	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:14.105082035 CEST	49753	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:18.080845118 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:18.154150963 CEST	6666	49754	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:18.154329062 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:18.155051947 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:18.266705036 CEST	6666	49754	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:18.266894102 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:18.300833941 CEST	6666	49754	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:18.301064014 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:18.371376038 CEST	6666	49754	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:18.371722937 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:18.435812950 CEST	6666	49754	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:18.436038971 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:18.536130905 CEST	6666	49754	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:18.536339998 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:18.640433073 CEST	6666	49754	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:18.640650988 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:18.733238935 CEST	6666	49754	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:18.735470057 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:18.798683882 CEST	6666	49754	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:18.799103975 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:18.903527975 CEST	6666	49754	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:18.903722048 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:18.967480898 CEST	6666	49754	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:18.967737913 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:19.031244993 CEST	6666	49754	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:19.031538010 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:19.136022091 CEST	6666	49754	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:19.157915115 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:19.257636070 CEST	6666	49754	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:19.283138990 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:19.391105890 CEST	6666	49754	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:19.391419888 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:19.500650883 CEST	6666	49754	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:19.501446009 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:19.608561993 CEST	6666	49754	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:19.608681917 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:19.710618973 CEST	6666	49754	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:19.710772038 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:19.814482927 CEST	6666	49754	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:19.814631939 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:19.922648907 CEST	6666	49754	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:19.939014912 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:20.003335953 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:20.049905062 CEST	6666	49754	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:20.050087929 CEST	49754	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:24.019186974 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:24.085805893 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:24.086076021 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:24.086925983 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:24.192001104 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:24.192109108 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:24.247256041 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:24.247431993 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:24.296427011 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:24.296602011 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:24.356844902 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:24.356975079 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:24.362526894 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:24.412425041 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:24.461728096 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:24.718568087 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:24.823882103 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:24.827073097 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:24.912617922 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:24.912975073 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:24.973941088 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:24.974108934 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:25.077317953 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:25.077518940 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:25.142066002 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:25.142447948 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:25.204550982 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:25.251674891 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:25.829149008 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:25.932777882 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:25.933088064 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:26.033401012 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:26.033541918 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:26.132070065 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:26.132145882 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:26.236114979 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:26.237135887 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:26.339327097 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:26.339431047 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:26.438076019 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:26.440311909 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:26.555804014 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:26.555943012 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:26.660662889 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:26.660793066 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:26.721276999 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:26.764058113 CEST	6666	49755	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:26.764151096 CEST	49755	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:30.738290071 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:30.804748058 CEST	6666	49756	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:30.804964066 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:30.805609941 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:30.915976048 CEST	6666	49756	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:30.940274954 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:30.962035894 CEST	6666	49756	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:30.962234974 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:31.045581102 CEST	6666	49756	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:31.045789003 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:31.106553078 CEST	6666	49756	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:31.110683918 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:31.212671041 CEST	6666	49756	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:31.212953091 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:31.313582897 CEST	6666	49756	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:31.313930035 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:31.375516891 CEST	6666	49756	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:31.375886917 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:31.478559017 CEST	6666	49756	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:31.478728056 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:31.541520119 CEST	6666	49756	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:31.541722059 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:31.607384920 CEST	6666	49756	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:31.607528925 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:31.709867954 CEST	6666	49756	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:31.710031033 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:31.809526920 CEST	6666	49756	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:31.809659004 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:31.915535927 CEST	6666	49756	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:31.915638924 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:32.022703886 CEST	6666	49756	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:32.050199032 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:32.152091026 CEST	6666	49756	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:32.152206898 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:32.256475925 CEST	6666	49756	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:32.256576061 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:32.360608101 CEST	6666	49756	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:32.362411022 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:32.468389034 CEST	6666	49756	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:32.487262964 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:32.593657970 CEST	6666	49756	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:32.593786955 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:32.699815989 CEST	6666	49756	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:32.705714941 CEST	49756	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:36.723407984 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:36.790287971 CEST	6666	49762	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:36.790438890 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:36.791188955 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:36.899339914 CEST	6666	49762	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:36.899509907 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:36.952270031 CEST	6666	49762	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:36.952559948 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:37.007008076 CEST	6666	49762	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:37.007245064 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:37.055469990 CEST	6666	49762	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:37.056057930 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:37.068425894 CEST	6666	49762	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:37.112932920 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:37.155462027 CEST	6666	49762	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:37.155770063 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:37.258930922 CEST	6666	49762	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:37.259115934 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:37.347515106 CEST	6666	49762	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:37.347697020 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:37.412911892 CEST	6666	49762	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:37.413180113 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:37.513322115 CEST	6666	49762	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:37.513484001 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:37.568526030 CEST	6666	49762	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:37.597058058 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:37.657740116 CEST	6666	49762	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:37.712285995 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:37.737690926 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:37.838335991 CEST	6666	49762	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:37.838479996 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:37.939866066 CEST	6666	49762	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:37.940700054 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:38.048341990 CEST	6666	49762	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:38.048449039 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:38.155352116 CEST	6666	49762	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:38.155450106 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:38.253879070 CEST	6666	49762	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:38.284956932 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:38.390155077 CEST	6666	49762	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:38.390248060 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:38.496471882 CEST	6666	49762	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:38.503310919 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:38.566171885 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:38.601109028 CEST	6666	49762	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:38.601244926 CEST	49762	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:42.583405972 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:42.646476984 CEST	6666	49763	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:42.646704912 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:42.647535086 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:42.758156061 CEST	6666	49763	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:42.758223057 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:42.815043926 CEST	6666	49763	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:42.815223932 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:42.865343094 CEST	6666	49763	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:42.865581989 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:42.926415920 CEST	6666	49763	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:42.929729939 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:43.035505056 CEST	6666	49763	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:43.035590887 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:43.134918928 CEST	6666	49763	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:43.135307074 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:43.199990034 CEST	6666	49763	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:43.200217962 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:43.315392971 CEST	6666	49763	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:43.315635920 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:43.378501892 CEST	6666	49763	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:43.394895077 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:43.460711002 CEST	6666	49763	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:43.503271103 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:43.535321951 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:43.642056942 CEST	6666	49763	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:43.642297029 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:43.747920990 CEST	6666	49763	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:43.748045921 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:43.857836008 CEST	6666	49763	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:43.863203049 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:43.971214056 CEST	6666	49763	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:43.971497059 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:44.078140974 CEST	6666	49763	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:44.078308105 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:44.179094076 CEST	6666	49763	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:44.191422939 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:44.297158957 CEST	6666	49763	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:44.297288895 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:44.406308889 CEST	6666	49763	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:44.410054922 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:44.521152020 CEST	6666	49763	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:44.535016060 CEST	49763	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:48.544430017 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:48.608923912 CEST	6666	49764	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:48.609888077 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:48.609910011 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:48.712141991 CEST	6666	49764	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:48.732856035 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:48.756644011 CEST	6666	49764	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:48.756834984 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:48.840898991 CEST	6666	49764	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:48.841989994 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:48.900758982 CEST	6666	49764	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:48.902937889 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:49.006953001 CEST	6666	49764	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:49.021750927 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:49.114908934 CEST	6666	49764	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:49.115160942 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:49.178683043 CEST	6666	49764	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:49.178891897 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:49.284703970 CEST	6666	49764	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:49.284873009 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:49.346169949 CEST	6666	49764	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:49.352240086 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:49.416367054 CEST	6666	49764	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:49.416570902 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:49.517627001 CEST	6666	49764	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:49.543804884 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:49.647953987 CEST	6666	49764	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:49.665180922 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:49.766144991 CEST	6666	49764	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:49.781178951 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:49.882229090 CEST	6666	49764	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:49.882457972 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:49.990149975 CEST	6666	49764	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:49.990310907 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:50.089359999 CEST	6666	49764	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:50.089636087 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:50.190041065 CEST	6666	49764	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:50.190265894 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:50.300470114 CEST	6666	49764	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:50.352086067 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:50.459151030 CEST	6666	49764	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:50.459278107 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:50.552967072 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:50.559530020 CEST	6666	49764	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:50.559658051 CEST	49764	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:54.562524080 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:54.633470058 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:54.633734941 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:54.635054111 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:54.741472960 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:54.748050928 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:54.796720028 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:54.796979904 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:54.848515987 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:54.848934889 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:54.914100885 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:54.914349079 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:55.020309925 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:55.020564079 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:55.128146887 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:55.130516052 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:55.234311104 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:55.234488010 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:55.238667011 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:55.279020071 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:55.296350002 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:55.298544884 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:55.402442932 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:55.402671099 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:55.467931986 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:55.468061924 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:55.533217907 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:55.533379078 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:55.641165018 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:55.654687881 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:55.759792089 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:55.760040045 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:55.865628958 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:55.865861893 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:55.970818996 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:55.971084118 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:56.081012964 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:56.092086077 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:56.194686890 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:56.194992065 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:56.299695969 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:56.299845934 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:56.401709080 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:56.438446045 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:04:56.545888901 CEST	6666	49765	188.141.118.122	192.168.2.6
Jul 21, 2021 23:04:56.670183897 CEST	49765	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:00.688455105 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:00.757085085 CEST	6666	49766	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:00.757301092 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:00.757996082 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:00.869940996 CEST	6666	49766	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:00.870184898 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:00.909481049 CEST	6666	49766	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:00.909615993 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:00.972424984 CEST	6666	49766	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:00.972599030 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:01.036134958 CEST	6666	49766	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:01.039525032 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:01.137598038 CEST	6666	49766	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:01.139020920 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:01.235349894 CEST	6666	49766	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:01.235574007 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:01.300892115 CEST	6666	49766	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:01.301136017 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:01.413594007 CEST	6666	49766	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:01.413789988 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:01.478363037 CEST	6666	49766	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:01.498728991 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:01.561584949 CEST	6666	49766	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:01.607815027 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:01.640045881 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:01.738431931 CEST	6666	49766	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:01.738681078 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:01.837882042 CEST	6666	49766	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:01.858283043 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:01.961580992 CEST	6666	49766	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:01.961798906 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:02.067329884 CEST	6666	49766	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:02.067445993 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:02.176187992 CEST	6666	49766	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:02.186783075 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:02.289613962 CEST	6666	49766	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:02.289743900 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:02.395823002 CEST	6666	49766	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:02.404831886 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:02.510215998 CEST	6666	49766	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:02.510576963 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:02.592542887 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:02.614398003 CEST	6666	49766	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:02.614497900 CEST	49766	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:06.608777046 CEST	49767	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:06.672780991 CEST	6666	49767	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:06.672884941 CEST	49767	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:06.673557997 CEST	49767	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:06.785502911 CEST	6666	49767	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:06.821387053 CEST	6666	49767	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:06.821742058 CEST	49767	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:06.890532970 CEST	6666	49767	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:06.891258001 CEST	49767	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:06.993156910 CEST	6666	49767	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:07.099301100 CEST	6666	49767	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:07.099802971 CEST	49767	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:07.156719923 CEST	6666	49767	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:07.157351017 CEST	49767	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:07.216942072 CEST	6666	49767	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:07.217139959 CEST	49767	6666	192.168.2.6	188.141.118.122
Jul 21, 2021 23:05:07.277728081 CEST	6666	49767	188.141.118.122	192.168.2.6
Jul 21, 2021 23:05:07.326803923 CEST	49767	6666	192.168.2.6	188.141.118.122

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: gXcRJ8123G.exe PID: 1700 Parent PID: 5768

General

Start time:	23:03:02
Start date:	21/07/2021
Path:	C:\Users\user\Desktop\gXcRJ8123G.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\gXcRJ8123G.exe'
Imagebase:	0x640000
File size:	207872 bytes
MD5 hash:	767E1C497FF0D617DE66C2D8ECE44C49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: NanoCore, Description: unknown, Source: 00000000.00000003.335010168.00000000041EB000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000000.324690560.0000000000642000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6092 Parent PID: 1700

General

Start time:	23:03:03
Start date:	21/07/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp28BF.tmp'
Imagebase:	0x1030000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 2576 Parent PID: 6092

General

Start time:	23:03:03
Start date:	21/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 4108 Parent PID: 1700

General

Start time:	23:03:04
Start date:	21/07/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2C3B.tmp'
Imagebase:	0x1030000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3700 Parent PID: 4108

General

Start time:	23:03:04
Start date:	21/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: gXcRJ8123G.exe PID: 1872 Parent PID: 936

General

Start time:	23:03:05
Start date:	21/07/2021
Path:	C:\Users\user\Desktop\gXcRJ8123G.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\gXcRJ8123G.exe 0
Imagebase:	0x60000
File size:	207872 bytes
MD5 hash:	767E1C497FF0D617DE66C2D8ECE44C49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000000.331597446.0000000000062000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.346411950.0000000002641000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.346446290.0000000003641000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.346446290.0000000003641000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 2944 Parent PID: 936

General

Start time:	23:03:05
Start date:	21/07/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x7ff614b90000
File size:	207872 bytes
MD5 hash:	767E1C497FF0D617DE66C2D8ECE44C49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.348559232.0000000002981000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.346521938.0000000000392000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.348658355.0000000003981000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.348658355.0000000003981000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000000.332506578.0000000000392000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 84%, Virustotal, Browse Detection: 100%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 5700 Parent PID: 3440

General

Start time:	23:03:15
Start date:	21/07/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x780000
File size:	207872 bytes
MD5 hash:	767E1C497FF0D617DE66C2D8ECE44C49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000000.352570827.0000000000782000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.368916384.0000000003E71000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.368916384.0000000003E71000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.368877575.0000000002E71000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.368877575.0000000002E71000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.367686754.0000000000782000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: gXcRJ8123G.exe PID: 1872 Parent PID: 936 gXcRJ8123G.exeCOMMON

Executed Functions

Function 04833850, Relevance: 2.0, Strings: 1, Instructions: 737COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 04833F9D

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID: >_Ir
API String ID: 0-3386957151
Opcode ID: adf5bd44ec11be82d65ccb8bbba362db9f042984ff17d226863edf4fe6949f4d
Instruction ID: 082481afdc8baa87d591bb06a8187676e40ca7a9cf59493db82913e1208e3e33
Opcode Fuzzy Hash: adf5bd44ec11be82d65ccb8bbba362db9f042984ff17d226863edf4fe6949f4d
Instruction Fuzzy Hash: 6142C271A04209CFCB05CF68C884969BBF2FF85305B158AAAE919DB252D771FD41CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 048323A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14da086c0872c7ff672580c1b678f977444ca0554aa9605f15e7e49badb6a77a
Instruction ID: 3a40f666fbcba09864b994e7d8556fd4aef1d252876d7413b48cd18a87facf19
Opcode Fuzzy Hash: 14da086c0872c7ff672580c1b678f977444ca0554aa9605f15e7e49badb6a77a
Instruction Fuzzy Hash: B712E230E04215CFC724DF29C99066DBBF2BF8530AF148AADD416DB255EB74A886DF80

Uniqueness

Uniqueness Score: -1.00%

Function 04832FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8563b4f2971cc7141046972c814ddd8ea305db850da8542042c90c6c16a74596
Instruction ID: d7b7a3a9e8c44a1c91cf97509508cd861df04197bd14f5e797075f19e014e41d
Opcode Fuzzy Hash: 8563b4f2971cc7141046972c814ddd8ea305db850da8542042c90c6c16a74596
Instruction Fuzzy Hash: 09818E31F011159BD718EB69D890A6EBBE3AFC8311F2A8575E815EB355DE31EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 04830980, Relevance: 5.2, Strings: 4, Instructions: 169COMMON

Download Yara Rule

Strings

X1kr, xrefs: 04830A98
X1kr, xrefs: 04830AA2
X1kr, xrefs: 04830A50
X1kr, xrefs: 04830A5A

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr$X1kr$X1kr
API String ID: 0-2451847431
Opcode ID: 63736f1df03e816b3b7b0841a0be9ba610f7d8d7343d18f9898a185a10f4002d
Instruction ID: 8cb31c57b706ba588b1a4f77821f893a7d243dc6877998f8cd322f794d3ccf1f
Opcode Fuzzy Hash: 63736f1df03e816b3b7b0841a0be9ba610f7d8d7343d18f9898a185a10f4002d
Instruction Fuzzy Hash: C4510431B08144DFDB14DBA8D85476EB7E2AF8670AF204AAAE542DB794DB30BC05C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 048309A9, Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

X1kr, xrefs: 04830A98
X1kr, xrefs: 04830AA2
X1kr, xrefs: 04830A50
X1kr, xrefs: 04830A5A

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr$X1kr$X1kr
API String ID: 0-2451847431
Opcode ID: a012e4f7c09892f2bf82c5a7605702848af35db4717ef98a434faffff07c169b
Instruction ID: 7f8cfc64b9d9ace3c94965f7f6fa38f65581ce35267cc8e539a0f9acc45005f6
Opcode Fuzzy Hash: a012e4f7c09892f2bf82c5a7605702848af35db4717ef98a434faffff07c169b
Instruction Fuzzy Hash: 41417E35B001049FCB04DFA9D898A6EBBF6FF85305F258569E5169B3A4CB70BC06CB84

Uniqueness

Uniqueness Score: -1.00%

Function 048302E8, Relevance: 2.7, Strings: 2, Instructions: 170COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 04830537
`5kr, xrefs: 048303A5

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID: :@Dr$`5kr
API String ID: 0-2548079215
Opcode ID: 156004a63da32ddb33575a8ee5f10a63e5507db9796c722dd3ef1412ba531555
Instruction ID: 9111c85eae2ee002254f2a3b25d3d1f97445eb82b67a90b0059e2dc3ca1ac226
Opcode Fuzzy Hash: 156004a63da32ddb33575a8ee5f10a63e5507db9796c722dd3ef1412ba531555
Instruction Fuzzy Hash: C251A030B05205CFDB08DF68C450B6E7BF2AF8A705F148969D506EB3A5EB71AC01DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04832D58, Relevance: 2.6, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 04832DA5
, xrefs: 04832E76

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID: $>_Ir
API String ID: 0-1787506450
Opcode ID: c370e7b74b62d2fa2647d1394c11df9fe9cb595f26fe0a5c28157a809d44de1d
Instruction ID: 40e9b6d7585d3448497ba4566f444a1f40ecd1b7d5e131b2b11308d221c28b51
Opcode Fuzzy Hash: c370e7b74b62d2fa2647d1394c11df9fe9cb595f26fe0a5c28157a809d44de1d
Instruction Fuzzy Hash: 9741B631F082198FCB10DF69C8415BEBBA2ABC131AB25CEB6D416DB646D635F842D7C1

Uniqueness

Uniqueness Score: -1.00%

Function 04830682, Relevance: 2.6, Strings: 2, Instructions: 126COMMON

Download Yara Rule

Strings

Z]r^, xrefs: 048306A1, 048306A6
Y]r^, xrefs: 04830702, 04830707

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID: Z]r^$Y]r^
API String ID: 0-854466355
Opcode ID: a57e87a36dfe5feffffd7e9e7a664a6d60736a5100c6480d8d08429f5182225a
Instruction ID: 4efa8d5b9b2e49680780f5c4e7ddfd1b97e313a53c7d38d195f5a4ff8babb490
Opcode Fuzzy Hash: a57e87a36dfe5feffffd7e9e7a664a6d60736a5100c6480d8d08429f5182225a
Instruction Fuzzy Hash: DB41513072C2008BC7146FB8ED2C66D7BA6AF8171AB54466EF502C72B9DFB15C41AB91

Uniqueness

Uniqueness Score: -1.00%

Function 048312A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$ghr, xrefs: 04831349

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 225b9a14200e6988e0d815108d24c7bb9fe39c306c3d73ad777f83435a7813bf
Instruction ID: 03c7895b3b538a20f107391d4dd82bc1503073b87e60bee73aee3b24d2b8fa2a
Opcode Fuzzy Hash: 225b9a14200e6988e0d815108d24c7bb9fe39c306c3d73ad777f83435a7813bf
Instruction Fuzzy Hash: 8F221A34A00605CFC764DF28C494A6ABBF2FF89344F108A99D85A9B759DB34BD85CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0095AA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0095AAB1

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 481fd491d9f79698dc27a94590fae28759f3246c633c60f869f07c4c1ddabad2
Instruction ID: 49492b9a277a867e5013d6a42b9663d192f36d7a9880eaa68d8c2fbcb6f2d7b2
Opcode Fuzzy Hash: 481fd491d9f79698dc27a94590fae28759f3246c633c60f869f07c4c1ddabad2
Instruction Fuzzy Hash: 1C31B172544384AFE722CB25CC45FA7BFBCEF06710F0885ABED819B152D264A809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 049700F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0497019D

Memory Dump Source

Source File: 00000005.00000002.346869234.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 21942b58798b00ce3cf74e27135d780ff7d2eea69a465b14f31da456fe180580
Instruction ID: a562daf33a6362baa3c273d0a2302d14beafbecbc137f9c08af1b0033cdb6fc9
Opcode Fuzzy Hash: 21942b58798b00ce3cf74e27135d780ff7d2eea69a465b14f31da456fe180580
Instruction Fuzzy Hash: 3A318F71509780AFE712CF25DC85F56FFF8EF06610F0884AAE9848B292D375A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0095AAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,052E1D9B,00000000,00000000,00000000,00000000), ref: 0095ABB4

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d988bb46bc1be72e77e318856b739fd504d41e9c714ab6381fc29f0ed6731446
Instruction ID: 8852bb1f6e7a5ae8a9c74718f0e0ed3249c225845f7b4267c4620e4049f87699
Opcode Fuzzy Hash: d988bb46bc1be72e77e318856b739fd504d41e9c714ab6381fc29f0ed6731446
Instruction Fuzzy Hash: 8231C472108384AFD722CB25CC44F62BFFCEF06310F08859AE985CB152D260E948CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0095AF50, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 0095AFEA

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: b695f79c93cc1dda9b2dce639b71dac7131ad550eecd8c7504d079b09b3f6714
Instruction ID: 0667d729ec1e30ee28370f2e3bca0bc5b86968982a4b2320b74a83d043cc6a10
Opcode Fuzzy Hash: b695f79c93cc1dda9b2dce639b71dac7131ad550eecd8c7504d079b09b3f6714
Instruction Fuzzy Hash: 3521B67154D7C06FD3138B259C51B22BFB8EF87A10F0A81DBED84CB553D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0095AA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0095AAB1

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 560bef117aa93d98389e6e5bce0b236a98872da865f3fe551a55ddc9e8808e67
Instruction ID: 2ee7bba9d172790fd51ccfa1d93a1b0ffc298e8f52a8754a2eb100d4026d0c2a
Opcode Fuzzy Hash: 560bef117aa93d98389e6e5bce0b236a98872da865f3fe551a55ddc9e8808e67
Instruction Fuzzy Hash: 8C21CF72500604AEE721DB15CC84F6BFBECEF04710F14855AEE419B241D674E808CB76

Uniqueness

Uniqueness Score: -1.00%

Function 0497012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0497019D

Memory Dump Source

Source File: 00000005.00000002.346869234.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 27cb6a93dd9d6bef9d879b911103d2f4c468255f82f4a70865daa0cef2fdd11f
Instruction ID: 6bca4e1a2007fa45f356fa83ff69c7c29d532a01d4ea1c095ca120f19781dd8c
Opcode Fuzzy Hash: 27cb6a93dd9d6bef9d879b911103d2f4c468255f82f4a70865daa0cef2fdd11f
Instruction Fuzzy Hash: D1218B71600240AFE720DF25DD85F6AFBE8EF05760F1884AAED498B281E7B1E504CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0095AB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,052E1D9B,00000000,00000000,00000000,00000000), ref: 0095ABB4

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1ce1f497d8207f1c8594cdd5db9c89ba9df2b2a33e15cd02167439e919baa855
Instruction ID: 6bdb647de09683c729a2226a79263881cdefcd0257717e7eb3b92eea868c51ab
Opcode Fuzzy Hash: 1ce1f497d8207f1c8594cdd5db9c89ba9df2b2a33e15cd02167439e919baa855
Instruction Fuzzy Hash: 47216D71600604AFE720CE26DC80F66FBECEF04711F14866AED459B251D6B4E808CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 0095B7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0095B841

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 684ab97046e08aba6793e9b27ae45067a12697bef71b415da4bf9a65062f4088
Instruction ID: 529577d16ec8eff020e4c5eab773bff43114d9ad0f07d23865f830bab60e545d
Opcode Fuzzy Hash: 684ab97046e08aba6793e9b27ae45067a12697bef71b415da4bf9a65062f4088
Instruction Fuzzy Hash: 9A2190714097C09FDB128B21DC51AA2BFB4EF17310F0D84DAEDC44F163D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0095A51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0095A58A

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6cb59fd002446a72dcc0b3f79b5ca12904b1bf8f7d889c6d1362a7dc343b2ca1
Instruction ID: 830074a61b1311fadd9808e78314fef1996bf3d7f1a10d232e68014c3de777ae
Opcode Fuzzy Hash: 6cb59fd002446a72dcc0b3f79b5ca12904b1bf8f7d889c6d1362a7dc343b2ca1
Instruction Fuzzy Hash: 2611B471409380AFDB228F51DC44E62FFF8EF4A310F0885DEEE858B152D275A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0095BB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0095BBB9

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c390605882e23a44082bf1cd02a533959da0fcb1749e828a8e5656a2a4b1591e
Instruction ID: 3b490a1b6da23916e8a46bf845de60dc4627fa96ae7dfbfd2f073dda854204bd
Opcode Fuzzy Hash: c390605882e23a44082bf1cd02a533959da0fcb1749e828a8e5656a2a4b1591e
Instruction Fuzzy Hash: 6D11D3355097C0AFDB228F25CC45B52FFB4EF16220F0884DEED858B563D275A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0095BE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0095BE70

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 5cbd6c16a4e4a191921d8608aaa7450e9df92ee6cfe96350bdbfbf2e4f18ff3b
Instruction ID: 1d9100511f95d1fd4f3afb69fab7d59a0cb9a360b88a641145e5a35bb46bd65a
Opcode Fuzzy Hash: 5cbd6c16a4e4a191921d8608aaa7450e9df92ee6cfe96350bdbfbf2e4f18ff3b
Instruction Fuzzy Hash: 6E117C754093C0AFD7128B259C45B61BFB4EF47624F0984DAED888F263D2A5680CCB62

Uniqueness

Uniqueness Score: -1.00%

Function 0095B71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0095B78A

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 12e2501ad78167c59b23f9cf20ede9de61e8e6751155647065e01acb185eb382
Instruction ID: eb7756d89d9d9a4faff3dbf198eb47ba075eff82568b396aaf202a03f95a8dbe
Opcode Fuzzy Hash: 12e2501ad78167c59b23f9cf20ede9de61e8e6751155647065e01acb185eb382
Instruction Fuzzy Hash: 0D119031404380AFDB22CF55DC44A52FFF4EF49310F08849EEE858B522D375A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0095BEB4, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 0095BF0C

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 7713346da8bdb430c5c4a6da9d04c54925e02f61779392b14738c38903da3cc2
Instruction ID: 4ea2746d6595538a49a94afe3d8ef2dc790b5f5536fdc99cf18ad6d3975d089f
Opcode Fuzzy Hash: 7713346da8bdb430c5c4a6da9d04c54925e02f61779392b14738c38903da3cc2
Instruction Fuzzy Hash: DA117071505384AFD711CF26DC85B96BFE8EF46220F0884EAED49CF256D274E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0095A75B, Relevance: 1.6, APIs: 1, Instructions: 52comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0095A7BC

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: da18e594dd0ac641d01b2ee1eb6808264fc96230e511ac836a82cd80bacc81ff
Instruction ID: 4f7270661a18afe7c6b5be75ec400f74b3dd4e945c4420bd6d6b92e41a84ef18
Opcode Fuzzy Hash: da18e594dd0ac641d01b2ee1eb6808264fc96230e511ac836a82cd80bacc81ff
Instruction Fuzzy Hash: 681182714493849FD711CF25DC45B52BFB4EF46220F0984EBED458F253D2759948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0095A8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0095A926

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: c994dce9491c91c72ebcbf0c1eed30ae4e63cc9f0dacdf2807857a04405bf114
Instruction ID: 043efe974520a9beb68fc062349aad6ba3fb9ff4e61aa678c42ed331e1121a01
Opcode Fuzzy Hash: c994dce9491c91c72ebcbf0c1eed30ae4e63cc9f0dacdf2807857a04405bf114
Instruction Fuzzy Hash: B1117C31409784AFD721CF15DC85A52FFF4EF06320F09859AEE894B262C275A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0095BED2, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 0095BF0C

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 2467969aee8dbbf40e82c9738e1af81c7b7ac530e6fb75f576ec37643fe028a8
Instruction ID: 413608dc6ecff8834b2256bb0f7af6e15194de0155b4e84bcd5a89278374f501
Opcode Fuzzy Hash: 2467969aee8dbbf40e82c9738e1af81c7b7ac530e6fb75f576ec37643fe028a8
Instruction Fuzzy Hash: EF015E716006449FDB10DF2ADC85766FB98EF04721F1884AADD49CB646D7B4E808CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0095A546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0095A58A

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0c03118cca7196f6ed2cfaefaaafdf79867c012f6301258f50c729b7155d610c
Instruction ID: e92b9a7cf2288653663baf3f4b3235d7642c72255119b45cf600abbc4442977b
Opcode Fuzzy Hash: 0c03118cca7196f6ed2cfaefaaafdf79867c012f6301258f50c729b7155d610c
Instruction Fuzzy Hash: 19016D31400704EFDB21CF55D844B56FFE4EF08721F18C9AAEE494B615D2B5A419DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0095B746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0095B78A

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 2bc2e69cc39df3e809d255a76dee1fcbab855f76078d4763544c5dc92788b93f
Instruction ID: 3f9d2f1bc79c27fc4295b013fa2758dc3280433ce2be5847fa1d07e231483260
Opcode Fuzzy Hash: 2bc2e69cc39df3e809d255a76dee1fcbab855f76078d4763544c5dc92788b93f
Instruction Fuzzy Hash: 21015B31400600AFDB21CF55D844B66FFE4EF48721F1889AAEE494AA16D3B5A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0095AF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 0095AFEA

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 79dc231a011bf2a79b040a3ffec1ad8daae60cc97d58754e0b94b067f3cf8f44
Instruction ID: e6968de1f2d7ee3560947d6c1c6ee43d22a2cafba6d340229a6bfa9bd6c36483
Opcode Fuzzy Hash: 79dc231a011bf2a79b040a3ffec1ad8daae60cc97d58754e0b94b067f3cf8f44
Instruction Fuzzy Hash: 2E018F71500600ABD210DF16DC82F26FBA8FB88A20F14815AED084B741E371B515CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 0095BB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0095BBB9

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8fad97b7df3a9d324fce9119a48420c4b1ef3e798b6462c8caad4f94b0fe8df4
Instruction ID: b43fc4a29772fa6371a9c0517d29ec59a3a28732e216efbdece0b06cf8155437
Opcode Fuzzy Hash: 8fad97b7df3a9d324fce9119a48420c4b1ef3e798b6462c8caad4f94b0fe8df4
Instruction Fuzzy Hash: 4B01BC35500700DFDB20CF16D885B66FFA4EF04321F18C4AEEE4A8B626C3B5A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0095A78A, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0095A7BC

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: bdc4964afc48f52c281109b26733a5e9d9eb5359e27269d77e1e0744d8dae96e
Instruction ID: 2cbbd8d1a1afbe809007854e0e662ecaa9d4c4e2976465b241701e5fac728dfa
Opcode Fuzzy Hash: bdc4964afc48f52c281109b26733a5e9d9eb5359e27269d77e1e0744d8dae96e
Instruction Fuzzy Hash: DE01AD748002449FDB10CF16D885766FFE8EF08321F18C5AADE488F206D2B9A408CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0095B806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0095B841

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2f96e1892b4b23ae72df3c71d614bb7b3eeb29e9624ee8a2ebce908e503a0009
Instruction ID: 955a43d2de891b40ec96d675a85038ec027a9ddc53b72d6afc688af8769c7f5f
Opcode Fuzzy Hash: 2f96e1892b4b23ae72df3c71d614bb7b3eeb29e9624ee8a2ebce908e503a0009
Instruction Fuzzy Hash: AA018F31400744DFDB20CF16D885B66FFA4EF14721F18D49ADE490B226D3B5A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0095A8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0095A926

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: c31d5dd466cdd272776a5608bc88936dcbc8d3af39fc7770c1bb0e9f83cc454f
Instruction ID: 6f4340dd610f01675ffebaf1cccf4bd32aae54a9e9169ae7f6e8f6ba2b1e3584
Opcode Fuzzy Hash: c31d5dd466cdd272776a5608bc88936dcbc8d3af39fc7770c1bb0e9f83cc454f
Instruction Fuzzy Hash: D101D131400704DFDB20CF06D885B62FFA4EF09721F18C5AADE4A0B216C2B5A818DF72

Uniqueness

Uniqueness Score: -1.00%

Function 0095BE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0095BE70

Memory Dump Source

Source File: 00000005.00000002.345771753.000000000095A000.00000040.00000001.sdmp, Offset: 0095A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: f92803ab3b484ee0c90ba78c6ceab18fe8b50c25aabde4cbea178a495ceb3600
Instruction ID: cb835e55ad8b51e3c64c284774c31357db76a16d8e39173847fe1ba5c3564f0f
Opcode Fuzzy Hash: f92803ab3b484ee0c90ba78c6ceab18fe8b50c25aabde4cbea178a495ceb3600
Instruction Fuzzy Hash: 09F0A435904644DFD710CF16D886765FFA4EF04721F18C4AADE494B216D3B9A40CDBA2

Uniqueness

Uniqueness Score: -1.00%

Function 048320D0, Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

r*+, xrefs: 0483230F

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 389cb6f4cbd24ac56812214d3deee1299a0b3decba6f097377c953e432e41e00
Instruction ID: 743ec9477d7cc7c7e8688180af9a80c03048443bc7f4989711a5a88f1befc9fe
Opcode Fuzzy Hash: 389cb6f4cbd24ac56812214d3deee1299a0b3decba6f097377c953e432e41e00
Instruction Fuzzy Hash: 78716130B08209DFCB44DFA8C99167EBBB1FF45305F108AAAD502D72A5E774AD41DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04831458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$ghr, xrefs: 048314C7

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: ca5dd49565326e268e4e11aaa21e93724808499b8dcfde0b20b35496830ff3fc
Instruction ID: 218c4c7ab5b5ab81a8de879c0027b60e4ead5347f971b8b302bd733edc426d74
Opcode Fuzzy Hash: ca5dd49565326e268e4e11aaa21e93724808499b8dcfde0b20b35496830ff3fc
Instruction Fuzzy Hash: 6F51F434A00218CFCB54EF64C894B9DBBB2BF49345F1045EAD80AAB369DB34AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04831292, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

$ghr, xrefs: 04831349

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: db768887b565306ca5bf93c72a3eaef8563524ed9fb237b559df863e72891309
Instruction ID: 50fc5e6d708244f75d540e18db24826af6460d1eb7b99a2f3034bdf1ebb05c76
Opcode Fuzzy Hash: db768887b565306ca5bf93c72a3eaef8563524ed9fb237b559df863e72891309
Instruction Fuzzy Hash: 9B412834A04218CFCB54DF68C894B9DBBB1BF4A344F0045AAD44AEB355DB30AD85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00952477, Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.345767431.0000000000952000.00000040.00000001.sdmp, Offset: 00952000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f53a10047dced90d68c8a4ed3d97807135d826ce3e5511377f9a5206b8a7f6
Instruction ID: 58acb3c03582d62e6ad0dd0b3617a726dbe660cd581857c1189cb0307e3aa6f4
Opcode Fuzzy Hash: b9f53a10047dced90d68c8a4ed3d97807135d826ce3e5511377f9a5206b8a7f6
Instruction Fuzzy Hash: 6AB16CA191E3C69ECB07DB3658796957F725E23312B0E00CBD8C1CB0B3E119494ECB6A

Uniqueness

Uniqueness Score: -1.00%

Function 04830BC0, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8089c4e2c49489eede7e4f9469b43c1e6cc4f44b2abc811d22ee3463e5c9c94
Instruction ID: 91e0a5ca3685187fad1461ea3bd1d4fb7615296df47f6c81c5e776c26a817d3d
Opcode Fuzzy Hash: a8089c4e2c49489eede7e4f9469b43c1e6cc4f44b2abc811d22ee3463e5c9c94
Instruction Fuzzy Hash: 8341E331B051088FCB058F2CC414AAE7BE6AFC6711F15856AE906EF3A5DEB1AC0697D1

Uniqueness

Uniqueness Score: -1.00%

Function 04832BF8, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775251f3bdfc44c4e321ffd21b5483def6789601daf425fbd29ec5de60924e50
Instruction ID: 6975ca3258a39f1b0e411118bb258ff0953f6dc39b4a17aadf3d52d28805b2ee
Opcode Fuzzy Hash: 775251f3bdfc44c4e321ffd21b5483def6789601daf425fbd29ec5de60924e50
Instruction Fuzzy Hash: 5241173470D299CFC71187289894A797FE4AF4260AB098BEBD056CF2A2D365AC07D7D1

Uniqueness

Uniqueness Score: -1.00%

Function 048302DA, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7253703d6de40a50394e296d64e941cdc2f47a2c0af773aa0be3ded137d13f31
Instruction ID: 1d5ae60304d8002c652dfab84dfe8c50af237617526de43771b0fe8471f242f6
Opcode Fuzzy Hash: 7253703d6de40a50394e296d64e941cdc2f47a2c0af773aa0be3ded137d13f31
Instruction Fuzzy Hash: F7416B30B01205CFDB18CF68C490BAE7BB2EF8A716F144969D502EB3A5DB71AC40DB91

Uniqueness

Uniqueness Score: -1.00%

Function 048325DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac9f3ba55009410878714c897aaf090fc2e29768ce05b3cb54638a8cea0065f
Instruction ID: 042c972674b4bf98689a2eb2acbf4a0d68982fa1b1cb5aee4e367edd090c0b19
Opcode Fuzzy Hash: dac9f3ba55009410878714c897aaf090fc2e29768ce05b3cb54638a8cea0065f
Instruction Fuzzy Hash: 3031AB30E14249CFDB60DF66C85064ABBF2BF85319F20DA6DC0159B265EBB4A589DF80

Uniqueness

Uniqueness Score: -1.00%

Function 048321E8, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a0341e0333ca16d0701493e1945a8f4c0759ec245d89b95de4284c635444f4
Instruction ID: 7e78dbfd63756c25783cb18c86b1a1c9f2c1c325f63518b3e8f2e45fda1dcb39
Opcode Fuzzy Hash: e0a0341e0333ca16d0701493e1945a8f4c0759ec245d89b95de4284c635444f4
Instruction Fuzzy Hash: 63316430E08209CFCB44DFA8C8547BDBBB1FF45309F104A9AD402D72A1E770AA45DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04834190, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eabb71513386379e65f367bc7afa3adbdc9d0b9f585b00ecdf038d04bce3a136
Instruction ID: 45a60c17584ce57d3a7c54fe78d522274e346a5a2a74a31ddb96569b2dc33c61
Opcode Fuzzy Hash: eabb71513386379e65f367bc7afa3adbdc9d0b9f585b00ecdf038d04bce3a136
Instruction Fuzzy Hash: FC110A71B042198BDB14EBB9D8045BF7AB6AFD5745F110B3ED507D7280EEB0A84097E2

Uniqueness

Uniqueness Score: -1.00%

Function 048321F8, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ad27988ca657fef7c4f216656949ea03e16ad68958121e39fc8430022ade6f
Instruction ID: d278ee04900507d18c84363bb13c0b1b2999f45636f5aec1e985a0e95dd5686e
Opcode Fuzzy Hash: 43ad27988ca657fef7c4f216656949ea03e16ad68958121e39fc8430022ade6f
Instruction Fuzzy Hash: 24213230E08209DFCB44DFA8C9556BDBBB1BB45305F104A9AD402D7291EB71AA44DB92

Uniqueness

Uniqueness Score: -1.00%

Function 022F0845, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.345890394.00000000022F0000.00000040.00000040.sdmp, Offset: 022F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7260cbf2160b20679a6963a8f3361a1bec8715adaaa6f3c775ab9480313bfd54
Instruction ID: 558c6ef74f12b20ba7deb0790026fe27a8afd47fd9e070df39ad6eb304f9f5fa
Opcode Fuzzy Hash: 7260cbf2160b20679a6963a8f3361a1bec8715adaaa6f3c775ab9480313bfd54
Instruction Fuzzy Hash: 88218B3410E3C19FD7138B20C860B15BFB1AF47604F2985EAD8898B6A3C33A8806CB52

Uniqueness

Uniqueness Score: -1.00%

Function 022F087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.345890394.00000000022F0000.00000040.00000040.sdmp, Offset: 022F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e8ce6b316462077ca6577800a2d7e04b94b17cea5d50b392dc8c553a7eecde
Instruction ID: 9afb6845c0f547c08fecb5a73affdd3d6accf84b4b726ab3a06c4c97ffd7234c
Opcode Fuzzy Hash: 61e8ce6b316462077ca6577800a2d7e04b94b17cea5d50b392dc8c553a7eecde
Instruction Fuzzy Hash: 85110634214384DFE755CBA4C544F26FBD1AB88B08F24C9ACEA490B64BC777D803CA91

Uniqueness

Uniqueness Score: -1.00%

Function 04832390, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bce51cce9f371d91c26f6dca6d73ffb2d529fee9ed4a6d0c222bea65114e223
Instruction ID: 561dbcea06cb51c4cfd6e537967828dba5285826c6bfee896b636c5adf3294e5
Opcode Fuzzy Hash: 2bce51cce9f371d91c26f6dca6d73ffb2d529fee9ed4a6d0c222bea65114e223
Instruction Fuzzy Hash: 60115170E08259DFC714DF59C850AAEBFB1BB4430AF104AADD506E7354EBB02842DF91

Uniqueness

Uniqueness Score: -1.00%

Function 048311DF, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3d887db9b6348708d86e442457395ad6af1bce5c2af1c2e69ed28f54f122a3
Instruction ID: 66546b3091a0b02a35fe414217f47051660b9eee73e538a9cb43164ad7623a6e
Opcode Fuzzy Hash: 1c3d887db9b6348708d86e442457395ad6af1bce5c2af1c2e69ed28f54f122a3
Instruction Fuzzy Hash: 1E118E35308280CFC705DB28D4689697FE6AF86A0671546EBD042CB2A7DB65AC09D792

Uniqueness

Uniqueness Score: -1.00%

Function 048305BA, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1120c1f4dff9b371b55d922206e0cb8d79b87c70442a2f6fd1e7f7f7e0c6d22b
Instruction ID: e3b2943a30d69ebfa8e0205624a2376ba0b1b06cc597c3c81aab35e0ec61b90a
Opcode Fuzzy Hash: 1120c1f4dff9b371b55d922206e0cb8d79b87c70442a2f6fd1e7f7f7e0c6d22b
Instruction Fuzzy Hash: 0F01AFB17082240BCB49A73D94217BF669B5BC6745B68012EE106EB3CAEEB49C0343D6

Uniqueness

Uniqueness Score: -1.00%

Function 048305C8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252f8f65cd908bca8bcc6ab720f2daffda9cf669c3ecab7a171ced9799f9f307
Instruction ID: 5f61a28937709b49cc0e97840b228bb7bc229c8ac0eba70ddff8925e80dad2c5
Opcode Fuzzy Hash: 252f8f65cd908bca8bcc6ab720f2daffda9cf669c3ecab7a171ced9799f9f307
Instruction Fuzzy Hash: 0FF0B47170422407CA48767D941177F62CF9BCAB51794452EE106DF3C8DEB09C0313D6

Uniqueness

Uniqueness Score: -1.00%

Function 04831209, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b26edc62f980ea081ccfb5d5eea82b5abf81ffda19021e7c5c7c145a582b4a
Instruction ID: 829bd39c04e712d9b37a750f75bff5079857a5dc51f424d347c2d30cd7019871
Opcode Fuzzy Hash: 03b26edc62f980ea081ccfb5d5eea82b5abf81ffda19021e7c5c7c145a582b4a
Instruction Fuzzy Hash: 4C01B134304000CFC704EB2CD058A697BE6BFC5706B1446AAE002CB7B5DFB19C09CB81

Uniqueness

Uniqueness Score: -1.00%

Function 022F05CF, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.345890394.00000000022F0000.00000040.00000040.sdmp, Offset: 022F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e8c83989901bebac65de83ac78d48b1dd88e3dd038769ceb251010f854bdf4
Instruction ID: a21738cf951d253d50657756b322c87ec17fbab842234f7a37803d9f7c04cfb0
Opcode Fuzzy Hash: 72e8c83989901bebac65de83ac78d48b1dd88e3dd038769ceb251010f854bdf4
Instruction Fuzzy Hash: C801D6755097806FD7128B16AC41862FFB8EF86620709C4DFED898B612D165A909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 04831218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad5f82ee09bb00d27c911abc0c9f0b6d3e708521f0d7f238cea943e585a7ac2
Instruction ID: 621695407d8dfb76d2bd97689f981cc5ca6512b43c88df299f85a5e5c5bb5f09
Opcode Fuzzy Hash: 2ad5f82ee09bb00d27c911abc0c9f0b6d3e708521f0d7f238cea943e585a7ac2
Instruction Fuzzy Hash: D301D130304004CBC704EB2CC04896DBBEABFC5B16B2046AAE406CB7B5DFB1AC0997C1

Uniqueness

Uniqueness Score: -1.00%

Function 048311B7, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c37c752828595efb3b1848988186f3e0776392db1ab8cedd9c0ed89b24cb356
Instruction ID: 2680df41576ae64241663e6932a1345a2b0c4e0dce94a4aaae994e1d8fafa363
Opcode Fuzzy Hash: 9c37c752828595efb3b1848988186f3e0776392db1ab8cedd9c0ed89b24cb356
Instruction Fuzzy Hash: 6F01D138304144CFC745EB2CD04C4A87FE6BF8660671846EAD446CFB3ADB70AD098B81

Uniqueness

Uniqueness Score: -1.00%

Function 04830918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65dc8ccdd8d87b2d98e01f39cb38b6eeb9d83e2fba0c01a2170aaf6d0d4fac0a
Instruction ID: 3f9d37515fef4ebc685391794e9390bf5c02e5d5cd87004f761940a15156aebc
Opcode Fuzzy Hash: 65dc8ccdd8d87b2d98e01f39cb38b6eeb9d83e2fba0c01a2170aaf6d0d4fac0a
Instruction Fuzzy Hash: CAE0EC31F2521C979B1059F59C105AFB7A997C6659F004E67DF07D7308F970684152D1

Uniqueness

Uniqueness Score: -1.00%

Function 04834180, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 222406e6bb2f0b86a0700b4081db3340aa502f6ddcb0294fda0217e1a67d99b9
Instruction ID: 69506fe50b34a8d3cce964e52637a48b6eea303aa6e807e80ee3a3a8778b7acb
Opcode Fuzzy Hash: 222406e6bb2f0b86a0700b4081db3340aa502f6ddcb0294fda0217e1a67d99b9
Instruction Fuzzy Hash: 9EF05C30B192589ECB205B786C044EF7FA5DBD554AB010B2FD806C2100F6F054144A91

Uniqueness

Uniqueness Score: -1.00%

Function 022F0938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.345890394.00000000022F0000.00000040.00000040.sdmp, Offset: 022F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: fe984c230058f64fe6c1a38d36cdbc765f23c03b866e9c9d510ba58ad290b7cf
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 9CF01D35104645DFC315DF40D540B15FBA2EB89B18F24C6ADE9490B756C337D913DA81

Uniqueness

Uniqueness Score: -1.00%

Function 04830908, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a968337e252653ef69578e1c1637123a550aa1a4feee327161bff33e18447e
Instruction ID: 7b06ac302e5fa0e3f1703a8e047b346e4cf98262c342b7a44c89c59de5b50835
Opcode Fuzzy Hash: 25a968337e252653ef69578e1c1637123a550aa1a4feee327161bff33e18447e
Instruction Fuzzy Hash: 81F0E930B1D2988FD711DBB84C6066F7FA54B86209F040A5B9D43D7349E5A45C4192C1

Uniqueness

Uniqueness Score: -1.00%

Function 022F05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.345890394.00000000022F0000.00000040.00000040.sdmp, Offset: 022F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeac50ff78a3ba59817d30e67adf883e1b6847c6affd6c919af9c07d9c5a3ecd
Instruction ID: d52ba5ee8dd1f2e3175be6efd98fcabce253d15d05cbaed8f4e64a51ee4685f2
Opcode Fuzzy Hash: eeac50ff78a3ba59817d30e67adf883e1b6847c6affd6c919af9c07d9c5a3ecd
Instruction Fuzzy Hash: C3E09276640B008BD650CF0BEC41462F7E8EB88630B18C47FDC0D8B700E175B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 04830650, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae6654cde107a4875cad884f1059cb5459e8cff792be875e86cfa65cc0b1b88
Instruction ID: 22df4c2bef60dfbdecba4c2315e369c9649416980a6ce9d1cc52ac0761881808
Opcode Fuzzy Hash: 2ae6654cde107a4875cad884f1059cb5459e8cff792be875e86cfa65cc0b1b88
Instruction Fuzzy Hash: 6AD05E7159E3D88FC30357B02C354A97F304E9320A70589AFC482DA4ABE56A5456AB62

Uniqueness

Uniqueness Score: -1.00%

Function 0483016F, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f991f91a74780c3239f974d92d9279cc32de51f0768596fbf607466c16baa89
Instruction ID: ad13eef530176c43eadc093e21a75202d21cb962ec99901fb425ce36aaa92ed8
Opcode Fuzzy Hash: 2f991f91a74780c3239f974d92d9279cc32de51f0768596fbf607466c16baa89
Instruction Fuzzy Hash: 7BE02B357493008FCB055730E86559C3B219F83121704067EC473C77E1EB7AC486CA00

Uniqueness

Uniqueness Score: -1.00%

Function 04832D20, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aef6c192ed4fdd98c383638772ce1d88b892b64183d0d8d672882e49eab699d
Instruction ID: f83f0838c4cac3941e6b518da463da97c37eb79147d09d61825fd314cf5369f4
Opcode Fuzzy Hash: 4aef6c192ed4fdd98c383638772ce1d88b892b64183d0d8d672882e49eab699d
Instruction Fuzzy Hash: 0AD0A73038C24CAEE79283586C34FA53B505B1870BF040AD6D14ADB1E7E950B0106981

Uniqueness

Uniqueness Score: -1.00%

Function 009523F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.345767431.0000000000952000.00000040.00000001.sdmp, Offset: 00952000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e72d983962c625211f9f394057c30e70a61c08f869350a5be156c06af9f405
Instruction ID: 2f00058a12ba650674e674643d56b20e70aa413338ebfc1894ebd35ff1019003
Opcode Fuzzy Hash: e0e72d983962c625211f9f394057c30e70a61c08f869350a5be156c06af9f405
Instruction Fuzzy Hash: 89D05E79219A818FD326CF1CC1A8B953B98AB52B05F4644FDEC008B673C368D985D200

Uniqueness

Uniqueness Score: -1.00%

Function 048302A1, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3ab8c804bafc522bd5a39e7fca7fc26944eab5d283976b8e047891657cf9c1
Instruction ID: 60233d148606c2c81893cac1c457f32733d0d8f349dfdecacd718373dbe30afe
Opcode Fuzzy Hash: 9b3ab8c804bafc522bd5a39e7fca7fc26944eab5d283976b8e047891657cf9c1
Instruction Fuzzy Hash: 77D01735309604CFC361DB18E8A0A857BE1BB81205B408A0DE49687A98C770BC059B45

Uniqueness

Uniqueness Score: -1.00%

Function 009523BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.345767431.0000000000952000.00000040.00000001.sdmp, Offset: 00952000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09e6953668c725b5b18d745a46044c22fe38ea9ea681f5268cf03d25fd1b7b6
Instruction ID: 697c70098bf4c3799ebb98255d901e9eba68b17cde1edf39a1bf8041418c51dc
Opcode Fuzzy Hash: b09e6953668c725b5b18d745a46044c22fe38ea9ea681f5268cf03d25fd1b7b6
Instruction Fuzzy Hash: F0D05E342002818BC715DB0DC594F5937D8AB42B01F0644E8AC008F662C3B8DC85C600

Uniqueness

Uniqueness Score: -1.00%

Function 04830180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e2202453d20d0c082a22c6c111bfdcf9ba20cc0418ca360340663c195a52c16
Instruction ID: 45ce5d1ac7d4cb5501d9069f88b936538f59d6f31471db667e845cd043ed3033
Opcode Fuzzy Hash: 9e2202453d20d0c082a22c6c111bfdcf9ba20cc0418ca360340663c195a52c16
Instruction Fuzzy Hash: 7AD01238214304CFCB082BB0F41942833AAAB8A206300087EE81787764EFB6E881DA44

Uniqueness

Uniqueness Score: -1.00%

Function 04830660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e7504bd0237bec5b2012d7277c10d9025af4e1bfd354075303e65e17e6a63d
Instruction ID: cfcc93aaa507cb0bf74ae4612fd325087d30e5fc5954cdfb0620cf6e725510fb
Opcode Fuzzy Hash: 41e7504bd0237bec5b2012d7277c10d9025af4e1bfd354075303e65e17e6a63d
Instruction Fuzzy Hash: 54C02B7014D30CCFC20427B02C04439B20896C330F300CD36C4026003DBD72B471B891

Uniqueness

Uniqueness Score: -1.00%

Function 04832EC0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51898e4c08e73de2e78cc821f18e975c7bc396e2ecc6c2f43a914d5d05cfebba
Instruction ID: 28d1019244fc1d16c91dfb1fe8e4a12d883796df5f9d4b51309192defb31339f
Opcode Fuzzy Hash: 51898e4c08e73de2e78cc821f18e975c7bc396e2ecc6c2f43a914d5d05cfebba
Instruction Fuzzy Hash: 4BB0123021C2090F17405BB12C09A12338C474080635005A4D80CC0001F590E0903180

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0006524A, Relevance: .6, Instructions: 585COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.345462814.0000000000062000.00000002.00020000.sdmp, Offset: 00060000, based on PE: true

Associated: 00000005.00000002.345455983.0000000000060000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.345487954.0000000000082000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8098e29a36d30d9914beb125c3c34926cfb2a16b1f5591641f6e75a409070f65
Instruction ID: 55fa7a6674d7d499a0b5e3256f6558ca69d96a92c2a3eddfe435638ec4d9b27e
Opcode Fuzzy Hash: 8098e29a36d30d9914beb125c3c34926cfb2a16b1f5591641f6e75a409070f65
Instruction Fuzzy Hash: 4A32646144F7C14FD7635B788CB86A17FB1AE6321474E49CBC0C1CF4A3EA19591AC722

Uniqueness

Uniqueness Score: -1.00%

Function 0483306F, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.346588670.0000000004830000.00000040.00000001.sdmp, Offset: 04830000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7efd69c08a4167d7c7bbc96dcd35a764b490b623d607b31e722c56d41c743156
Instruction ID: d3a510f9c98c74e205e80e6e1083f6a236a90e74591e48b9f20557a4465c199a
Opcode Fuzzy Hash: 7efd69c08a4167d7c7bbc96dcd35a764b490b623d607b31e722c56d41c743156
Instruction Fuzzy Hash: 16518F72F015159BD718DB6DC990A5EBBE3AFC8311F2A8575E405DB3A9DE30EC018B80

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dhcpmon.exe PID: 2944 Parent PID: 936 dhcpmon.exeCOMMON

Executed Functions

Function 04B83850, Relevance: 2.0, Strings: 1, Instructions: 758COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 04B83F9D

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID: >_Ir
API String ID: 0-3386957151
Opcode ID: b696096e52d3c3684f82af9913daf6c1f557baac74114f34329f4588a09106b2
Instruction ID: 325c7d520282dfa8608a5518a60345f30fa31f076743cba53685a9b2bf0b32ab
Opcode Fuzzy Hash: b696096e52d3c3684f82af9913daf6c1f557baac74114f34329f4588a09106b2
Instruction Fuzzy Hash: 7D42D071A04216CFCB04DF68C8949AEBBF2FF85710B1985AAD9159F252D772FC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04B823A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc5c6d11692ee35ce2b39a11e8d4d0943117d8b6d2e20d0566b23463b159be6
Instruction ID: f75a914e120fac4a35f8c821c744b9372289086793c8e34c695e11a261ca36d1
Opcode Fuzzy Hash: ecc5c6d11692ee35ce2b39a11e8d4d0943117d8b6d2e20d0566b23463b159be6
Instruction Fuzzy Hash: 7E129930A04255CFCB28EF69C58466DBBF2FF88304F2485EED416AB255EB74A846DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04B82FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb758dfee4904ebd64df45361724ca8badcb089d40ad22fdf474e04ebfbae4ec
Instruction ID: 8cb0dacd9a012652ee4f5170426296b592314551184e0fa25998090d6b15979c
Opcode Fuzzy Hash: cb758dfee4904ebd64df45361724ca8badcb089d40ad22fdf474e04ebfbae4ec
Instruction Fuzzy Hash: 89818E31F001159BDB18EB69D890A6EBBE3EFC4710F2A84B9D815AB355DE31EC01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04B809A5, Relevance: 5.2, Strings: 4, Instructions: 174COMMON

Download Yara Rule

Strings

X1kr, xrefs: 04B80A98
X1kr, xrefs: 04B80A50
X1kr, xrefs: 04B80A5A
X1kr, xrefs: 04B80AA2

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr$X1kr$X1kr
API String ID: 0-2451847431
Opcode ID: 7e745cd29c551f6810653005d20f73450828c8e30b12cefba03b36524f8ca788
Instruction ID: 81f33e7ef9d6169ff2af58d21cbfc42fc602693ae128731dcb7c44d6a09da438
Opcode Fuzzy Hash: 7e745cd29c551f6810653005d20f73450828c8e30b12cefba03b36524f8ca788
Instruction Fuzzy Hash: 1251C531B04251DFCB15BFA4D854AAEB7F2EFC4344F2285AED5169B250DB30AC0ADB81

Uniqueness

Uniqueness Score: -1.00%

Function 04B802E8, Relevance: 2.7, Strings: 2, Instructions: 221COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 04B80537
`5kr, xrefs: 04B803A5

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID: :@Dr$`5kr
API String ID: 0-2548079215
Opcode ID: 1480048f336e20175ab4018987bcfa30dde7fbbbd9202dd4278fc48eb49397de
Instruction ID: f36e50b6289bd00a244bd08a0533b3afc78b77bd8e59c8490d24cfede628c037
Opcode Fuzzy Hash: 1480048f336e20175ab4018987bcfa30dde7fbbbd9202dd4278fc48eb49397de
Instruction Fuzzy Hash: B6719230B052019FDB09EB68C4506AE7BB3EFC9750F1580AED506AB395DF71AC06DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04B82D58, Relevance: 2.6, Strings: 2, Instructions: 134COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 04B82DA5
, xrefs: 04B82E76

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID: $>_Ir
API String ID: 0-1787506450
Opcode ID: 8d2dde7002c9bff105c08236bf8cc4bb2e003fa2c38aa442fcd2776e98304658
Instruction ID: 82f76f8e69f019baf21645e8c6ead307fa44ac298b0875a1dd92464b9982ed87
Opcode Fuzzy Hash: 8d2dde7002c9bff105c08236bf8cc4bb2e003fa2c38aa442fcd2776e98304658
Instruction Fuzzy Hash: 1241C330F04215CBDB18EF69C8805BEBBA2EBC1216B24CCEED416DB605D631F852C785

Uniqueness

Uniqueness Score: -1.00%

Function 04B812A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$ghr, xrefs: 04B81349

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 310f795d17b41cec8443fd06ceac500c647b00944f7c716fa4744c85d5c7945e
Instruction ID: 0f1168eba9841ec8e3c717548e3683656100876c6978f20c6e2351870c15ccd9
Opcode Fuzzy Hash: 310f795d17b41cec8443fd06ceac500c647b00944f7c716fa4744c85d5c7945e
Instruction Fuzzy Hash: CB22D434A04605CFC724EF28C594A6ABBF2FF88304B10859AD85A9B756DB34BD86CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0246AA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0246AAB1

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d5c3891b9ac927da0371293e325ff0c401313f9e28e99800025bc0a7ecc3b576
Instruction ID: 230b6f834edeca7da42bfd1e625ed1b3a8af36c971a664dbb8824c410b5de2c6
Opcode Fuzzy Hash: d5c3891b9ac927da0371293e325ff0c401313f9e28e99800025bc0a7ecc3b576
Instruction Fuzzy Hash: DA31D472544784AFE7228F25CC45FA7BFACEF06710F08849BED809B252D265A809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0246AAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,0E6BB092,00000000,00000000,00000000,00000000), ref: 0246ABB4

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 644664a47368c5813667deab3e923bf161945ac94d4f57b9ff551f9ee10ad577
Instruction ID: 4a83d04d1a8b3713df1602df862063e5cb11adcca3a7eefdceae7e5a865e398a
Opcode Fuzzy Hash: 644664a47368c5813667deab3e923bf161945ac94d4f57b9ff551f9ee10ad577
Instruction Fuzzy Hash: 2131B371108784AFD722CB25CC44F63BFB8EF06710F08849BE9859B253D360E448CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04BE00F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE ref: 04BE019D

Memory Dump Source

Source File: 00000006.00000002.349049866.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 54129302184af3e66dcf9a4bf561f47e996bcd07c6b4e09f9dc4a1d6d064196f
Instruction ID: c09766e0a63dfd62745e8f1583cade1b581207103ae1a33e1acafa9c87c84ff3
Opcode Fuzzy Hash: 54129302184af3e66dcf9a4bf561f47e996bcd07c6b4e09f9dc4a1d6d064196f
Instruction Fuzzy Hash: 533181715097806FE712DF25DC45F56FFE8EF46210F08849AE9848F292D375E909C762

Uniqueness

Uniqueness Score: -1.00%

Function 0246AF50, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 0246AFEA

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: efc3ef8525084393c6e164f61d9283757184a1da2acd406a1d1509348985bc83
Instruction ID: 36c6fd89a7f22c82ebe0c5c2417e4d160fbb4e1635b48e781907fbf2bf315fe1
Opcode Fuzzy Hash: efc3ef8525084393c6e164f61d9283757184a1da2acd406a1d1509348985bc83
Instruction Fuzzy Hash: 6A21D67144D7C06FD3138B259C51B22BFB4EF87A10F0A81DBE884CB653D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0246AA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0246AAB1

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 0ea6f62fc5eae694b8a7da842a31deddc1fd842de234363112c8b50b6aa82878
Instruction ID: 74eb18f95565230ce8e17e9bd8aaa6300a6f36a6a5689f127bd8864ab71eecd2
Opcode Fuzzy Hash: 0ea6f62fc5eae694b8a7da842a31deddc1fd842de234363112c8b50b6aa82878
Instruction Fuzzy Hash: 9F21CF72500704AEE7219F25CC84F6BFBECEF04710F14855BEE459A241D661E8498B72

Uniqueness

Uniqueness Score: -1.00%

Function 04BE012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE ref: 04BE019D

Memory Dump Source

Source File: 00000006.00000002.349049866.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: ab647f9000687931e6bf2d633886b86cc6a23c011d6343c7b6bc866b2b07f09e
Instruction ID: 38df83684113ff683a937368a644f323ca85dd3d19f12340fb2fe7e28ba168f6
Opcode Fuzzy Hash: ab647f9000687931e6bf2d633886b86cc6a23c011d6343c7b6bc866b2b07f09e
Instruction Fuzzy Hash: 8B218071604200AFE720DF26DD45B6AFBE8EF45710F1484AAED858F241E7B1E505CB76

Uniqueness

Uniqueness Score: -1.00%

Function 0246AB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,0E6BB092,00000000,00000000,00000000,00000000), ref: 0246ABB4

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5e455fdf2e34d70cc012f789b6f78967323d615762a81c7a227018ad45155b04
Instruction ID: 93ce2e25313c62fc51ea14ea0f5761bdeb567045ad29507fe9c5304c2f700682
Opcode Fuzzy Hash: 5e455fdf2e34d70cc012f789b6f78967323d615762a81c7a227018ad45155b04
Instruction Fuzzy Hash: EE214D75600A04AFE720CE25DC85F67FBECEF05B10F14856BEA459B251D760E449CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0246A51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0246A58A

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 94d38ed37a99a0378e32e4e46d7274c6cc242621e740fc63a167cb30c4a67470
Instruction ID: 4962a23814174a20b37633a5e5c86c7baadfc97beeb6d7b3d65c4d8e4d92b10d
Opcode Fuzzy Hash: 94d38ed37a99a0378e32e4e46d7274c6cc242621e740fc63a167cb30c4a67470
Instruction Fuzzy Hash: ED117271409780AFDB228F55DC44B62FFF4EF4A210F0884DAEE898B252D375A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0246B7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0246B841

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 94d857851032ef01d8f064c1a3d80114488c13baaed0e0fa16f3fa99c8e4e928
Instruction ID: 4103d9a9edc85ee51e9f8baa738f088b15bb524ce7400eeb12859cc7c0b90dab
Opcode Fuzzy Hash: 94d857851032ef01d8f064c1a3d80114488c13baaed0e0fa16f3fa99c8e4e928
Instruction Fuzzy Hash: 2B2190714097C09FDB228B25DC54AA2BFB0EF17314F0D84DAEDC44F263D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0246BB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0246BBB9

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1baf327025bb9943d78f82534f316eb15c52b9d8915cb81970e64794b911c049
Instruction ID: 9569b52af18cf2cd97c9533beebdf0247c657ed7f4d539332c595bcc4399326e
Opcode Fuzzy Hash: 1baf327025bb9943d78f82534f316eb15c52b9d8915cb81970e64794b911c049
Instruction Fuzzy Hash: 2211D0355097C0AFDB228F25DC45B52FFB4EF06220F0884DFED858B663D265A858DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0246BE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0246BE70

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: d6bffe5e1b445950cd1551e6b2889414f60add0b6a6bdfc2e34ba5b0cf4cb202
Instruction ID: 8f75f4c903b1a7e7a80c4c9edf71494491254e1641347f12de933bf25f53bb41
Opcode Fuzzy Hash: d6bffe5e1b445950cd1551e6b2889414f60add0b6a6bdfc2e34ba5b0cf4cb202
Instruction Fuzzy Hash: 5C117C758093C0AFD7228B25DC44B62BFB4DF47624F0980DBED888F263D2656848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0246B71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0246B78A

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 4787ddde30d56fde55b52fd8471af413c0534826fe63b0b9e6e092875031b01e
Instruction ID: be1c6e90611db48adeeca24a41b2bbdc38073cae4d32d2043d4b9f2d3511d963
Opcode Fuzzy Hash: 4787ddde30d56fde55b52fd8471af413c0534826fe63b0b9e6e092875031b01e
Instruction Fuzzy Hash: CF11A231404780AFDB228F64DC44B52FFF4EF49310F08849EEE898B622D375A458CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0246BEB4, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 0246BF0C

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 41249e8d268e2136ba50237c773513d06bd4fe176d83753f2fd2736489de0c94
Instruction ID: c300a8dfd3c8662564f0f8ed066d50ae27206044e1baa40d9c5f7cd7d7bfe636
Opcode Fuzzy Hash: 41249e8d268e2136ba50237c773513d06bd4fe176d83753f2fd2736489de0c94
Instruction Fuzzy Hash: 06118F715053809FD715CF25DC85B66BFE8EF46220F0884AAED89DB252D274A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0246A75B, Relevance: 1.6, APIs: 1, Instructions: 52comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0246A7BC

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 3bf0f57cba8522773a0ed39ec735d6c2de3e24f6a10e49689de0c88cfa13ed59
Instruction ID: 0e8df7ae6532b8724645cf3dc3a7c87fdaa6bd328b9158c1eb7836e88cd13650
Opcode Fuzzy Hash: 3bf0f57cba8522773a0ed39ec735d6c2de3e24f6a10e49689de0c88cfa13ed59
Instruction Fuzzy Hash: 561190714497849FD7118F25DC45B52BFB4EF02220F0880DBDD498F253D275A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0246A8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0246A926

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 7a664b6a6a4c9a3da2c784611da767c9ada3f0539c65bcba69067af49afbed7a
Instruction ID: 2f352be9c1ec2c8951c919d223b47a7f3a7529a44821be56a94a9a0b2b7542b0
Opcode Fuzzy Hash: 7a664b6a6a4c9a3da2c784611da767c9ada3f0539c65bcba69067af49afbed7a
Instruction Fuzzy Hash: 46117C31409784AFD7218F15DC89B52FFF4EF06220F09C49AEE895B262C375A858CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0246BED2, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 0246BF0C

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 3041940e8bb4c6f33920ff6a2842a835e382736d957ec508dc79f4667e748f2a
Instruction ID: a6bbb9268141a473c8ef75b008c1507f24c70ad64a1f9d7872dabab942456ebc
Opcode Fuzzy Hash: 3041940e8bb4c6f33920ff6a2842a835e382736d957ec508dc79f4667e748f2a
Instruction Fuzzy Hash: 2B019271A006009FD714CF29D889766FB98DF00224F08C0ABDD49DB352D6B4D448CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0246B746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0246B78A

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 0ec1e6d3b64b683d136cf24f608d1fdc2babb21f7fc0f6e774053a61e598646a
Instruction ID: 98a7adc042f94618c179fe46956be814c368c67149748cf23118eb61444f8db0
Opcode Fuzzy Hash: 0ec1e6d3b64b683d136cf24f608d1fdc2babb21f7fc0f6e774053a61e598646a
Instruction Fuzzy Hash: 08016D31400A00EFDB218F55D848B66FFE4EF08721F08C5AADE899B612D3B5A458DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0246A546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0246A58A

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 853e76e1d482a9d4cbe0696de796b4d64c91d5cf41450b6f00bbd2bdbecb44fe
Instruction ID: 1bdc05cbf86dde56ac8e44bd6382ce37947c9776351e362e7b641098e710dfda
Opcode Fuzzy Hash: 853e76e1d482a9d4cbe0696de796b4d64c91d5cf41450b6f00bbd2bdbecb44fe
Instruction Fuzzy Hash: BB015B31400B00EFDB21CF55D848B66FFE4EF08720F08C59ADE895A612D375A458DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0246AF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 0246AFEA

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f4107cc9312d3dfe36ff53aab378806db3ef4bcf42fb07bdd14bf8d06e4eb799
Instruction ID: c1fb29c92dddd0b6030c7a7dde7780d0396b9cde76145b919be793a83e0b61a4
Opcode Fuzzy Hash: f4107cc9312d3dfe36ff53aab378806db3ef4bcf42fb07bdd14bf8d06e4eb799
Instruction Fuzzy Hash: 7B01A271500600ABD210DF16DC82F36FBA8FB88B20F14815AED084B741E371F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0246BB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0246BBB9

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 89aefbeee806f44996aaf337c225a7dd05917668ab8035e84439f371331b2df2
Instruction ID: f75b20b60d0ca159559f57ab5ad765ca1092233c632d28422e456a5268938055
Opcode Fuzzy Hash: 89aefbeee806f44996aaf337c225a7dd05917668ab8035e84439f371331b2df2
Instruction Fuzzy Hash: C701B135500700DFDB208F15DC45B66FFA0EF04724F08C09BDD499BA26C3B1A459CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0246A78A, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0246A7BC

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: cbcf1af0af4d453635d4f84b2c115c4cc3b834ea4ae7c9c70eeb884e03494879
Instruction ID: cda990d723dfc1e2535f10562357972e04567145c8b400e2214d8a4ad496cbbf
Opcode Fuzzy Hash: cbcf1af0af4d453635d4f84b2c115c4cc3b834ea4ae7c9c70eeb884e03494879
Instruction Fuzzy Hash: C6018B74800A409FDB20DF19D889766FFA4EF04221F18C0ABDE489B302D2B5A548CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0246B806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0246B841

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f63b85e49b6bcc8e83f042dd07fbf8ef54b39b09a7f7daadc5e5f9868c32dba7
Instruction ID: e8cbac2d0f21525ad7db632b2986542b865ce23d74dba0d5c2f827900d11dd69
Opcode Fuzzy Hash: f63b85e49b6bcc8e83f042dd07fbf8ef54b39b09a7f7daadc5e5f9868c32dba7
Instruction Fuzzy Hash: 83018F31900744DFDB208F55D888B66FFA0EF04724F18C49BDE895B222D3B5A458CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0246A8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0246A926

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 371d09033e1875bee1e463493c643a5e1c67e72788fc1f5bddb33756c2cbebe8
Instruction ID: a0e3fac2c09139206cb964dc323be403b493e7ad6e9a82a855442964938e0585
Opcode Fuzzy Hash: 371d09033e1875bee1e463493c643a5e1c67e72788fc1f5bddb33756c2cbebe8
Instruction Fuzzy Hash: BB01AD31800B04DFDB208F15D889762FFA0EF05720F18C4ABDE8A1B312C3B5A849CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0246BE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0246BE70

Memory Dump Source

Source File: 00000006.00000002.347462064.000000000246A000.00000040.00000001.sdmp, Offset: 0246A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 62d6beb07d99f7ffe54b1947db4fb97025de57a1b4dd684c4c86025f580d7ebb
Instruction ID: 611058feb3e1ce90aa111eba6c4b7e50224b8255eb45e3348c909373f4c01c48
Opcode Fuzzy Hash: 62d6beb07d99f7ffe54b1947db4fb97025de57a1b4dd684c4c86025f580d7ebb
Instruction Fuzzy Hash: A4F0AF35904644DFDB209F59D889762FFA0EF04724F18C0ABDE499B312D3B9A448CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04B81458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$ghr, xrefs: 04B814C7

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 55623468acc4a83106e77a1fd1dce122585ebddc83208ffd591d78cf5931b4e6
Instruction ID: eab555da039170a1c5aedcfa859519f61b9fa8f1fa5f4d6c6d1053ee39077bab
Opcode Fuzzy Hash: 55623468acc4a83106e77a1fd1dce122585ebddc83208ffd591d78cf5931b4e6
Instruction Fuzzy Hash: 6551C534A05214CFDB54EF68C894B99BBB2BF88304F1040EAD40AAB365DB75AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04B81292, Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

$ghr, xrefs: 04B81349

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: bec875b5d0f61884a6e6876b3d70e4c393eb3563604f0983802feefecaaee629
Instruction ID: 665b15256421b05ab328587c689a0dc6dc7b41f8eb04670645cce716e315945a
Opcode Fuzzy Hash: bec875b5d0f61884a6e6876b3d70e4c393eb3563604f0983802feefecaaee629
Instruction Fuzzy Hash: F9410534A05218DFCB54EF68D884BADBBB2BF49304F1040EAD44AAB355DB30AD86DF51

Uniqueness

Uniqueness Score: -1.00%

Function 04B821F8, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 04B8230F

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 4495e1b5dea091303d85e0ffac7fab9d5a560a64e7652083e8d515c74e1b0a8b
Instruction ID: 2ef47b4dab17b5d71ff78b4ed89bcfc202a410cf1e5c81653d4816d0ff9360a1
Opcode Fuzzy Hash: 4495e1b5dea091303d85e0ffac7fab9d5a560a64e7652083e8d515c74e1b0a8b
Instruction Fuzzy Hash: F441C830E08209DFDF48EFA5C5596AEBBB1FB44300F1084EED412A72A4E775AA45DF52

Uniqueness

Uniqueness Score: -1.00%

Function 04B82BF8, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c0e9b1ddc59d205053d6fddbb4ccb53056ada461247edc04d7faf32cf92514
Instruction ID: d52e1dcfa76a3d4d24417158c2c4bef0e6b68d5d7869ceee0834be368628933d
Opcode Fuzzy Hash: 48c0e9b1ddc59d205053d6fddbb4ccb53056ada461247edc04d7faf32cf92514
Instruction Fuzzy Hash: E141133460D3D58FC31E673884945B97FB4AF93210B1985EFD096CF5A3D661AC0ADB11

Uniqueness

Uniqueness Score: -1.00%

Function 04B80BC0, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25282fc466de55e56fb006a8d5b0871bc0544f156ef3012284fe25e86a38843
Instruction ID: 9945a42e15a0dfd2103a886c5fb2a043966fe03ad77aa8881aadc0621cbe7cf1
Opcode Fuzzy Hash: f25282fc466de55e56fb006a8d5b0871bc0544f156ef3012284fe25e86a38843
Instruction Fuzzy Hash: 0041C331B051048FC715AF69C4146AE7BE6AFC5350F1680AAE906AF291DEB1AC0ADB91

Uniqueness

Uniqueness Score: -1.00%

Function 04B80682, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cab1af744a66e1a8a40f55b6b54ed798c55fc3b8e9e50203d6926b1d2df4290
Instruction ID: 5fd38f98e327af8f0c6e8eecc4f1df2c6c7fae3406d325479fb1e4283d609ed7
Opcode Fuzzy Hash: 2cab1af744a66e1a8a40f55b6b54ed798c55fc3b8e9e50203d6926b1d2df4290
Instruction Fuzzy Hash: CF416C30B842008BD3087F78E95C56E7B66EFD034179549BAE523CB2A4DFB04C19CB96

Uniqueness

Uniqueness Score: -1.00%

Function 04B802DA, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b8f25c19b5973b4ae68a4ed30afbba542d4ecd4d1ac313d62eedef99ac3ad02
Instruction ID: cac6a4ac621ec3cc4b5fbf0abd794dda9334699d972c0801a2934543ec99bcbf
Opcode Fuzzy Hash: 0b8f25c19b5973b4ae68a4ed30afbba542d4ecd4d1ac313d62eedef99ac3ad02
Instruction Fuzzy Hash: 50417030B00605CFDB54EF68C0A0BAE7BB2EF89750F1640ADD502AB3A1DB71AC49DB51

Uniqueness

Uniqueness Score: -1.00%

Function 04B820D0, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f4dd4bdb37a9135e330398ee97531cd615362e95d8ec963692b4b0d57c27918
Instruction ID: f732b9278c41156c4dcec2cb3c662b267aca9b97825f9fea89547330837a10f6
Opcode Fuzzy Hash: 8f4dd4bdb37a9135e330398ee97531cd615362e95d8ec963692b4b0d57c27918
Instruction Fuzzy Hash: C5315030B08245DFDB09FFA8C89167E7BB5EF85300B2184EAD5069B295EB70AC52C791

Uniqueness

Uniqueness Score: -1.00%

Function 04B80006, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee8ed3e94d6448e80ab8bdb198fe0e7baa6bfde93aed02c290f4d4d33b482865
Instruction ID: 4fb9ed864ebea260bd7cecdd05de075e0145c8e466e827a50625d471ecf79210
Opcode Fuzzy Hash: ee8ed3e94d6448e80ab8bdb198fe0e7baa6bfde93aed02c290f4d4d33b482865
Instruction Fuzzy Hash: D831A17060D3C5DFC706FB7488684597FB6BE82600B0A44DFD592CB29BEA745819DB13

Uniqueness

Uniqueness Score: -1.00%

Function 04B821E8, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47827c06e5bfe6c398b3f8dc9b5c79f5bfdc8fd4c72c24d02f40bd5b760c458d
Instruction ID: 17baa725041c1acf4f9cb374e53bb186085a94f3fb9e424b6ed7ba01644a2749
Opcode Fuzzy Hash: 47827c06e5bfe6c398b3f8dc9b5c79f5bfdc8fd4c72c24d02f40bd5b760c458d
Instruction Fuzzy Hash: 47310B30E08249DFCF48EFA4C1556BDBBB1EF45300F1049EEC442AB2A1E671A945DF52

Uniqueness

Uniqueness Score: -1.00%

Function 04B825DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 278164bbe8847d41737bf26786ac17b8652381a6fb8d6ce6d41db4cddab8a58f
Instruction ID: e4f52df09a772fa7d7fd97b63a72a973f5a0fa98f3a6d90dfcd257abfb55221b
Opcode Fuzzy Hash: 278164bbe8847d41737bf26786ac17b8652381a6fb8d6ce6d41db4cddab8a58f
Instruction Fuzzy Hash: 19315834E00285CBDB68EF65D54465ABFA2FF84314F20C5EEC015AF254EBB4A48ADF81

Uniqueness

Uniqueness Score: -1.00%

Function 04B84190, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62373292ac3b9bd3d87f474551c4fd488c3ac4cca0ab8a11993ea858e690706a
Instruction ID: b87359cf16265a47dd26ce8ec47266ae0bccf5aa2acee7ee42fff3b4d0886dfa
Opcode Fuzzy Hash: 62373292ac3b9bd3d87f474551c4fd488c3ac4cca0ab8a11993ea858e690706a
Instruction Fuzzy Hash: 0811E171B142169BDB18FBB9D8045BFBAA6EFD4340F51057F850797280FEB0A844D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 04B808B2, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37bcd1889f6d182c43f7e4f94c809110c44235b1019a67d99a5513b609c3c2d
Instruction ID: 6bd0be8163add974643ebc1f6d60822c80e2b2218dc895136e6fb69a3ed4f92d
Opcode Fuzzy Hash: f37bcd1889f6d182c43f7e4f94c809110c44235b1019a67d99a5513b609c3c2d
Instruction Fuzzy Hash: F2117131B093948FD31177B858905AF7F768FD239070745EFC9829B252D9605C4BD391

Uniqueness

Uniqueness Score: -1.00%

Function 04B84180, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e556c6280b935c13cb8f7c551b1bbcea71a63cb19aed0c1feb3754a86c6084
Instruction ID: 91b04c9b0dd69604747dc702246498df8383f84e38aff50112e4ab256e74a9bc
Opcode Fuzzy Hash: 95e556c6280b935c13cb8f7c551b1bbcea71a63cb19aed0c1feb3754a86c6084
Instruction Fuzzy Hash: B5113671B182669ACF14FBB4A8015FFBFB6AFD5340F0106AF890287141FD71A818C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0263087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.347626171.0000000002630000.00000040.00000040.sdmp, Offset: 02630000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb9c2d79048a0023921d4dcfe32b91621896cf8dbfde1f79bd99a14c6f770a1
Instruction ID: 552e53dd980231ae819a9ff379d7abd74cda38d476e8c56638ec4f3a4f7b3cd2
Opcode Fuzzy Hash: bdb9c2d79048a0023921d4dcfe32b91621896cf8dbfde1f79bd99a14c6f770a1
Instruction Fuzzy Hash: 75112934204384DFE706CB14C940B26BBD5EB88708F24C99CE9490B783C777D807CA91

Uniqueness

Uniqueness Score: -1.00%

Function 04B82390, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c032cec33dfdb44b64a70808b2ca866908038ed79ce1c3ef4450de33a33eb03
Instruction ID: 639de8b356962922e991d5e7bae6693d0638d5a315b057432090ea5e84b4d8ab
Opcode Fuzzy Hash: 7c032cec33dfdb44b64a70808b2ca866908038ed79ce1c3ef4450de33a33eb03
Instruction Fuzzy Hash: F4113D70A0924ADFD75CAFA8C9516AE7FB1EF86300F1440EDC642A7641EA712842EB61

Uniqueness

Uniqueness Score: -1.00%

Function 04B811DF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a65a20ef1113a7d0e08eb81f78b5d8ede90ed690e6a5d48cedbfce1727b7843
Instruction ID: 6128072de21739b773ffcf8b156ffdac0dcb8e5c324342883fbadb1f1a984821
Opcode Fuzzy Hash: 9a65a20ef1113a7d0e08eb81f78b5d8ede90ed690e6a5d48cedbfce1727b7843
Instruction Fuzzy Hash: 6311A53030D280CFCB05AB2CD4548697FF6AFC620071541EFD442CB6B6DE65AC0ADB92

Uniqueness

Uniqueness Score: -1.00%

Function 04B805BA, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2aac6f2105de68ed00ca38e741b9f8da9b03f022bdd3f42b82dc0543c5e87c
Instruction ID: 186fc2bb654c6a47320a5b02e8394938dfe25281b1129ce849f94db49cfb0314
Opcode Fuzzy Hash: dd2aac6f2105de68ed00ca38e741b9f8da9b03f022bdd3f42b82dc0543c5e87c
Instruction Fuzzy Hash: D20122617081200BCA4AB77D94612FF2B9B8FC668076801AFD246EF384DEB44C039BD3

Uniqueness

Uniqueness Score: -1.00%

Function 04B81209, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b2a056acd4359f7496a0ae94ef2bae9a62d34fda8e851dd11f9ad6a22418b2b
Instruction ID: f1845d33636830f668ee51115d083b067b4d857116a0de21ef72b07a1b8e52c7
Opcode Fuzzy Hash: 7b2a056acd4359f7496a0ae94ef2bae9a62d34fda8e851dd11f9ad6a22418b2b
Instruction Fuzzy Hash: 57017530309140CFCB04AB6CD058869BFE5BFC621071541FED546CB776DEA5AC0ADB82

Uniqueness

Uniqueness Score: -1.00%

Function 026305CF, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.347626171.0000000002630000.00000040.00000040.sdmp, Offset: 02630000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a0f1e7360bd8b977380e184af096f72435b6ff37568107b76dddd590dca5e0
Instruction ID: c7e34f003a3b9bbbc03bb93c3a24c776c842ce8004fe2d707d9a325fc232104d
Opcode Fuzzy Hash: 64a0f1e7360bd8b977380e184af096f72435b6ff37568107b76dddd590dca5e0
Instruction Fuzzy Hash: 5A01DB715487805FC7128F16EC40893FFF8DF4623070980ABED898B212D1757909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04B81218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a3a32999c2e3c164896911df4b9d99ed30b4338b25f460fbe4c80cbb7cf7e3
Instruction ID: ee5a1267f53cfda0aed27ee02df5100bff8f1c6aa66ee585aa9c583c629007d0
Opcode Fuzzy Hash: 70a3a32999c2e3c164896911df4b9d99ed30b4338b25f460fbe4c80cbb7cf7e3
Instruction Fuzzy Hash: 4F011230305010CBCA44AB2CD0589697BEABFC5710B1441EEE506CB775DFB5AC0ADB81

Uniqueness

Uniqueness Score: -1.00%

Function 04B80918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab7f3012e9a4c6ca58e2dbe41cef97324ec2896924db28ffb44248b1f8e22fff
Instruction ID: 8ce07f8c48f4f5372b09bc66d4178cc912438a20eb8f65b104b3ee882c6825ce
Opcode Fuzzy Hash: ab7f3012e9a4c6ca58e2dbe41cef97324ec2896924db28ffb44248b1f8e22fff
Instruction Fuzzy Hash: C6E0E532F152189ADB107AFCD8015AFBBA9D7D52D0F0244AB9B17A3200F970680AD6D1

Uniqueness

Uniqueness Score: -1.00%

Function 02630938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.347626171.0000000002630000.00000040.00000040.sdmp, Offset: 02630000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 16ea4c565fee55756a58c021d8b80d699f380c15c6fdfe75a26b62e5be418731
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 81F01D35108644DFC706DF00D540B16FBA2EB89718F24C6ADE9490B752C337D813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 026305F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.347626171.0000000002630000.00000040.00000040.sdmp, Offset: 02630000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d834afb65d043f39a661168a77ee09b15787009d064477cac59fb1823972324c
Instruction ID: df0a9695fb31471c291430b68b09f0f78b7af0841ab3abe49759c1581f5c9857
Opcode Fuzzy Hash: d834afb65d043f39a661168a77ee09b15787009d064477cac59fb1823972324c
Instruction Fuzzy Hash: EFE06D76A40A008B9650CF0AEC41462F798EB88630B18C06FDC4D8B701E175B9048EA5

Uniqueness

Uniqueness Score: -1.00%

Function 04B802A1, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3c4961b27349fc30c9d43417439740f4ba1256b4fe681b65ef267e3c2950831
Instruction ID: 9f95dbaec56171b3c317ef488eb6a7fbbe70ee5a2e52f78658c8bed4df37e9a2
Opcode Fuzzy Hash: c3c4961b27349fc30c9d43417439740f4ba1256b4fe681b65ef267e3c2950831
Instruction Fuzzy Hash: 2DE01231609640CFC291AB65D6A14D57FB5EF46510316898ED4D747955C6607C0BDB00

Uniqueness

Uniqueness Score: -1.00%

Function 04B82D20, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4655ba283b79cc59a015aef2edfd5764386e75678979197f362eb3c3d5ca235f
Instruction ID: 0895ece15b7b53d9fbea1b62d1f79b16cffe155836f7ae7ffe16c917d074911a
Opcode Fuzzy Hash: 4655ba283b79cc59a015aef2edfd5764386e75678979197f362eb3c3d5ca235f
Instruction Fuzzy Hash: 2CD05E3038D2C0AED79E22A4582ABF43F308B5B205F1908DB90CA9F0D7A4426006F301

Uniqueness

Uniqueness Score: -1.00%

Function 04B8016F, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d09e1236f07612451ddeebc520eb77ac29bafe383b5988a6b2fbf62ff9aa99f
Instruction ID: 82ad4ff9d1fc9634b2c98ad21fc688d1ec452572ae0c2c03f89b77e6d478e68d
Opcode Fuzzy Hash: 4d09e1236f07612451ddeebc520eb77ac29bafe383b5988a6b2fbf62ff9aa99f
Instruction Fuzzy Hash: 61E0C2726053008FCB191730A0691AC3B32AF921213050AB9C477C77D1DA36889BCA00

Uniqueness

Uniqueness Score: -1.00%

Function 04B80650, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44daa6f5f5ed360dbbe736374a976a038abe9ba36ea354716d585dc346eb7db4
Instruction ID: f4e41f9522ecc25fe28d2a63f61c8180952f4563080b5497e52b762234222370
Opcode Fuzzy Hash: 44daa6f5f5ed360dbbe736374a976a038abe9ba36ea354716d585dc346eb7db4
Instruction Fuzzy Hash: 22D05E7158E3C08EC356637028250F87F22CE9311970588EAD8D156427D52668ABEB12

Uniqueness

Uniqueness Score: -1.00%

Function 024623F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.347450778.0000000002462000.00000040.00000001.sdmp, Offset: 02462000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a48de49c3b65c5a691cacf41c27741af9d7ba4e597d0b6d2881e781c323fd46a
Instruction ID: 44e3cdec8c279ac0a032bcc8650cb829ac207eb9701d6a9dc6f0de94a6590682
Opcode Fuzzy Hash: a48de49c3b65c5a691cacf41c27741af9d7ba4e597d0b6d2881e781c323fd46a
Instruction Fuzzy Hash: 5FD05B752156915FD316CA1CC16CB753B94AF51B04F4644FEEC008BB63C754D581D101

Uniqueness

Uniqueness Score: -1.00%

Function 024623BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.347450778.0000000002462000.00000040.00000001.sdmp, Offset: 02462000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be19e4eba330c7a5dbe7f9fdb7c4bb6e08f8266b50f0d8b46f679b6032a24c19
Instruction ID: 6852020c16a92827903b84640e93e7ea433bc4139691abc05376d38c08d9f3bf
Opcode Fuzzy Hash: be19e4eba330c7a5dbe7f9fdb7c4bb6e08f8266b50f0d8b46f679b6032a24c19
Instruction Fuzzy Hash: FFD05E342002818BC715DB1CC598F6A37D4AB41B04F0A44EAAC00CB762C3E4D8C1C600

Uniqueness

Uniqueness Score: -1.00%

Function 04B80180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9156fdfddd89a41b941d498b4472ab2d3bc2b6fcc3f42bc6395fda1c9571b8
Instruction ID: 00dbadd20371334212af595f98efb0b2174a54d95b630c7bed7c9294c2527344
Opcode Fuzzy Hash: 1a9156fdfddd89a41b941d498b4472ab2d3bc2b6fcc3f42bc6395fda1c9571b8
Instruction Fuzzy Hash: 6ED01231640304CFCB1C2BB0E01882833AAAF886063410CBCD9268B740EF36E8A5CA04

Uniqueness

Uniqueness Score: -1.00%

Function 04B80660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d98efc4750c028fcc2db0dcf976b1f5045a6ac729356e4d4a49d0372baa287a
Instruction ID: 1ea270502a1c8b07e599d90587bb8a8229333bc0958c2ea20a8cb2e18574d348
Opcode Fuzzy Hash: 6d98efc4750c028fcc2db0dcf976b1f5045a6ac729356e4d4a49d0372baa287a
Instruction Fuzzy Hash: 57C02B30185304CEC20836706804439B308DAC2301341C8798411201249D32B475E951

Uniqueness

Uniqueness Score: -1.00%

Function 04B82EC0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9f0c8a057640287f432b797dc3f16eba091f32e3b9baa4c497c9de35fada37
Instruction ID: 2fda15b2377beb28f32363476ae8cfa0866f1e12be1b6f58bc605573d4569edb
Opcode Fuzzy Hash: 4f9f0c8a057640287f432b797dc3f16eba091f32e3b9baa4c497c9de35fada37
Instruction Fuzzy Hash: 8BB012302442080B27446AB52808E12338CC64041634008E49C1CC0400F510E0B06144

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04B80D93, Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

0jr, xrefs: 04B80F8E
X1kr, xrefs: 04B80F1C
,:kr, xrefs: 04B80E38
:@Dr, xrefs: 04B810CB

Memory Dump Source

Source File: 00000006.00000002.348950767.0000000004B80000.00000040.00000001.sdmp, Offset: 04B80000, based on PE: false

Similarity

API ID:
String ID: ,:kr$0jr$:@Dr$X1kr
API String ID: 0-1245831938
Opcode ID: 2799cceeccbc8bcdb53d6cb7793d09b407dc8bc081c913d692bd00a4f2729dd1
Instruction ID: 44a540153c02093df010e5b98a4c29f0e0f56aa2dd25abe851c799a0116c95d1
Opcode Fuzzy Hash: 2799cceeccbc8bcdb53d6cb7793d09b407dc8bc081c913d692bd00a4f2729dd1
Instruction Fuzzy Hash: 72B19570A08344CFD3A4DF789160B6ABFE2FBD4704F50596EE5498B399DF7598428B02

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dhcpmon.exe PID: 5700 Parent PID: 3440 dhcpmon.exeCOMMON

Executed Functions

Function 04F73850, Relevance: 2.0, Strings: 1, Instructions: 761COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 04F73F9D

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID: >_Ir
API String ID: 0-3386957151
Opcode ID: 64e2f9885bcdde72911890125176c053f15d84be29fc9ca85b2a20f9331ae8bd
Instruction ID: 1d6d13fee2df983465ff5174b79e80c31f2adbd8a1203d6e560c0c73a4c6962f
Opcode Fuzzy Hash: 64e2f9885bcdde72911890125176c053f15d84be29fc9ca85b2a20f9331ae8bd
Instruction Fuzzy Hash: 0452E272A00215DFCB15CF58C8809ADBBB2FF84310B1985ABE9099F256D735FD42DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04F723A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87be1777c81c6b6752f21cf8f9b8d77d8b3264e636601f36cbbb709ce6965b3
Instruction ID: fcf49560d8df559085ec2aac26a3c4b8229cd07d2c467e94ed0be9c909e70c1b
Opcode Fuzzy Hash: c87be1777c81c6b6752f21cf8f9b8d77d8b3264e636601f36cbbb709ce6965b3
Instruction Fuzzy Hash: D712CE31E04225CFD724DF69C88066EBBF2BF84314F1681AAD446AB245EB79E847CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04F72FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7259e47b66a2209c65a9aa7a31922177791cdf5f5889753f7691619798aaa70a
Instruction ID: 33009aed2a38d33e24b451f7ce92cbc1785fc5155dd73883e25a537a84c28e5c
Opcode Fuzzy Hash: 7259e47b66a2209c65a9aa7a31922177791cdf5f5889753f7691619798aaa70a
Instruction Fuzzy Hash: 51817072F00115ABD718DB69D850A6EBBE3AFC4314F2A8176D805EB359DE35EC02DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F709A0, Relevance: 5.2, Strings: 4, Instructions: 176COMMON

Download Yara Rule

Strings

X1kr, xrefs: 04F70A5A
X1kr, xrefs: 04F70A50
X1kr, xrefs: 04F70A98
X1kr, xrefs: 04F70AA2

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr$X1kr$X1kr
API String ID: 0-2451847431
Opcode ID: 60c353ab1f4c88b7bc39a43105c19eb7533415db9308ad0dd13083b089468d81
Instruction ID: 769c3dfdc5a53f367696577c2d01bd531f4e37d751957515ac515e38d3b6c686
Opcode Fuzzy Hash: 60c353ab1f4c88b7bc39a43105c19eb7533415db9308ad0dd13083b089468d81
Instruction Fuzzy Hash: 0451A431B04215DFCB14AF68D854AAEB7F2FF84704F21856AE546DB254DF35AE02CB84

Uniqueness

Uniqueness Score: -1.00%

Function 04F702E8, Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 04F70537
`5kr, xrefs: 04F703A5

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID: :@Dr$`5kr
API String ID: 0-2548079215
Opcode ID: c319c6d454a5055ddaedc0a984f50d5b8cecda2ba6e0d1443fd9e26951ac2586
Instruction ID: cd65c9f6686ad231fe7eba1e1353c8ad0ab4dabbc426179127cbd8553a8a6e5a
Opcode Fuzzy Hash: c319c6d454a5055ddaedc0a984f50d5b8cecda2ba6e0d1443fd9e26951ac2586
Instruction Fuzzy Hash: 7E517D31F05205CFDB48DF68C460A6E7BF2AF89710F15806AD546AB3A1EF79AC02DB51

Uniqueness

Uniqueness Score: -1.00%

Function 04F70682, Relevance: 2.6, Strings: 2, Instructions: 139COMMON

Download Yara Rule

Strings

Zq^, xrefs: 04F706A1, 04F706A6
Yq^, xrefs: 04F70702, 04F70707

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID: Zq^$Yq^
API String ID: 0-2195490495
Opcode ID: 67f0d53f60e749e11b0beafcbecd9b0a880a4f9ad38b990e136299c415018afe
Instruction ID: 44dae1e649929ad260e4e1d76c973a46ea9c2110eb84c631ab5364c2eb28bca1
Opcode Fuzzy Hash: 67f0d53f60e749e11b0beafcbecd9b0a880a4f9ad38b990e136299c415018afe
Instruction Fuzzy Hash: FF415F31A08201CFC7257F38E85856D3B66BF90311725456AF4C2C72ADDF7A5C428BA6

Uniqueness

Uniqueness Score: -1.00%

Function 04F72D58, Relevance: 2.6, Strings: 2, Instructions: 134COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 04F72DA5
, xrefs: 04F72E76

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID: $>_Ir
API String ID: 0-1787506450
Opcode ID: 3aee497b428b8078d322c4135fa9a20ae52112b7ce870c7dc22b5cedee04c033
Instruction ID: 8865b7a3f529cbe5c28b9c98e759fb483d529b75b777772c083b62de55820025
Opcode Fuzzy Hash: 3aee497b428b8078d322c4135fa9a20ae52112b7ce870c7dc22b5cedee04c033
Instruction Fuzzy Hash: 8741C231F04215CBCB20DF69C8809BEB7B2EBC0314B26C8BBD5569B645D639F8438B81

Uniqueness

Uniqueness Score: -1.00%

Function 04F712A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$ghr, xrefs: 04F71349

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 6302e387eb05360db0504b3d16c60e651a36566c14d26aa2bb8c3471af0e3412
Instruction ID: 67cea81a39106e0b8f166297cd462202e54f6077ba6f26f611c52c61d308c8bd
Opcode Fuzzy Hash: 6302e387eb05360db0504b3d16c60e651a36566c14d26aa2bb8c3471af0e3412
Instruction Fuzzy Hash: 1822F334A00615CFC724DF28C580A6ABBF2FF89300B14869AD85AAB756DB34BD46CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0107AA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0107AAB1

Memory Dump Source

Source File: 00000007.00000002.368067755.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 95b2bf019640ce84606c16542839d5de08377a95e878639af473b6953e0bee48
Instruction ID: 686ce5068822f6038ebb89121de69dfafe0e876d26093db87a890b0d67405c6b
Opcode Fuzzy Hash: 95b2bf019640ce84606c16542839d5de08377a95e878639af473b6953e0bee48
Instruction Fuzzy Hash: CB31A072544384AFE7228B25CC45FA7BFECEF06710F0885ABED819B152D264A809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050900F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0509019D

Memory Dump Source

Source File: 00000007.00000002.369178482.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: a018be4668b52ec492fa189fd0ee15c910acf28dfca2764c5c8f4c7b7e9febf9
Instruction ID: 8b7d3a1ef40eadaa45351bf2adf179123d53585564dabee32359c4be5c9e3e1d
Opcode Fuzzy Hash: a018be4668b52ec492fa189fd0ee15c910acf28dfca2764c5c8f4c7b7e9febf9
Instruction Fuzzy Hash: 34319371509780AFE712CB25DC45F56FFE8EF06210F18849AE984CB292D375A909C761

Uniqueness

Uniqueness Score: -1.00%

Function 0107AAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,E7F2B1C2,00000000,00000000,00000000,00000000), ref: 0107ABB4

Memory Dump Source

Source File: 00000007.00000002.368067755.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e369f851f497ca3c4d169e124f2b7ba2fde35bc6446c90e36389695e13868e78
Instruction ID: bd3741932e35110baf6956ae4c3a4c0a6e30aba896fc392971e2a4a59306e163
Opcode Fuzzy Hash: e369f851f497ca3c4d169e124f2b7ba2fde35bc6446c90e36389695e13868e78
Instruction Fuzzy Hash: CD319371609384AFE722CB25CC44FA6BFFCEF06720F1884DAE9858B153D264E549CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0107AF50, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 0107AFEA

Memory Dump Source

Source File: 00000007.00000002.368067755.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 524dd28cc8e3472fed318815f4d30b8a562abc93462e97bf5e7a2b92efa3d2d9
Instruction ID: 3fc92278e40e14f1f09b519452503d44215d888be82cb9fce4882c6ba5f7a08b
Opcode Fuzzy Hash: 524dd28cc8e3472fed318815f4d30b8a562abc93462e97bf5e7a2b92efa3d2d9
Instruction Fuzzy Hash: D821B67154D3C06FD3138B259C51B22BFB8EF87A10F0A81DBED84CB553D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0107AA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0107AAB1

Memory Dump Source

Source File: 00000007.00000002.368067755.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 3a4757b96be884cba79760868911bc86feacec8d986c8980688c3e23a79eed15
Instruction ID: e974d485f82a7a6035663bbf9702e54a12d4ebb24cd022c1967df238184253fd
Opcode Fuzzy Hash: 3a4757b96be884cba79760868911bc86feacec8d986c8980688c3e23a79eed15
Instruction Fuzzy Hash: 69218E72600604AEE7219B19CD85F6BFBECEF04720F18855AEE859B241D664E8088BB5

Uniqueness

Uniqueness Score: -1.00%

Function 0509012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0509019D

Memory Dump Source

Source File: 00000007.00000002.369178482.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 872646437b9b97bf564abc0f6e799f85102919bcb1f103a26eeec0af40450c5c
Instruction ID: 4ea38180841e5ff4d01469e2bc35a50734fee171d2acd6bdf4072d6fe7737a24
Opcode Fuzzy Hash: 872646437b9b97bf564abc0f6e799f85102919bcb1f103a26eeec0af40450c5c
Instruction Fuzzy Hash: 2A21CF71604200AFEB24DF25DC89F6AFBE8EF04710F18846AED458B245E770E504CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0107AB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,E7F2B1C2,00000000,00000000,00000000,00000000), ref: 0107ABB4

Memory Dump Source

Source File: 00000007.00000002.368067755.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5ffc3ebddfc690c945fe691f8234d99670ba77effae5d5460f1dacee775e9dbe
Instruction ID: f08bc2b456215fd7657b2d9c0a3e567c0806d8f446283f4d854f94f50c6b3020
Opcode Fuzzy Hash: 5ffc3ebddfc690c945fe691f8234d99670ba77effae5d5460f1dacee775e9dbe
Instruction Fuzzy Hash: 79218171604604EFE721CF19CC84F6BFBECEF04720F18849AEE859B252D660E408CA75

Uniqueness

Uniqueness Score: -1.00%

Function 0107A51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0107A58A

Memory Dump Source

Source File: 00000007.00000002.368067755.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 799d15b4dc98bca6d5a821bb47fcfedf14e2278b00b8cc4955be29a60b5e8553
Instruction ID: a267150050a97ef592bf67278f8f19e4f866b17a7d7fc3148097683b49ef4820
Opcode Fuzzy Hash: 799d15b4dc98bca6d5a821bb47fcfedf14e2278b00b8cc4955be29a60b5e8553
Instruction Fuzzy Hash: DC117271409380AFDB228F55DC44A62FFF8EF4A220F0884DAEE858B152D275A518DB71

Uniqueness

Uniqueness Score: -1.00%

Function 0107B7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0107B841

Memory Dump Source

Source File: 00000007.00000002.368067755.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c7c6127edcd62ea7cd002ca29a8c10aada2bbac3b99530b202c8cefb9f1091fb
Instruction ID: 2bc5edfa176d9f26884e58ef007cceceee7e47ebfdde033dd52eca5635163062
Opcode Fuzzy Hash: c7c6127edcd62ea7cd002ca29a8c10aada2bbac3b99530b202c8cefb9f1091fb
Instruction Fuzzy Hash: 6B219A724093C09FDB128B25DC50AA2BFB0AF0B224F0D84DAEDC44F163D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0107BB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0107BBB9

Memory Dump Source

Source File: 00000007.00000002.368067755.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6fc99006f4b9fc1c52ee9597ec2f574292933e9a155ed6573dbb17d3b259e9f6
Instruction ID: 0853aac613a77ebdb83dc54da9c28a20130b1a1953b0a6b079b8d495b1a68f6d
Opcode Fuzzy Hash: 6fc99006f4b9fc1c52ee9597ec2f574292933e9a155ed6573dbb17d3b259e9f6
Instruction Fuzzy Hash: 2C11D0355093C0AFDB228F25CC45B52FFB4EF06220F0884DEED858B563D265A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 050904EF, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05090550

Memory Dump Source

Source File: 00000007.00000002.369178482.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: de3064d4d805682f01887bff58e1f2358061c9689ab01b94eb0e28678b39d93b
Instruction ID: 811c8f01a05ed358a317e7a20193e27c421e8a37f0dea230ae805fd7fdcb7534
Opcode Fuzzy Hash: de3064d4d805682f01887bff58e1f2358061c9689ab01b94eb0e28678b39d93b
Instruction Fuzzy Hash: 9E119371509384AFDB168F25DC95B52BFB8EF06220F1880DBED458F653D2759418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0107BE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0107BE70

Memory Dump Source

Source File: 00000007.00000002.368067755.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 11b6544b722578e3671dbcf10adaeac41c537dd0259d44d7b46db0bfaff6d37f
Instruction ID: 37b7515ac2b8ecfe12a120837dccbe9d7b33b8bdaeeda012494202ec7930dfde
Opcode Fuzzy Hash: 11b6544b722578e3671dbcf10adaeac41c537dd0259d44d7b46db0bfaff6d37f
Instruction Fuzzy Hash: 26118E758093C0AFD7138B25DC44B61BFB4DF47624F0984DAED848F263D2756808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0107B71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0107B78A

Memory Dump Source

Source File: 00000007.00000002.368067755.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: e29f743635aa740c002bf8584db363b37d67775b06964abaf279b8848d233656
Instruction ID: f50c156ee501abe4bf25dd0623d79b16b9ed9fe8f9216727e05a53d0051f9a85
Opcode Fuzzy Hash: e29f743635aa740c002bf8584db363b37d67775b06964abaf279b8848d233656
Instruction Fuzzy Hash: EB11AF32408380AFDB228F64DC44A52FFF4FF4A320F08849EEE858B522D375A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0107A75B, Relevance: 1.6, APIs: 1, Instructions: 52comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0107A7BC

Memory Dump Source

Source File: 00000007.00000002.368067755.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6deaf0287e6118855787c8d6fe9642aec083ef3d97a44fc362ba293e9468c3e6
Instruction ID: 83eb94abe51397f6ef65406581665e91771cf76c21d0aab02c67f404d5b755dd
Opcode Fuzzy Hash: 6deaf0287e6118855787c8d6fe9642aec083ef3d97a44fc362ba293e9468c3e6
Instruction Fuzzy Hash: EB119D71809384AFD7128F25DC44B52BFB4EF02220F0880EAED858F253D279A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0107A8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0107A926

Memory Dump Source

Source File: 00000007.00000002.368067755.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 33f69bd6dcac728afab5a6149fa9883a41a902850dadb09072000009fd96fe5f
Instruction ID: 8853a8355a36c2dada9d9471d1f257b140b54433e05f3a82208a5dd4cadc7819
Opcode Fuzzy Hash: 33f69bd6dcac728afab5a6149fa9883a41a902850dadb09072000009fd96fe5f
Instruction Fuzzy Hash: 6811AC35509784AFC7228F15DC85A52FFF4EF06220F09C4DAEE858B262D275A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0107B746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0107B78A

Memory Dump Source

Source File: 00000007.00000002.368067755.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 4b02a9a84f9cc8f61954eb6de06c5a387d3f09d064a0fb31c33c335ebb069780
Instruction ID: 7d90701742c85121073e654be270926082c6f277624d1c663ca5cee9f8f26e97
Opcode Fuzzy Hash: 4b02a9a84f9cc8f61954eb6de06c5a387d3f09d064a0fb31c33c335ebb069780
Instruction Fuzzy Hash: E3016D31800640EFDB218F55D844B56FFE4FF08720F18C5AADE894B612D275A418DF72

Uniqueness

Uniqueness Score: -1.00%

Function 0107A546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0107A58A

Memory Dump Source

Source File: 00000007.00000002.368067755.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cb15af54a5225b27cb43e16124a244e4aa77d85cb94fbd7b21a4b05b075bc023
Instruction ID: ac00a32dec68008fe76b2bf1190a7b6ee294f10fc74ea42fa01aa18baf3d4b3b
Opcode Fuzzy Hash: cb15af54a5225b27cb43e16124a244e4aa77d85cb94fbd7b21a4b05b075bc023
Instruction Fuzzy Hash: 37016D31900640EFDB218F55D844B5AFFE4EF08720F18C59ADE894B612D375A418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0509051E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05090550

Memory Dump Source

Source File: 00000007.00000002.369178482.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5748370048f420f193168ef68a55d0deda538af3b44f453e66c35a4e9ff79d81
Instruction ID: 5c7b76ec7e2b0de008178c8eed08839d74bc43b04bc9f8d90c917e5efb0401aa
Opcode Fuzzy Hash: 5748370048f420f193168ef68a55d0deda538af3b44f453e66c35a4e9ff79d81
Instruction Fuzzy Hash: 6301B171500640DFDB54CF19E88976AFFD4EF04220F18C0AADD498B206D275A408DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0107AF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 0107AFEA

Memory Dump Source

Source File: 00000007.00000002.368067755.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 87806c722d9df6b7b5180af7bb33c9471dcd2c656d469fb4811027837fe4d5b3
Instruction ID: 65d213e084876c2ad3d868112fa7a76b67aff571242c44def449af9d426c5bf0
Opcode Fuzzy Hash: 87806c722d9df6b7b5180af7bb33c9471dcd2c656d469fb4811027837fe4d5b3
Instruction Fuzzy Hash: 51016275600600ABD614DF16DC86F26FBA8FB88B20F14815AED085B741E375F515CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0107BB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0107BBB9

Memory Dump Source

Source File: 00000007.00000002.368067755.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 27e4120d826c6502208c07eea9337e9ce39f3e02b614281561eb43269d56300f
Instruction ID: c3c9c59575921119754ce7709403b2133e91c3c0c63c10b88f3371dec640bf11
Opcode Fuzzy Hash: 27e4120d826c6502208c07eea9337e9ce39f3e02b614281561eb43269d56300f
Instruction Fuzzy Hash: F901D435900640DFDB218F19D844B66FFE4EF04320F18C09EDD854B626D2B1E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0107A78A, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0107A7BC

Memory Dump Source

Source File: 00000007.00000002.368067755.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 3c02daed7e940c91a7f9277b0fb875a2df0e5cff1d421eaa75cc6c1eda994e95
Instruction ID: 96867695babea5443f6bfeeff0bb78a603d980105f4d867f5652c274f137273f
Opcode Fuzzy Hash: 3c02daed7e940c91a7f9277b0fb875a2df0e5cff1d421eaa75cc6c1eda994e95
Instruction Fuzzy Hash: 82018F74A04240DFDB10CF19D88475AFFE4EF04220F18C0AADD498B202D2B5A404CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0107B806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0107B841

Memory Dump Source

Source File: 00000007.00000002.368067755.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b573a486f72fa862442ef3bd82c461bb3a5308a611b50ac78832c1b93f764c0b
Instruction ID: 3218861c0c3216bfb88402d3c5ec5c524a1679d3f7fe3c3f1349a48f70481774
Opcode Fuzzy Hash: b573a486f72fa862442ef3bd82c461bb3a5308a611b50ac78832c1b93f764c0b
Instruction Fuzzy Hash: 4901A231900644DFDB618F15D884B66FFE0EF08720F18C09ADE894B222D275A418DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0107A8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0107A926

Memory Dump Source

Source File: 00000007.00000002.368067755.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b467cd56b77c24f0ff1bf1589f96a8e6f510fa70fb8e2e49433677420168f8a1
Instruction ID: 4d3497526e014994bed61fc27d0dc5ace3a88286c0786f0f035b43d45c99986a
Opcode Fuzzy Hash: b467cd56b77c24f0ff1bf1589f96a8e6f510fa70fb8e2e49433677420168f8a1
Instruction Fuzzy Hash: D301D635900644DFDB218F05D885756FFE4EF09720F18C09ADE854B252D2B5A418DF72

Uniqueness

Uniqueness Score: -1.00%

Function 0107BE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0107BE70

Memory Dump Source

Source File: 00000007.00000002.368067755.000000000107A000.00000040.00000001.sdmp, Offset: 0107A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 412624236d20cc0cb3667290a134363260aceca68048c52b5021dfc653a4c305
Instruction ID: 14ffce1ecb4e0fc74dd43c3b9767f22032a705b511788895fe1b134dffd5e3b5
Opcode Fuzzy Hash: 412624236d20cc0cb3667290a134363260aceca68048c52b5021dfc653a4c305
Instruction Fuzzy Hash: 28F0AF35904644DFDB208F19D884766FFE4EF04720F18C4AADE894B312D2B5A408CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 04F720D0, Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

r*+, xrefs: 04F7230F

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: c4d4cb72f7ef1b5a310f7f5661c6b45bce4fa8c352ee7db12728081f9a07f4dc
Instruction ID: 32f828df2a6afe0ff86fbfe546ca9ca98f113954a494a8a05b1a9ddd1603fcc8
Opcode Fuzzy Hash: c4d4cb72f7ef1b5a310f7f5661c6b45bce4fa8c352ee7db12728081f9a07f4dc
Instruction Fuzzy Hash: DA717031F08205CFDB44DFA4C4816BEBBB1FF84300F1284ABD5429B255EB79A942CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04F71458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$ghr, xrefs: 04F714C7

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 6588ea4ef896cfc6ee9409cae67b9590431563534334485f48fe439baa2dcad2
Instruction ID: 807c56deaeed237476d11e0b46ad39fe3219fabdab5b9e7d27be17fe2242bcba
Opcode Fuzzy Hash: 6588ea4ef896cfc6ee9409cae67b9590431563534334485f48fe439baa2dcad2
Instruction Fuzzy Hash: B851EA34A00214CFDB58DF64D994B9DBBB2BF49300F1441EAD40AAB365DB35AD8ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 04F71292, Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

$ghr, xrefs: 04F71349

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 08028ecaef202f6f9bb4e799f53cc933d51ec41b90fb21707d2dd112bdb3611d
Instruction ID: 5ebc728ea4ccda07cd423d50b28a8efc3b9de7d2bf1af54c3d15bdc9ced9095f
Opcode Fuzzy Hash: 08028ecaef202f6f9bb4e799f53cc933d51ec41b90fb21707d2dd112bdb3611d
Instruction Fuzzy Hash: 65411830A04319CFDB54DF69D884B9DBBB1BF49300F1040AAD44AAB755DB34AD8ADF61

Uniqueness

Uniqueness Score: -1.00%

Function 04F70BC0, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5122dbf5a28fadeb9207b55cfef73acb44637b9f2d7f50cb2f255738baed4524
Instruction ID: 3e794aee2ac3b0d54c7eefde16fa11ccbf9688d3a4aa0f31b5c3b0e0e3adb749
Opcode Fuzzy Hash: 5122dbf5a28fadeb9207b55cfef73acb44637b9f2d7f50cb2f255738baed4524
Instruction Fuzzy Hash: 2C41E532B051048FC7159F2CC414AAE7BE6AFC6310F1580ABE906DF3A1DEB6AC068791

Uniqueness

Uniqueness Score: -1.00%

Function 04F702DA, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f13e0658ca955f88f8c91f34f50f4e721690c94f1f46b06aa0528985bacda9d9
Instruction ID: 552c50968a49dbea4d28eec6061bacbb268b5317c4913a8bae02536bfeb572fa
Opcode Fuzzy Hash: f13e0658ca955f88f8c91f34f50f4e721690c94f1f46b06aa0528985bacda9d9
Instruction Fuzzy Hash: E0414830F01205CFDB98DF68C054BAE7BB2AF89710F15446AD502AB7A1DF79AC42DB51

Uniqueness

Uniqueness Score: -1.00%

Function 04F70007, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a54f4c0f9d5134ba8d996bdcb9e1a5d769fecce6f16ea535c5ad8a79560c70
Instruction ID: 951c25b89656d4dbcdb92caf4f9a23a77dd16037185163ca61777ce64d4f9afb
Opcode Fuzzy Hash: e0a54f4c0f9d5134ba8d996bdcb9e1a5d769fecce6f16ea535c5ad8a79560c70
Instruction Fuzzy Hash: 69316071A0D3C6CFC703AB7498641983FB1FF42214B05459FD4C2CB157EA79581AC752

Uniqueness

Uniqueness Score: -1.00%

Function 04F72C58, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08edbcf64d005ce53700d6d5bcb5c976467866e1773e9e150b558bb64a23a932
Instruction ID: df935fb8536fc365e6bf93080dc2d1da724a4ac86f76e164c43d31eab7ad8f33
Opcode Fuzzy Hash: 08edbcf64d005ce53700d6d5bcb5c976467866e1773e9e150b558bb64a23a932
Instruction Fuzzy Hash: C121453A70C241CFC7159B28D884978BFA5FF96234B0642E7E086CF291D72AAC02D752

Uniqueness

Uniqueness Score: -1.00%

Function 04F721E8, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d956ccac6ec5d47fd6338dcd7eb7532fdffb4d8ce958f213190a98a04c9f0cf
Instruction ID: 32670de316fb5db325d3a199f57f7a3253c9be309cef4b95c3b6290534805da9
Opcode Fuzzy Hash: 4d956ccac6ec5d47fd6338dcd7eb7532fdffb4d8ce958f213190a98a04c9f0cf
Instruction Fuzzy Hash: B7314F31E08209DFDB44DFA4C4446BDBBB1FF45300F1149EBD6429B261E639EA42DB52

Uniqueness

Uniqueness Score: -1.00%

Function 04F725DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c082ec0b52bcaf09c242b34f0220c828b1e8eaf282443794bd86a6264c929f
Instruction ID: f4d485d09ae060628d086ddb4508fa5942c1295f2cebac036e5ad654df12e9aa
Opcode Fuzzy Hash: e1c082ec0b52bcaf09c242b34f0220c828b1e8eaf282443794bd86a6264c929f
Instruction Fuzzy Hash: 38315A30E04245CBDB64DF65D84465EFBA2BF84324F21D66AC085AF259DBB8A48ACF41

Uniqueness

Uniqueness Score: -1.00%

Function 04F74190, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6fb30c7727f16a70b26e45a523bf46edde041d0277f541173861b1f036457b
Instruction ID: de9f63ce84293ac9ae8ac31c315017984be5358b8fed1297c06e2840c3284032
Opcode Fuzzy Hash: 3c6fb30c7727f16a70b26e45a523bf46edde041d0277f541173861b1f036457b
Instruction Fuzzy Hash: 1B11E472B002158BDB24BBB8D8005BF7AB6EFD4340F51412BD60797284EEB9A84187A2

Uniqueness

Uniqueness Score: -1.00%

Function 01210846, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.368185857.0000000001210000.00000040.00000040.sdmp, Offset: 01210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fba04812e6312736e3d4c8a21b20407ccab93abf66cef701d91127d96cb38a7
Instruction ID: f9e86cbb099fd40ff61340200c1c0e7dbe7f47338254672e5e9985db4d5ce743
Opcode Fuzzy Hash: 6fba04812e6312736e3d4c8a21b20407ccab93abf66cef701d91127d96cb38a7
Instruction Fuzzy Hash: 27218B3110D3C19FD707CB20C860B55BFB2AB57614F1A81EED9858B6A3C33A8806CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0121087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.368185857.0000000001210000.00000040.00000040.sdmp, Offset: 01210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd18b1449198e05decd2c1d8b6d0a3fcfaba93ac082485e91a8c0c6111720cd0
Instruction ID: 92b7bb03b31c60210ef920af4e29d33bd64fcb7cb5e07323be027ccce6262502
Opcode Fuzzy Hash: cd18b1449198e05decd2c1d8b6d0a3fcfaba93ac082485e91a8c0c6111720cd0
Instruction Fuzzy Hash: B511E434218384DFE305DB24C544B26BBD5AB98B08F24C9ADFA490B647C777D843CA95

Uniqueness

Uniqueness Score: -1.00%

Function 04F711DF, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4498237b2599b847ee23fb9edfbed31ebfc979ce48f92740d5f22c47c23817a
Instruction ID: 327a2354acbc3a3d801561b4877b832f43774aaef6cd3e5e5e6e977bb7124ddc
Opcode Fuzzy Hash: f4498237b2599b847ee23fb9edfbed31ebfc979ce48f92740d5f22c47c23817a
Instruction Fuzzy Hash: 4911AC31308280CFC3199B28C5548A97FF6EF9630071501EBD242CB7B2DE69AC0EDB92

Uniqueness

Uniqueness Score: -1.00%

Function 04F705BA, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6256890e4f57395f4e4518be107241601e2205ac98bde8b15b70e5fd2d5debc
Instruction ID: 1b0575b46e7ecf0f40787315868f7ced034852f0821e73c889c40f859f3a216a
Opcode Fuzzy Hash: b6256890e4f57395f4e4518be107241601e2205ac98bde8b15b70e5fd2d5debc
Instruction Fuzzy Hash: 7701F4717042210BCA0A763D94212BE369B5FC6A50758016FE146DF386DDB85D0343E7

Uniqueness

Uniqueness Score: -1.00%

Function 04F71209, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b7a52b0a29d75425485498c66bc7c0d1048555518edac24bddc21943898f97f
Instruction ID: 7b497cdbc3963440b482aab53b032118eb90315200c11fe7ba3170eb924d53d1
Opcode Fuzzy Hash: 0b7a52b0a29d75425485498c66bc7c0d1048555518edac24bddc21943898f97f
Instruction Fuzzy Hash: C7018C31314250CFC7489B28D1548A97BE6FF8621071541BBE202CB776DE699C0ECB41

Uniqueness

Uniqueness Score: -1.00%

Function 012105D1, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.368185857.0000000001210000.00000040.00000040.sdmp, Offset: 01210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e512935355b62f5d634b89236c9de09fa4f63435e3ce968aaf3a563290e8c71
Instruction ID: a186e9f1aecd868371155aef39d99dbe21d6e3d88f2259b86b3f15ea20dc125f
Opcode Fuzzy Hash: 5e512935355b62f5d634b89236c9de09fa4f63435e3ce968aaf3a563290e8c71
Instruction Fuzzy Hash: FF01AE765097806FD7128F16EC40863FFF8DF46630759C49FED498B611E2256905CB72

Uniqueness

Uniqueness Score: -1.00%

Function 04F705C8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c91fc8b9db3984c4192ac156e65d1ce3884fa03be30ef384c658499a57f147
Instruction ID: 4fc4d7413a4c795a57763891cf246a6ef78f11798c43dd64dee1c635eaf5163b
Opcode Fuzzy Hash: 23c91fc8b9db3984c4192ac156e65d1ce3884fa03be30ef384c658499a57f147
Instruction Fuzzy Hash: D2F0B4727001210BCA49767DA4617BF629B9FC5A50794412FE246EB384DEB49C4313E6

Uniqueness

Uniqueness Score: -1.00%

Function 04F71218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1044dd80808dead2a3c912b1e15e895c1f5fd3836c8bf8a04455402fabb44e
Instruction ID: f3d66c0e0716288849087efadd369aa113714d940a2540192dca2f7fc3278d58
Opcode Fuzzy Hash: ac1044dd80808dead2a3c912b1e15e895c1f5fd3836c8bf8a04455402fabb44e
Instruction Fuzzy Hash: D4016D31304110CBC608AB2CD55896D7BEAFFC971072441ABE606CB765DFB6AC0ED781

Uniqueness

Uniqueness Score: -1.00%

Function 04F74180, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9874e6c13762bde907043a4e2547aa730c0ffa33457cdaf1ddc3ab5bebc7501d
Instruction ID: 6a336b15d303e816ea550bb49c0d7d3a8f9165ed870923a20b3da2c3c4129fca
Opcode Fuzzy Hash: 9874e6c13762bde907043a4e2547aa730c0ffa33457cdaf1ddc3ab5bebc7501d
Instruction Fuzzy Hash: 86F05933B083548BDB226674A8054EF7FA58F923E0B11067BD552C6105F7BF500387A1

Uniqueness

Uniqueness Score: -1.00%

Function 04F70918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5a7b42345ec9b27b43d08aa74b04ee32123e1b9c2a634724a55abb16d62a61
Instruction ID: d15ba60a9296d7c3a67b22096ae67e20f437d4400fa3b114fef2fdf2dc95742b
Opcode Fuzzy Hash: 4f5a7b42345ec9b27b43d08aa74b04ee32123e1b9c2a634724a55abb16d62a61
Instruction Fuzzy Hash: FCE0E533F152189EAB5069F8D8015AFBBB99FC5250F004427EF07A3305FD78A8039292

Uniqueness

Uniqueness Score: -1.00%

Function 04F70908, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce2765b4d2f29714b89b4a33ce5d38dd5ca611d182cb789b441e5be456b21497
Instruction ID: 92b8b301baae19a44bf23eb5945d1e97e588b45b0048ce25e9d1094d92c807b6
Opcode Fuzzy Hash: ce2765b4d2f29714b89b4a33ce5d38dd5ca611d182cb789b441e5be456b21497
Instruction Fuzzy Hash: B9F0E231A093849FD7515AB4C81156B7FB58F82250B05049BEE439B346ED6CAE47A392

Uniqueness

Uniqueness Score: -1.00%

Function 01210938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.368185857.0000000001210000.00000040.00000040.sdmp, Offset: 01210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 229419697d3a2c89517f66fbb0456270858d522e7d2c296e975c5689d3bb9d3c
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: F8F0FB35108645DFC306DF04D540B15FBE2EB89718F24C6A9E9490B656C3379812DA85

Uniqueness

Uniqueness Score: -1.00%

Function 012105F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.368185857.0000000001210000.00000040.00000040.sdmp, Offset: 01210000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a6d680a789de01d5aac15fd63695bf34bc99bb9a75ed7154dac5ae980b4d4f
Instruction ID: edb8c2457311fe846f9e34d9edc9a38af372de6c8509c9b33bec04bd65c2b21e
Opcode Fuzzy Hash: 41a6d680a789de01d5aac15fd63695bf34bc99bb9a75ed7154dac5ae980b4d4f
Instruction Fuzzy Hash: 92E092766006008BD650CF0BEC41452F7D8EB88630B18C07FDC0D8B700E135B504CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 04F702A1, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4075ffdba9649fc85f1e7228f9f72d45dc1804d3153dd508b62635e6cb6f4afd
Instruction ID: 30224049f6f38e190f4dfde2e1f149cdee89c61272f249178b4729bcd1e46484
Opcode Fuzzy Hash: 4075ffdba9649fc85f1e7228f9f72d45dc1804d3153dd508b62635e6cb6f4afd
Instruction Fuzzy Hash: F0E0C23220E340CFC3525A18F8214C23BF0FF862203054A9BD486C7A15CB697D42C700

Uniqueness

Uniqueness Score: -1.00%

Function 04F7016F, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68a29b31207a8f595ff79232ee640c2c57fa9dd2b123d44708bfc40c265cda6
Instruction ID: 04a8269e84d5837c291a7e9c1145d04db1dd420bd762f968b89c6e97c1835c47
Opcode Fuzzy Hash: c68a29b31207a8f595ff79232ee640c2c57fa9dd2b123d44708bfc40c265cda6
Instruction Fuzzy Hash: 1CE02B321093848FC7152774E0164AC3764DF8622670006BEC4A28BBD1DA3BD495C711

Uniqueness

Uniqueness Score: -1.00%

Function 04F70650, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b01f33eac505dd8dceb1b40e6a40191912e5bd24a1718e836a71d22d5ea1afe
Instruction ID: 4c425375cf8b271b7b9260d38eccc0d8de2dfba0f71041df61378d61f827bfb4
Opcode Fuzzy Hash: 7b01f33eac505dd8dceb1b40e6a40191912e5bd24a1718e836a71d22d5ea1afe
Instruction Fuzzy Hash: 85D05E3218F384CFC35256746C250697B659E83216B1444B7E98099826E92EA972ABA3

Uniqueness

Uniqueness Score: -1.00%

Function 04F72D20, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdae0e1ca084ac22feb69ac93e5bed25c3d4c712db70ceffda212d1617d87a9b
Instruction ID: 24d34b7da5cc732657426b77d67ad27dd63054a46a18b912ea3612905782a0af
Opcode Fuzzy Hash: bdae0e1ca084ac22feb69ac93e5bed25c3d4c712db70ceffda212d1617d87a9b
Instruction Fuzzy Hash: E5D0A73238E384EFD39713A06C18FB67F644B4B221F0A80D7D58A8E4F7E64D6502A312

Uniqueness

Uniqueness Score: -1.00%

Function 010723F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.368063263.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88247fc23aa102599150f5f6d48a293cf1d48d5a82f132e8eec8f327367228e3
Instruction ID: c5bfa8c0e72d0e433c00ac1655aadd3142c7edbe37f923642c57469e0bd1c411
Opcode Fuzzy Hash: 88247fc23aa102599150f5f6d48a293cf1d48d5a82f132e8eec8f327367228e3
Instruction Fuzzy Hash: ACD05E79615A818FE3268A1CC1A8B953FE4AB51B04F4644FDE8408B663C768D9D1D200

Uniqueness

Uniqueness Score: -1.00%

Function 010723BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.368063263.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f073585b83bad544d9c1549d1446f0f75e75312704a69827f59b962a9eb9f8b
Instruction ID: 9c287e7bcb67eecbadb44a2f4f6adf9ddca1941b5cd3ad344b29f993650074a5
Opcode Fuzzy Hash: 9f073585b83bad544d9c1549d1446f0f75e75312704a69827f59b962a9eb9f8b
Instruction Fuzzy Hash: 93D05E347006818BD715DB0CC594F593BD4AB41B00F0684ECAD408B662C3A4D881C600

Uniqueness

Uniqueness Score: -1.00%

Function 04F70180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d2b0ef6f58cde45e255b66979cfe9842ca4e37972ca845ca7f3821a03b86123
Instruction ID: 70c577296bb52da3c0b177e176d938c3b3a426c9bc55c803b68c9043d79ee529
Opcode Fuzzy Hash: 6d2b0ef6f58cde45e255b66979cfe9842ca4e37972ca845ca7f3821a03b86123
Instruction Fuzzy Hash: 60D01230214314CFCB286BB0E01942C33AAAB8820A701087CD88687B48EF3BE890CB04

Uniqueness

Uniqueness Score: -1.00%

Function 04F70660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb51a70dc9a3824acdbe4ac56f58e1d99eea8576258f044d0eed432dce7ffc79
Instruction ID: 9def4f1675f1fdccf3177938d30a4c766b2bc1cfad871be947c3921e9cdfde62
Opcode Fuzzy Hash: cb51a70dc9a3824acdbe4ac56f58e1d99eea8576258f044d0eed432dce7ffc79
Instruction Fuzzy Hash: 6DC02B32149204CEC22416702C1443D720A9FC1301310C433940120028DD3BB473AD11

Uniqueness

Uniqueness Score: -1.00%

Function 04F72EC0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b29418ad74072e05485c2295bde32136dc5007c103d64486355f666050708b0f
Instruction ID: f3b8ab166680e0c81a7ec360d85f0c19f99d416327cfab96440cb28f132058bb
Opcode Fuzzy Hash: b29418ad74072e05485c2295bde32136dc5007c103d64486355f666050708b0f
Instruction Fuzzy Hash: 3EB0123020C2080B1B506AB12808A2A338C468040934010B5984CC1000F909E0902340

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04F70D93, Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 04F710CB
0jr, xrefs: 04F70F8E
X1kr, xrefs: 04F70F1C
,:kr, xrefs: 04F70E38

Memory Dump Source

Source File: 00000007.00000002.369007213.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false

Similarity

API ID:
String ID: ,:kr$0jr$:@Dr$X1kr
API String ID: 0-1245831938
Opcode ID: 4541edbc5182ee0fd69986234469c8d0be839ee1f02e7bb2b0a926c99c907294
Instruction ID: 07e2aad796384089f8a4cd32cde3f7d8957a67b48aee34fd8981bf75bcfaa89f
Opcode Fuzzy Hash: 4541edbc5182ee0fd69986234469c8d0be839ee1f02e7bb2b0a926c99c907294
Instruction Fuzzy Hash: 4DB1B770A04344CFD3A4EF78D160B6ABBE2BF94704F50596EE5898B399DF719842CB02

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report gXcRJ8123G.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports