Windows Analysis Report Quotation Request August RFQ8012021.exe

Overview

General Information

Sample Name: Quotation Request August RFQ8012021.exe
Analysis ID: 457719
MD5: dd69f329393643aa570bd3a940323136
SHA1: dbcb022f10c8cfcdd93a75253b9e20260f86dafe
SHA256: 9327c22d332141a7ee037b2d393e0ad352a2fc4f6dc9b7cf9c78155d70681e6b
Tags: exe, NanoCore
Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: System File Execution Location Anomaly
Uses dynamic DNS services
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Quotation Request August RFQ8012021.exe (PID: 6640 cmdline: 'C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe' MD5: DD69F329393643AA570BD3A940323136)
    • cmd.exe (PID: 7156 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\AppData\Roaming\MainProc.exe,' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 5868 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\AppData\Roaming\MainProc.exe,' MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • MainProc.exe (PID: 6288 cmdline: 'C:\Users\user\AppData\Roaming\MainProc.exe' MD5: DD69F329393643AA570BD3A940323136)
      • InstallUtil.exe (PID: 5880 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
      • smss.exe (PID: 5460 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • smss.exe (PID: 5908 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • smss.exe (PID: 6752 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • smss.exe (PID: 5772 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • smss.exe (PID: 5032 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • smss.exe (PID: 6904 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • smss.exe (PID: 1664 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • smss.exe (PID: 4928 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • smss.exe (PID: 6196 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • smss.exe (PID: 7084 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • smss.exe (PID: 6048 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • smss.exe (PID: 7116 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • smss.exe (PID: 6712 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • smss.exe (PID: 1260 cmdline: 'C:\Users\user\AppData\Local\Temp\smss.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
  • dhcpmon.exe (PID: 2928 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 2224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000012.00000002.944192934.0000000007E20000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5b99:$x1: NanoCore.ClientPluginHost
  • 0x5bb3:$x2: IClientNetworkHost

Unpacked PEs

Source | Rule | Description | Author | Strings
18.2.InstallUtil.exe.4337c5e.11.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x170b:$x1: NanoCore.ClientPluginHost
  • 0x1725:$x2: IClientNetworkHost
18.2.InstallUtil.exe.4337c5e.11.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x170b:$x2: NanoCore.ClientPluginHost
  • 0x34b6:$s4: PipeCreated
  • 0x16f8:$s5: IClientLoggingHost
18.2.InstallUtil.exe.412d7e1.7.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x2dbb:$x1: NanoCore.ClientPluginHost
  • 0x2de5:$x2: IClientNetworkHost
18.2.InstallUtil.exe.412d7e1.7.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x2dbb:$x2: NanoCore.ClientPluginHost
  • 0x4c6b:$s4: PipeCreated
18.2.InstallUtil.exe.7dc0000.25.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5b0b:$x1: NanoCore.ClientPluginHost
  • 0x5b44:$x2: IClientNetworkHost

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 5880, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 5880, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: System File Execution Location Anomaly
Source: Process started; Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community; Data: Command: 'C:\Users\user\AppData\Local\Temp\smss.exe', CommandLine: 'C:\Users\user\AppData\Local\Temp\smss.exe', CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\smss.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\smss.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\smss.exe, ParentCommandLine: 'C:\Users\user\AppData\Roaming\MainProc.exe', ParentImage: C:\Users\user\AppData\Roaming\MainProc.exe, ParentProcessId: 6288, ProcessCommandLine: 'C:\Users\user\AppData\Local\Temp\smss.exe', ProcessId: 5460
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentCommandLine: 'C:\Users\user\AppData\Roaming\MainProc.exe', ParentImage: C:\Users\user\AppData\Roaming\MainProc.exe, ParentProcessId: 6288, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 5880

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 5880, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 5880, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Jbx Signature Overview


    AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\smss.exe; Metadefender: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\smss.exe; ReversingLabs: Detection: 12%
Source: C:\Users\user\AppData\Roaming\MainProc.exe; ReversingLabs: Detection: 15%
Multi AV Scanner detection for submitted file
Source: Quotation Request August RFQ8012021.exe; Virustotal: Detection: 26%
Source: Quotation Request August RFQ8012021.exe; ReversingLabs: Detection: 15%
Yara detected Nanocore RAT
Source: Yara match; File source: 18.2.InstallUtil.exe.61a0000.19.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Request August RFQ8012021.exe.3b4a0e7.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.393b248.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.InstallUtil.exe.3ffd069.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.3927fe7.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.38f542a.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.InstallUtil.exe.3ff8a40.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.InstallUtil.exe.3ff8a40.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.3810737.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.InstallUtil.exe.43b4b28.14.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.InstallUtil.exe.43b4b28.14.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.InstallUtil.exe.61a4629.20.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Request August RFQ8012021.exe.3a32837.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.37ddb7a.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.393b248.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.38f542a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.InstallUtil.exe.43afcf2.13.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.38239ba.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.InstallUtil.exe.61a0000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.3679510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.38239ba.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.InstallUtil.exe.43b9151.15.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.37ddb7a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.941935265.00000000061A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.739152820.00000000039B9000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\MainProc.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Quotation Request August RFQ8012021.exe; Joe Sandbox ML: detected
Source: 18.2.InstallUtil.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 18.2.InstallUtil.exe.61a0000.19.unpack; Avira: Label: TR/NanoCore.fadte
Source: 18.2.InstallUtil.exe.3ff8a40.6.unpack; Avira: Label: TR/NanoCore.fadte
Source: unknown; HTTPS traffic detected: 172.217.168.68:443 -> 192.168.2.4:49732 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 172.217.168.68:443 -> 192.168.2.4:49745 version: TLS 1.0
Source: Quotation Request August RFQ8012021.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
    Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000012.00000000.787284435.0000000000C62000.00000002.00020000.sdmp, dhcpmon.exe, 0000001A.00000000.826245650.0000000000B72000.00000002.00020000.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
    Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, dhcpmon.exe, 0000001A.00000000.826245650.0000000000B72000.00000002.00020000.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-6Ch] 0_2_04CE41A0
Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-6Ch] 0_2_04CE41A0
Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-6Ch] 0_2_04CE41A0
Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 4x nop then mov esp, ebp 0_2_04CEB120
Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 4x nop then mov esp, ebp 0_2_04CEB11F
Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-6Ch] 12_2_00D041A0
Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-6Ch] 12_2_00D041A0
Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-6Ch] 12_2_00D041A0
Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 4x nop then mov esp, ebp 12_2_00D0B120
Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 4x nop then mov esp, ebp 12_2_00D0B11E
Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 4x nop then jmp 05FECFACh 12_2_05FECE18
Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 4x nop then jmp 05FEBA86h 12_2_05FEB948
Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 4x nop then jmp 05FECFACh 12_2_05FECE08
Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 4x nop then jmp 05FEBA86h 12_2_05FEB939
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] 18_2_07EC1C20
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] 18_2_07EC1C86
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] 18_2_07EC1C11
Source: C:\Users\user\AppData\Local\Temp\smss.exe; Code function: 4x nop then jmp 04E50799h 22_2_04E50560
Source: C:\Users\user\AppData\Local\Temp\smss.exe; Code function: 4x nop then jmp 04E50799h 22_2_04E50551
Source: C:\Users\user\AppData\Local\Temp\smss.exe; Code function: 4x nop then jmp 04E90799h 23_2_04E90560
Source: C:\Users\user\AppData\Local\Temp\smss.exe; Code function: 4x nop then jmp 04E90799h 23_2_04E90551

    Networking:

Uses dynamic DNS services
Source: unknown; DNS query: name: dedicatedlambo9.ddns.net
Source: global traffic; TCP traffic: 192.168.2.4:49765 -> 185.140.53.253:1604
Source: global traffic; TCP traffic: 192.168.2.4:49768 -> 84.38.133.182:1604
Source: unknown; HTTPS traffic detected: 172.217.168.68:443 -> 192.168.2.4:49732 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 172.217.168.68:443 -> 192.168.2.4:49745 version: TLS 1.0
Source: unknown; TCP traffic detected without corresponding DNS query: 185.140.53.253
Source: unknown; DNS traffic detected: queries for: www.google.com
Source: MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp; String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp; String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: MainProc.exe, 0000000C.00000003.762136895.0000000000A1E000.00000004.00000001.sdmp; String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.737236895.00000000028BD000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp; String found in binary or memory: http://crls.pki.goog/gts1c3/fVJxbV-Ktmk.crl0
Source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.745016724.00000000066F6000.00000004.00000001.sdmp; String found in binary or memory: http://ns.ado/1
Source: Quotation Request August RFQ8012021.exe, 00000000.00000003.671244020.00000000066F6000.00000004.00000001.sdmp; String found in binary or memory: http://ns.ado/15
Source: MainProc.exe, 0000000C.00000003.762407199.0000000006626000.00000004.00000001.sdmp; String found in binary or memory: http://ns.ado/1?&
Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.745016724.00000000066F6000.00000004.00000001.sdmp; String found in binary or memory: http://ns.adobe.c/g
Source: Quotation Request August RFQ8012021.exe, 00000000.00000003.671244020.00000000066F6000.00000004.00000001.sdmp; String found in binary or memory: http://ns.adobe.c/g5
Source: MainProc.exe, 0000000C.00000003.762407199.0000000006626000.00000004.00000001.sdmp; String found in binary or memory: http://ns.adobe.c/g?&
Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.745016724.00000000066F6000.00000004.00000001.sdmp; String found in binary or memory: http://ns.adobe.cobj
Source: Quotation Request August RFQ8012021.exe, 00000000.00000003.671244020.00000000066F6000.00000004.00000001.sdmp; String found in binary or memory: http://ns.adobe.cobj5
Source: MainProc.exe, 0000000C.00000003.762407199.0000000006626000.00000004.00000001.sdmp; String found in binary or memory: http://ns.adobe.cobj?&
Source: Quotation Request August RFQ8012021.exe, 00000000.00000003.669545817.00000000066F6000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000003.743302521.0000000006626000.00000004.00000001.sdmp; String found in binary or memory: http://ns.d
Source: MainProc.exe, 0000000C.00000003.762136895.0000000000A1E000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.digicert.com0:
Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.737360805.00000000028EA000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000003.865871111.0000000000A19000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.msocsp.com0
Source: MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.737236895.00000000028BD000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp; String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.737236895.00000000028BD000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp; String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
Source: MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp; String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: MainProc.exe, 0000000C.00000002.929570918.000000000269C000.00000004.00000001.sdmp; String found in binary or memory: http://schema.org/WebPage
Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.737189942.0000000002891000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000002.929470061.0000000002671000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp; String found in binary or memory: https://pki.goog/repository/0
Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.737189942.0000000002891000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000002.929470061.0000000002671000.00000004.00000001.sdmp; String found in binary or memory: https://www.google.com
Source: Quotation Request August RFQ8012021.exe, Quotation Request August RFQ8012021.exe, 00000000.00000002.734568182.0000000000452000.00000002.00020000.sdmp, MainProc.exe, MainProc.exe, 0000000C.00000000.730058481.0000000000202000.00000002.00020000.sdmp; String found in binary or memory: https://www.google.com/
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown; Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49745
Source: smss.exe, 00000016.00000002.813610530.0000000000A00000.00000004.00000001.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: InstallUtil.exe, 00000012.00000002.941935265.00000000061A0000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

    E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 18.2.InstallUtil.exe.61a0000.19.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Request August RFQ8012021.exe.3b4a0e7.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.393b248.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.InstallUtil.exe.3ffd069.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.3927fe7.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.38f542a.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.InstallUtil.exe.3ff8a40.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.InstallUtil.exe.3ff8a40.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.3810737.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.InstallUtil.exe.43b4b28.14.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.InstallUtil.exe.43b4b28.14.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.InstallUtil.exe.61a4629.20.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Request August RFQ8012021.exe.3a32837.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.37ddb7a.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.393b248.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.38f542a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.InstallUtil.exe.43afcf2.13.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.38239ba.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.InstallUtil.exe.61a0000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.3679510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.38239ba.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.InstallUtil.exe.43b9151.15.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.MainProc.exe.37ddb7a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.941935265.00000000061A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.739152820.00000000039B9000.00000004.00000001.sdmp, type: MEMORY

    System Summary:

    Malicious sample detected (through community Yara rule)
    Source: 18.2.InstallUtil.exe.4337c5e.11.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.412d7e1.7.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7dc0000.25.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7e00000.29.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.4139a15.8.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.61a0000.19.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b4a0e7.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b4a0e7.6.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.MainProc.exe.393b248.9.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 12.2.MainProc.exe.393b248.9.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.4337c5e.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7e50000.35.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.432982e.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7e90000.36.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.6570000.22.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.3042240.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.3042240.4.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.43209ff.12.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.43209ff.12.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.414e042.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.414e042.9.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.3ffd069.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7dc0000.25.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.MainProc.exe.3927fe7.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 12.2.MainProc.exe.3927fe7.8.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.7e90000.36.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.43209ff.12.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 12.2.MainProc.exe.38f542a.7.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 12.2.MainProc.exe.38f542a.7.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.432982e.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.3ff8a40.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7de0000.27.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7dd0000.26.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7e10000.30.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.74c0000.24.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7e5e8a4.33.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.3ff8a40.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7e54c9f.34.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 12.2.MainProc.exe.3810737.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 12.2.MainProc.exe.3810737.4.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.43b4b28.14.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.43b4b28.14.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.43b4b28.14.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.7e10000.30.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.74c0000.24.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7de0000.27.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.61a4629.20.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.5870000.17.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7e20000.31.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.4139a15.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.4139a15.8.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.3035ff8.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.6570000.22.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a32837.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a32837.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.MainProc.exe.37ddb7a.5.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 12.2.MainProc.exe.37ddb7a.5.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.MainProc.exe.393b248.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 12.2.MainProc.exe.393b248.9.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.MainProc.exe.38f542a.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 12.2.MainProc.exe.38f542a.7.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.43afcf2.13.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.43afcf2.13.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.7e40000.32.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 12.2.MainProc.exe.38239ba.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 12.2.MainProc.exe.38239ba.6.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.61a0000.19.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7e40000.32.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.412d7e1.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.412d7e1.7.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.7e20000.31.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7e50000.35.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 12.2.MainProc.exe.3679510.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 12.2.MainProc.exe.3679510.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.7df0000.28.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.7e00000.29.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.3035ff8.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.3035ff8.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.MainProc.exe.38239ba.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 12.2.MainProc.exe.38239ba.6.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.43b9151.15.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.43b9151.15.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.3042240.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.MainProc.exe.37ddb7a.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 12.2.MainProc.exe.37ddb7a.5.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 18.2.InstallUtil.exe.2fe5d94.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 18.2.InstallUtil.exe.2fe5d94.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000012.00000002.944192934.0000000007E20000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 00000012.00000002.944407587.0000000007E90000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000012.00000002.944029550.0000000007DC0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 00000012.00000002.941935265.00000000061A0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 00000012.00000002.944158898.0000000007E10000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 00000012.00000002.944132813.0000000007E00000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 00000000.00000002.739152820.00000000039B9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 00000000.00000002.739152820.00000000039B9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000012.00000002.943444482.00000000074C0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 00000012.00000002.944269292.0000000007E50000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 00000012.00000002.942229491.0000000006570000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 00000012.00000002.941578983.0000000005870000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 00000012.00000002.944075779.0000000007DE0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
    Source: 00000012.00000002.944247779.0000000007E40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
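The tables above list well over a hundred individual Yara hits spread over three processes (PID 0, the submitted sample; PID 12, the dropped MainProc.exe; PID 18, the InstallUtil.exe host), and the memory-dump entries identify their process only by a hexadecimal PID. The script below is an added triage example written for this report; it is not Joe Sandbox code and not part of the sample. It parses lines of the shape shown above (both the short "Matched rule: ... Author: ..." form and the long form with the rule metadata), decodes the source identifiers so the hex-PID dumps can be tied back to the process names carried by the unpacked-PE entries, collapses the hits into one rule set per process, and lists the dumped regions whose protection was executable and writable (here the region at 0x402000 in PID 18). The identifier layouts are read off the report's own naming and are assumptions: unpacked PEs as pid.stage.image.hexaddress.index[.raw].unpack and memory dumps as pidhex.stagehex.dumpid.basehex.protectionhex.kindhex.sdmp, with the protection field taken to be a Win32 PAGE_* constant (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE). The input lines are nine copied from the tables above, one of them left in the fused "UNPACKEDPEMatched" form that page extraction produces.

```python
"""Group the Yara hits of a Joe Sandbox report by process and flag RWX dumps.
Added example, not Joe Sandbox code; identifier layouts are assumptions (see lead-in)."""
import re
from collections import defaultdict

# Win32 memory protection constants; the sdmp "protect" field is assumed to be one of these.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Short form: "Source: <id>, type: <T> Matched rule: <desc> Author: <name>".
# \W* rather than a space because page extraction fuses "UNPACKEDPEMatched".
LINE_SHORT = re.compile(
    r"^Source: (?P<src>.+?), type: (?P<type>UNPACKEDPE|MEMORY)\W*"
    r"Matched rule: (?P<rule>.+?)\W*Author: (?P<author>.+)$")
# Long form carries the rule metadata: "Matched rule: <name> date = ..., author = <x>, ...".
LINE_LONG = re.compile(
    r"^Source: (?P<src>.+?), type: (?P<type>UNPACKEDPE|MEMORY)\W*"
    r"Matched rule: (?P<rule>\S+) .*?\bauthor = (?P<author>[^,]+)")
UNPACK_ID = re.compile(  # <pid>.<stage>.<image>.<hex addr>.<index>[.raw].unpack
    r"^(?P<pid>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<addr>[0-9a-fA-F]+)"
    r"\.(?P<idx>\d+)(?P<raw>\.raw)?\.unpack$")
SDMP_ID = re.compile(    # <pid hex>.<stage hex>.<dump id>.<base hex>.<protect hex>.<kind hex>.sdmp
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\.(?P<base>[0-9A-Fa-f]{16})"
    r"\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$")

# Nine lines copied from the report tables (the third deliberately left in the fused form).
REPORT_LINES = [
    "Source: 18.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: 18.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 12.2.MainProc.exe.393b248.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: 18.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT",
]


def parse_source(src):
    """Decode a source identifier into pid / image / address (plus protection for dumps)."""
    m = UNPACK_ID.match(src)
    if m:
        return {"kind": "unpacked_pe", "pid": int(m["pid"]), "stage": int(m["stage"]),
                "image": m["image"], "addr": int(m["addr"], 16), "raw": bool(m["raw"])}
    m = SDMP_ID.match(src)
    if m:
        prot = int(m["protect"], 16)
        return {"kind": "memory_dump", "pid": int(m["pid"], 16), "stage": int(m["stage"], 16),
                "image": None, "addr": int(m["base"], 16), "protect": prot,
                "protect_name": PAGE_PROTECT.get(prot, hex(prot))}
    raise ValueError(f"unrecognised source identifier: {src!r}")


def parse_line(line):
    """One report line -> hit record, or None for lines that are not Yara hits."""
    m = LINE_SHORT.match(line.strip()) or LINE_LONG.match(line.strip())
    if not m:
        return None
    rec = parse_source(m["src"])
    rec.update(type=m["type"], rule=m["rule"].strip(), author=m["author"].strip())
    return rec


def summarize(lines):
    """pid -> {image, rules, regions}. Memory dumps only carry the PID, so the image
    name is borrowed from the unpacked-PE entries of the same process."""
    per_pid = defaultdict(lambda: {"image": None, "rules": set(), "regions": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_pid[rec["pid"]]
        if rec["image"]:
            entry["image"] = rec["image"]
        entry["rules"].add(rec["rule"])
        entry["regions"].append(rec)
    return dict(per_pid)


def rwx_regions(summary):
    """(pid, image, base) for each distinct dumped region that was executable and writable."""
    seen, hits = set(), []
    for pid, entry in sorted(summary.items()):
        for rec in entry["regions"]:
            if (rec["kind"] == "memory_dump" and rec["protect"] in (0x40, 0x80)
                    and (pid, rec["addr"]) not in seen):
                seen.add((pid, rec["addr"]))
                hits.append((pid, entry["image"], rec["addr"]))
    return hits


if __name__ == "__main__":
    summary = summarize(REPORT_LINES)
    for pid, entry in sorted(summary.items()):
        print(f"pid {pid:>2} {entry['image'] or '?':<42} rules: {', '.join(sorted(entry['rules']))}")
    for pid, image, base in rwx_regions(summary):
        print(f"RWX dump in pid {pid} ({image}) at {base:#x}")
```

Feeding the script the whole report rather than the nine sample lines is the point: the per-process view shows that every process in the chain carries the same two rule families, and the RWX list is the shortlist of dumps worth opening first, since an executable-and-writable region that matches a RAT signature in a signed Microsoft host such as InstallUtil.exe is the injected payload rather than the host's own code.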
    Initial sample is a PE file and has a suspicious name
    Source: initial sample; Static PE information: Filename: Quotation Request August RFQ8012021.exe
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE069C CreateProcessAsUserW
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 0_2_00458C21
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 0_2_04CEA550
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 0_2_04CE7550
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 0_2_04CE96D8
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 0_2_04CEDDD0
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe; Code function: 0_2_04CE7D54
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_00208C21
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_00D0A550
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_00D07550
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_00D09A60
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_00D0FCA8
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_00D07C00
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_00D0DDD0
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_00D09A50
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_00D0FC9A
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_00D0DDC0
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE1550
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE4468
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE2878
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE93B0
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE4B98
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE6AC0
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE0A58
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE1541
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE7520
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE4459
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE9FD0
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE5E10
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE5E00
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE2868
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE93A2
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE4B88
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE6AB2
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE6288
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE6277
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE8258
    Source: C:\Users\user\AppData\Roaming\MainProc.exe; Code function: 12_2_05FE0A48
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_00C620B0
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_06580040
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_065702B0
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_02D5E480
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_02D5E471
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_02D5BBD4
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_07ECD4F8
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_07EC1098
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_07EC4868
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_07ECC828
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_07EC5820
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_07EC1E8E
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_07EC1DD0
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_07EC2570
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_07ECC4E0
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 18_2_07EC58DE
    Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.745612764.0000000006CF0000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs Quotation Request August RFQ8012021.exe
    Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.738580016.0000000003895000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSHCore1.dll0 vs Quotation Request August RFQ8012021.exe
    Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.743399156.0000000005EE0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs Quotation Request August RFQ8012021.exe
    Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameAstronot plart.exe> vs Quotation Request August RFQ8012021.exe
    Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.734942939.0000000000510000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameECHE CRYPTED FILE.exeP vs Quotation Request August RFQ8012021.exe
    Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.743738593.00000000061B0000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs Quotation Request August RFQ8012021.exe
    Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.743738593.00000000061B0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Quotation Request August RFQ8012021.exe
    Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\AppData\Roaming\MainProc.exe,'
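The reg.exe command above appends the dropped C:\Users\user\AppData\Roaming\MainProc.exe to the Winlogon Shell value, so the RAT is launched alongside explorer.exe at the user's next logon. Alerting on reg.exe alone is noisy; what makes this line malicious is the combination of key, value name and data that is anything other than the default. The script below is an added detection example written for this report, not Joe Sandbox code and not from the sample. It tokenises process-creation command lines (the form they take in a Sysmon Event ID 1 or Security 4688 feed), parses the reg add arguments, and raises an alert when Shell or Userinit under either hive is set to anything but its default, reporting which entries were added or which default went missing. Both defaults are assumptions stated in the code (Shell = explorer.exe; Userinit = C:\Windows\system32\userinit.exe, whose trailing comma the split discards). The log lines and their timestamps are constructed; the first carries the report's own command exactly as the page renders it.

```python
"""Flag Winlogon Shell / Userinit rewrites in process-creation command lines.
Added example, not Joe Sandbox code; the default values are assumptions."""
import re

# Quoted tokens (either quote style; the page renders the original "..." as '...') or bare words.
TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")
WINLOGON_KEY = re.compile(
    r"^(HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\"
    r"Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$", re.IGNORECASE)
# Assumed default contents of the two values: lower-cased, comma-split, empties dropped.
EXPECTED = {
    "shell": ["explorer.exe"],
    "userinit": [r"c:\windows\system32\userinit.exe"],
}
# Constructed log format: "<utc ts> pid=<n> parent=<image> cmdline=<command line>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) parent=(?P<parent>\S+) cmdline=(?P<cmd>.*)$")

SAMPLE_LOG = [
    # The report's own reg.exe invocation, as rendered on the page.
    r"2021-08-02T09:14:07Z pid=5132 parent=C:\Windows\SysWOW64\cmd.exe cmdline=REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\AppData\Roaming\MainProc.exe,'",
    # Benign: Shell set to its default.
    r'2021-08-02T09:20:00Z pid=5200 parent=C:\Windows\System32\cmd.exe cmdline=reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d explorer.exe /f',
    # Unrelated key.
    r"2021-08-02T09:21:00Z pid=5210 parent=C:\Windows\System32\cmd.exe cmdline=reg add HKCU\Software\Contoso /v Setting /d 1 /f",
    # Userinit extended with a second executable.
    r'2021-08-02T09:30:00Z pid=5300 parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline=reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe,C:\ProgramData\svc.exe," /f',
]


def tokenize(cmdline):
    """Split a Windows command line into arguments, dropping surrounding quotes."""
    out = []
    for tok in TOKEN.findall(cmdline):
        if len(tok) >= 2 and tok[0] in "'\"" and tok[-1] == tok[0]:
            tok = tok[1:-1]
        out.append(tok)
    return out


def parse_reg_add(cmdline):
    """Return {'key', 'value', 'data'} for a 'reg add' command line, else None."""
    toks = tokenize(cmdline)
    if len(toks) < 3:
        return None
    exe = toks[0].lower()
    if not (exe == "reg" or exe.endswith("reg.exe")) or toks[1].lower() != "add":
        return None
    parsed = {"key": toks[2], "value": None, "data": None}
    i = 3
    while i < len(toks):
        sw = toks[i].lower()
        if sw in ("/v", "/d") and i + 1 < len(toks):
            parsed["value" if sw == "/v" else "data"] = toks[i + 1]
            i += 2
        elif sw == "/ve":
            parsed["value"] = ""
            i += 1
        else:  # /f, /t <type>, /s <sep> and anything else are irrelevant here
            i += 1
    return parsed


def check_winlogon(cmdline):
    """Alert dict when Shell or Userinit under Winlogon is set to anything but its default."""
    parsed = parse_reg_add(cmdline)
    if not parsed or not WINLOGON_KEY.match(parsed["key"]):
        return None
    name = (parsed["value"] or "").lower()
    if name not in EXPECTED:
        return None
    entries = [e.strip() for e in (parsed["data"] or "").split(",") if e.strip()]
    present = {e.lower() for e in entries}
    added = [e for e in entries if e.lower() not in EXPECTED[name]]
    missing = [e for e in EXPECTED[name] if e not in present]
    if not added and not missing:
        return None
    return {"key": parsed["key"], "value": parsed["value"], "added": added, "missing": missing}


def scan_log(lines):
    """Run check_winlogon over process-creation records; return the alerts with context."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hit = check_winlogon(m["cmd"])
        if hit:
            hit.update(ts=m["ts"], pid=int(m["pid"]), parent=m["parent"])
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} pid={a['pid']} parent={a['parent']}: {a['value']} under {a['key']} "
              f"added {a['added'] or '-'} missing {a['missing'] or '-'}")
```

The check is deliberately on the parsed key, value name and comma-separated data rather than on a substring such as "Winlogon", so a legitimate reset to the default produces no alert while the same key written with an extra executable does. Command-line telemetry only covers reg.exe; the same value can be set through the registry API or PowerShell, so a registry-modification event source (Sysmon Event ID 13 on the Shell and Userinit values) is the complementary detection.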
    Source: 18.2.InstallUtil.exe.4337c5e.11.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.4337c5e.11.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.412d7e1.7.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.412d7e1.7.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7dc0000.25.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7dc0000.25.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7e00000.29.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e00000.29.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.4139a15.8.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.4139a15.8.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.61a0000.19.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tric
ks/
    Source: 18.2.InstallUtil.exe.61a0000.19.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b4a0e7.6.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b4a0e7.6.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b4a0e7.6.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.MainProc.exe.393b248.9.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.393b248.9.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.393b248.9.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.4337c5e.11.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.4337c5e.11.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7e50000.35.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e50000.35.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.432982e.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.432982e.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7e90000.36.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e90000.36.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.6570000.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.6570000.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.3042240.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.3042240.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.3042240.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.43209ff.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.43209ff.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.43209ff.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.414e042.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.414e042.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.3ffd069.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.3ffd069.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7dc0000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7dc0000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.MainProc.exe.3927fe7.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.3927fe7.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.3927fe7.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.7e90000.36.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e90000.36.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.43209ff.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.43209ff.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.38f542a.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.38f542a.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.38f542a.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.432982e.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.432982e.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.3ff8a40.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.3ff8a40.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7de0000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7de0000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7dd0000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7dd0000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7e10000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e10000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.74c0000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.74c0000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7e5e8a4.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e5e8a4.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.3ff8a40.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.3ff8a40.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7e54c9f.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e54c9f.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.3810737.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.3810737.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.43b4b28.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.43b4b28.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.43b4b28.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.43b4b28.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.7e10000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e10000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.74c0000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.74c0000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7de0000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7de0000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.61a4629.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.61a4629.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.5870000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.5870000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7e20000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e20000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.4139a15.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.4139a15.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.3035ff8.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.3035ff8.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.6570000.22.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.6570000.22.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a32837.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a32837.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.MainProc.exe.37ddb7a.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.37ddb7a.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.37ddb7a.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.MainProc.exe.393b248.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.393b248.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.393b248.9.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.MainProc.exe.38f542a.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.38f542a.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.38f542a.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.43afcf2.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.43afcf2.13.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.7e40000.32.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e40000.32.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.38239ba.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.38239ba.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.38239ba.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.61a0000.19.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.61a0000.19.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7e40000.32.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e40000.32.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.412d7e1.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.412d7e1.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.7e20000.31.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e20000.31.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7e50000.35.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e50000.35.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.3679510.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.3679510.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.3679510.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.7df0000.28.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7df0000.28.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.7e00000.29.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.7e00000.29.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.3035ff8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.3035ff8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 18.2.InstallUtil.exe.3035ff8.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.MainProc.exe.38239ba.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.38239ba.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 12.2.MainProc.exe.38239ba.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.43b9151.15.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.43b9151.15.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.3042240.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.3042240.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.MainProc.exe.37ddb7a.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 12.2.MainProc.exe.37ddb7a.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 18.2.InstallUtil.exe.2fe5d94.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.2fe5d94.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000012.00000002.944192934.0000000007E20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.944192934.0000000007E20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000012.00000002.944407587.0000000007E90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.944407587.0000000007E90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000012.00000002.944029550.0000000007DC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.944029550.0000000007DC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000012.00000002.941935265.00000000061A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.941935265.00000000061A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000012.00000002.944158898.0000000007E10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.944158898.0000000007E10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000012.00000002.944132813.0000000007E00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.944132813.0000000007E00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000000.00000002.739152820.00000000039B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.739152820.00000000039B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000012.00000002.943444482.00000000074C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.943444482.00000000074C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000012.00000002.944269292.0000000007E50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.944269292.0000000007E50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000012.00000002.942229491.0000000006570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.942229491.0000000006570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000012.00000002.941578983.0000000005870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.941578983.0000000005870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000012.00000002.944075779.0000000007DE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000012.00000002.944075779.0000000007DE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000012.00000002.944247779.0000000007E40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 18.2.InstallUtil.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 18.2.InstallUtil.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
    Source: 18.2.InstallUtil.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
    Source: classification engineClassification label: mal100.troj.evad.winEXE@38/23@8/4
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File created: C:\Program Files (x86)\DHCP Monitor
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | File created: C:\Users\user\AppData\Roaming\MainProc.exe
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_01
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2224:120:WilError_01
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{c9622013-90b3-4810-9b2a-2fbba1723547}
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
    Source: Quotation Request August RFQ8012021.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\smss.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: Quotation Request August RFQ8012021.exe | Virustotal: Detection: 26%
    Source: Quotation Request August RFQ8012021.exe | ReversingLabs: Detection: 15%
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | File read: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe
    Source: unknown | Process created: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe 'C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe'
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\AppData\Roaming\MainProc.exe,'
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\AppData\Roaming\MainProc.exe,'
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Process created: C:\Users\user\AppData\Roaming\MainProc.exe 'C:\Users\user\AppData\Roaming\MainProc.exe'
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Process created: C:\Users\user\AppData\Local\Temp\smss.exe 'C:\Users\user\AppData\Local\Temp\smss.exe'
    Source: C:\Users\user\AppData\Local\Temp\smss.exe | Process created: C:\Users\user\AppData\Local\Temp\smss.exe 'C:\Users\user\AppData\Local\Temp\smss.exe'
    Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: Quotation Request August RFQ8012021.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: Quotation Request August RFQ8012021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
    Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000012.00000000.787284435.0000000000C62000.00000002.00020000.sdmp, dhcpmon.exe, 0000001A.00000000.826245650.0000000000B72000.00000002.00020000.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
    Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, dhcpmon.exe, 0000001A.00000000.826245650.0000000000B72000.00000002.00020000.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp

    Data Obfuscation:

    .NET source code contains potential unpacker
    Source: Quotation Request August RFQ8012021.exe, Ft8/Cf6.cs | .Net Code: k7BL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: MainProc.exe.0.dr, Ft8/Cf6.cs | .Net Code: k7BL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 0.2.Quotation Request August RFQ8012021.exe.450000.0.unpack, Ft8/Cf6.cs | .Net Code: k7BL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 0.0.Quotation Request August RFQ8012021.exe.450000.0.unpack, Ft8/Cf6.cs | .Net Code: k7BL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 12.0.MainProc.exe.200000.0.unpack, Ft8/Cf6.cs | .Net Code: k7BL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 12.2.MainProc.exe.200000.0.unpack, Ft8/Cf6.cs | .Net Code: k7BL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 18.2.InstallUtil.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 18.2.InstallUtil.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: smss.exe.12.dr | Static PE information: 0xC7142059 [Sun Nov 3 05:36:25 2075 UTC]
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Code function: 0_2_00455483 push es; ret 0_2_00455613
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Code function: 0_2_0045B51D push es; ret 0_2_0045B53F
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Code function: 0_2_04CE3F02 push E802005Eh; ret 0_2_04CE3F09
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Code function: 12_2_00205483 push es; ret 12_2_00205613
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Code function: 12_2_0020B51D push es; ret 12_2_0020B53F
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Code function: 12_2_00D0BEF8 push eax; retf 12_2_00D0BEF9
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Code function: 12_2_05FE019F pushfd ; ret 12_2_05FE01A9
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 18_2_07EC7983 push es; ret 18_2_07EC7984
    Source: Quotation Request August RFQ8012021.exe, Ky59/f0L9.cs | High entropy of concatenated method names: '.ctor', 'm0EC', 'j6B8', 'Nx6r', 'Ep52', 'g4TH', 'Ke02', 'Jx25', 'd2P0', 'Ex3d'
    Source: Quotation Request August RFQ8012021.exe, Mz7/a3L.cs | High entropy of concatenated method names: '.ctor', 's0Z', 'x5L', 'o7C', 'To6', 'y2Y', 'i0Y', 'Nf8', 'm3L', 'Sd2'
    Source: Quotation Request August RFQ8012021.exe, x5BK/Zc7d.cs | High entropy of concatenated method names: '.ctor', 'Zo7t', 'y4G5', 't8E7', 'Nb9m', 'Ey57', 'o0HQ', 'e7Q4', 'Ag70', 'Pe54'
    Source: Quotation Request August RFQ8012021.exe, Sa4/c1M.cs | High entropy of concatenated method names: '.ctor', 'Yp9', 'Yk8c', 'Ar20', 'Qg7f', 'a7RZ', 'Rn4c', 'Gg72', 'f5FY', 'n9FT'
    Source: MainProc.exe.0.dr, Mz7/a3L.cs | High entropy of concatenated method names: '.ctor', 's0Z', 'x5L', 'o7C', 'To6', 'y2Y', 'i0Y', 'Nf8', 'm3L', 'Sd2'
    Source: MainProc.exe.0.dr, Ky59/f0L9.cs | High entropy of concatenated method names: '.ctor', 'm0EC', 'j6B8', 'Nx6r', 'Ep52', 'g4TH', 'Ke02', 'Jx25', 'd2P0', 'Ex3d'
    Source: MainProc.exe.0.dr, x5BK/Zc7d.cs | High entropy of concatenated method names: '.ctor', 'Zo7t', 'y4G5', 't8E7', 'Nb9m', 'Ey57', 'o0HQ', 'e7Q4', 'Ag70', 'Pe54'
    Source: MainProc.exe.0.dr, Sa4/c1M.cs | High entropy of concatenated method names: '.ctor', 'Yp9', 'Yk8c', 'Ar20', 'Qg7f', 'a7RZ', 'Rn4c', 'Gg72', 'f5FY', 'n9FT'
    Source: 0.2.Quotation Request August RFQ8012021.exe.450000.0.unpack, Mz7/a3L.cs | High entropy of concatenated method names: '.ctor', 's0Z', 'x5L', 'o7C', 'To6', 'y2Y', 'i0Y', 'Nf8', 'm3L', 'Sd2'
    Source: 0.2.Quotation Request August RFQ8012021.exe.450000.0.unpack, Ky59/f0L9.cs | High entropy of concatenated method names: '.ctor', 'm0EC', 'j6B8', 'Nx6r', 'Ep52', 'g4TH', 'Ke02', 'Jx25', 'd2P0', 'Ex3d'
    Source: 0.2.Quotation Request August RFQ8012021.exe.450000.0.unpack, x5BK/Zc7d.cs | High entropy of concatenated method names: '.ctor', 'Zo7t', 'y4G5', 't8E7', 'Nb9m', 'Ey57', 'o0HQ', 'e7Q4', 'Ag70', 'Pe54'
    Source: 0.2.Quotation Request August RFQ8012021.exe.450000.0.unpack, Sa4/c1M.cs | High entropy of concatenated method names: '.ctor', 'Yp9', 'Yk8c', 'Ar20', 'Qg7f', 'a7RZ', 'Rn4c', 'Gg72', 'f5FY', 'n9FT'
    Source: 0.0.Quotation Request August RFQ8012021.exe.450000.0.unpack, Ky59/f0L9.cs | High entropy of concatenated method names: '.ctor', 'm0EC', 'j6B8', 'Nx6r', 'Ep52', 'g4TH', 'Ke02', 'Jx25', 'd2P0', 'Ex3d'
    Source: 0.0.Quotation Request August RFQ8012021.exe.450000.0.unpack, Mz7/a3L.cs | High entropy of concatenated method names: '.ctor', 's0Z', 'x5L', 'o7C', 'To6', 'y2Y', 'i0Y', 'Nf8', 'm3L', 'Sd2'
    Source: 0.0.Quotation Request August RFQ8012021.exe.450000.0.unpack, x5BK/Zc7d.cs | High entropy of concatenated method names: '.ctor', 'Zo7t', 'y4G5', 't8E7', 'Nb9m', 'Ey57', 'o0HQ', 'e7Q4', 'Ag70', 'Pe54'
    Source: 0.0.Quotation Request August RFQ8012021.exe.450000.0.unpack, Sa4/c1M.cs | High entropy of concatenated method names: '.ctor', 'Yp9', 'Yk8c', 'Ar20', 'Qg7f', 'a7RZ', 'Rn4c', 'Gg72', 'f5FY', 'n9FT'
    Source: smss.exe.12.dr, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs | High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
    Source: smss.exe.12.dr, Astronotplart/gabKErPURPS76kDKjrme.cs | High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
    Source: smss.exe.12.dr, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs | High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
    Source: smss.exe.12.dr, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs | High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
    Source: smss.exe.12.dr, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs | High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
    Source: 12.0.MainProc.exe.200000.0.unpack, Mz7/a3L.cs | High entropy of concatenated method names: '.ctor', 's0Z', 'x5L', 'o7C', 'To6', 'y2Y', 'i0Y', 'Nf8', 'm3L', 'Sd2'
    Source: 12.0.MainProc.exe.200000.0.unpack, Ky59/f0L9.cs | High entropy of concatenated method names: '.ctor', 'm0EC', 'j6B8', 'Nx6r', 'Ep52', 'g4TH', 'Ke02', 'Jx25', 'd2P0', 'Ex3d'
    Source: 12.0.MainProc.exe.200000.0.unpack, Sa4/c1M.cs | High entropy of concatenated method names: '.ctor', 'Yp9', 'Yk8c', 'Ar20', 'Qg7f', 'a7RZ', 'Rn4c', 'Gg72', 'f5FY', 'n9FT'
    Source: 12.0.MainProc.exe.200000.0.unpack, x5BK/Zc7d.cs | High entropy of concatenated method names: '.ctor', 'Zo7t', 'y4G5', 't8E7', 'Nb9m', 'Ey57', 'o0HQ', 'e7Q4', 'Ag70', 'Pe54'
    Source: 12.2.MainProc.exe.200000.0.unpack, Ky59/f0L9.cs | High entropy of concatenated method names: '.ctor', 'm0EC', 'j6B8', 'Nx6r', 'Ep52', 'g4TH', 'Ke02', 'Jx25', 'd2P0', 'Ex3d'
    Source: 12.2.MainProc.exe.200000.0.unpack, Mz7/a3L.cs | High entropy of concatenated method names: '.ctor', 's0Z', 'x5L', 'o7C', 'To6', 'y2Y', 'i0Y', 'Nf8', 'm3L', 'Sd2'
    Source: 12.2.MainProc.exe.200000.0.unpack, Sa4/c1M.cs | High entropy of concatenated method names: '.ctor', 'Yp9', 'Yk8c', 'Ar20', 'Qg7f', 'a7RZ', 'Rn4c', 'Gg72', 'f5FY', 'n9FT'
    Source: 12.2.MainProc.exe.200000.0.unpack, x5BK/Zc7d.cs | High entropy of concatenated method names: '.ctor', 'Zo7t', 'y4G5', 't8E7', 'Nb9m', 'Ey57', 'o0HQ', 'e7Q4', 'Ag70', 'Pe54'
    Source: 18.2.InstallUtil.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 18.2.InstallUtil.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

    Persistence and Installation Behavior:

    Drops PE files with benign system names
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | File created: C:\Users\user\AppData\Local\Temp\smss.exe
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | File created: C:\Users\user\AppData\Roaming\MainProc.exe
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

    Boot Survival:

    Creates an undocumented autostart registry key
    Source: C:\Windows\SysWOW64\reg.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell

    Hooking and other Techniques for Hiding and Protection:

    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | File opened: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe\:Zone.Identifier read attributes | delete
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | File opened: C:\Users\user\AppData\Roaming\MainProc.exe\:Zone.Identifier read attributes | delete
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Temp\InstallUtil.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\MainProc.exe Process information set: NOOPENFILEERRORBOX (51 occurrences)
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX (44 occurrences)
    Source: C:\Users\user\AppData\Local\Temp\smss.exe Process information set: NOOPENFILEERRORBOX (110 occurrences)
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX (17 occurrences)
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\smss.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\smss.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\smss.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Window / User API: threadDelayed 362
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Window / User API: threadDelayed 6786
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Window / User API: threadDelayed 2569
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Window / User API: threadDelayed 2016
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Window / User API: threadDelayed 7538
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe TID: 6816 | Thread sleep time: -3689348814741908s >= -30000s
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe TID: 7012 | Thread sleep count: 362 > 30
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe TID: 6752 | Thread sleep time: -30000s >= -30000s
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe TID: 6708 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Roaming\MainProc.exe TID: 6336 | Thread sleep time: -24903104499507879s >= -30000s
    Source: C:\Users\user\AppData\Roaming\MainProc.exe TID: 6344 | Thread sleep count: 6786 > 30
    Source: C:\Users\user\AppData\Roaming\MainProc.exe TID: 6344 | Thread sleep count: 2569 > 30
    Source: C:\Users\user\AppData\Roaming\MainProc.exe TID: 7160 | Thread sleep count: 42 > 30
    Source: C:\Users\user\AppData\Roaming\MainProc.exe TID: 7160 | Thread sleep time: -42000s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5472 | Thread sleep time: -15679732462653109s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\smss.exe TID: 5528 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\smss.exe TID: 7012 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6876 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\smss.exe TID: 6496 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\smss.exe TID: 6440 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\smss.exe TID: 6960 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: reg.exe, 00000007.00000002.696744889.0000000003A60000.00000002.00000001.sdmp, InstallUtil.exe, 00000012.00000002.942909297.0000000006B90000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: InstallUtil.exe, 00000012.00000002.923504650.0000000001160000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+Qz~.
    Source: reg.exe, 00000007.00000002.696744889.0000000003A60000.00000002.00000001.sdmp, InstallUtil.exe, 00000012.00000002.942909297.0000000006B90000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: reg.exe, 00000007.00000002.696744889.0000000003A60000.00000002.00000001.sdmp, InstallUtil.exe, 00000012.00000002.942909297.0000000006B90000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: smss.exe, 00000016.00000002.813924994.0000000000A81000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: MainProc.exe, 0000000C.00000002.927040949.000000000098F000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: reg.exe, 00000007.00000002.696744889.0000000003A60000.00000002.00000001.sdmp, InstallUtil.exe, 00000012.00000002.942909297.0000000006B90000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Process information queried: ProcessInformation
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Code function: 12_2_00D09A60 LdrInitializeThunk, 12_2_00D09A60
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Process token adjusted: Debug
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Process token adjusted: Debug
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process token adjusted: Debug
    Source: C:\Users\user\AppData\Local\Temp\smss.exe | Process token adjusted: Debug
    Source: C:\Users\user\AppData\Local\Temp\smss.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion:

    Allocates memory in foreign processes
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
    Injects a PE file into a foreign processes
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
    Writes to foreign memory regions
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 422000
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: EB2008
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\AppData\Roaming\MainProc.exe,'
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Process created: C:\Users\user\AppData\Roaming\MainProc.exe 'C:\Users\user\AppData\Roaming\MainProc.exe'
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\AppData\Roaming\MainProc.exe,'
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Process created: C:\Users\user\AppData\Local\Temp\smss.exe 'C:\Users\user\AppData\Local\Temp\smss.exe'
    Source: C:\Users\user\AppData\Local\Temp\smss.exe | Process created: C:\Users\user\AppData\Local\Temp\smss.exe 'C:\Users\user\AppData\Local\Temp\smss.exe'
    Source: C:\Users\user\AppData\Local\Temp\smss.exe | Process created: C:\Users\user\AppData\Local\Temp\smss.exe 'C:\Users\user\AppData\Local\Temp\smss.exe'
    Source: MainProc.exe, 0000000C.00000002.928939083.00000000010B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000012.00000002.932054814.0000000003289000.00000004.00000001.sdmp, smss.exe, 00000017.00000002.925034890.0000000001390000.00000002.00000001.sdmp, smss.exe, 00000019.00000002.924968623.0000000001490000.00000002.00000001.sdmp, smss.exe, 0000001D.00000002.924435883.00000000014D0000.00000002.00000001.sdmp, smss.exe, 00000020.00000002.923883933.00000000020D0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
    Source: MainProc.exe, 0000000C.00000002.928939083.00000000010B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000012.00000002.927287222.0000000001830000.00000002.00000001.sdmp, smss.exe, 00000017.00000002.925034890.0000000001390000.00000002.00000001.sdmp, smss.exe, 00000019.00000002.924968623.0000000001490000.00000002.00000001.sdmp, smss.exe, 0000001D.00000002.924435883.00000000014D0000.00000002.00000001.sdmp, smss.exe, 00000020.00000002.923883933.00000000020D0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
    Source: MainProc.exe, 0000000C.00000002.928939083.00000000010B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000012.00000002.927287222.0000000001830000.00000002.00000001.sdmp, smss.exe, 00000017.00000002.925034890.0000000001390000.00000002.00000001.sdmp, smss.exe, 00000019.00000002.924968623.0000000001490000.00000002.00000001.sdmp, smss.exe, 0000001D.00000002.924435883.00000000014D0000.00000002.00000001.sdmp, smss.exe, 00000020.00000002.923883933.00000000020D0000.00000002.00000001.sdmp | Binary or memory string: Progman
    Source: MainProc.exe, 0000000C.00000002.928939083.00000000010B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000012.00000002.927287222.0000000001830000.00000002.00000001.sdmp, smss.exe, 00000017.00000002.925034890.0000000001390000.00000002.00000001.sdmp, smss.exe, 00000019.00000002.924968623.0000000001490000.00000002.00000001.sdmp, smss.exe, 0000001D.00000002.924435883.00000000014D0000.00000002.00000001.sdmp, smss.exe, 00000020.00000002.923883933.00000000020D0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
    Source: InstallUtil.exe, 00000012.00000002.929393891.00000000030B9000.00000004.00000001.sdmp | Binary or memory string: Program Manager`
    Source: InstallUtil.exe, 00000012.00000002.929393891.00000000030B9000.00000004.00000001.sdmp | Binary or memory string: Program Manager
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Queries volume information: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe VolumeInformation
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Queries volume information: C:\Users\user\AppData\Roaming\MainProc.exe VolumeInformation
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\MainProc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\smss.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\smss.exe VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\smss.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\smss.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\smss.exe VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\smss.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 18_2_07EC3CA8 GetSystemTimes, 18_2_07EC3CA8
    Source: C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

    Stealing of Sensitive Information:

    Yara detected Nanocore RAT
    Source: Yara match | File source: 18.2.InstallUtil.exe.61a0000.19.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3b4a0e7.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.393b248.9.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.3ffd069.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.3927fe7.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.38f542a.7.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.3ff8a40.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.3ff8a40.6.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.3810737.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.43b4b28.14.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.43b4b28.14.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3b5d348.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.61a4629.20.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3a32837.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.37ddb7a.5.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.393b248.9.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.38f542a.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.43afcf2.13.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.38239ba.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.3a45aba.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.61a0000.19.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.Quotation Request August RFQ8012021.exe.39ffc7a.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.3679510.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.MainProc.exe.38239ba.6.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 18.2.InstallUtil.exe.43b9151.15.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.Quotation Request August RFQ8012021.exe.3b1752a.7.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.MainProc.exe.37ddb7a.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000012.00000002.941935265.00000000061A0000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.739152820.00000000039B9000.00000004.00000001.sdmp, type: MEMORY

    Remote Access Functionality:

    Detected Nanocore Rat
    Source: Quotation Request August RFQ8012021.exe, 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: MainProc.exe, 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: InstallUtil.exeString found in binary or memory: NanoCore.ClientPluginHost

    Mitre Att&ck Matrix

    Techniques matched per tactic (digits fused to a technique name are the count badges the matrix shows beside it):

    Initial Access: Valid Accounts1, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools, Compromise Software Supply Chain
    Execution: Windows Management Instrumentation1, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell, Unix Shell
    Persistence: Valid Accounts1, Registry Run Keys / Startup Folder1, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd
    Privilege Escalation: Valid Accounts1, Access Token Manipulation1, Process Injection312, Registry Run Keys / Startup Folder1, Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd
    Defense Evasion: Disable or Modify Tools1, Deobfuscate/Decode Files or Information1, Obfuscated Files or Information2, Software Packing11, Timestomp1, Masquerading12, Valid Accounts1, Modify Registry1, Access Token Manipulation1, Virtualization/Sandbox Evasion21, Process Injection312, Hidden Files and Directories1
    Credential Access: Input Capture21, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture, Keylogging
    Discovery: System Time Discovery1, File and Directory Discovery1, System Information Discovery13, Query Registry1, Security Software Discovery111, Process Discovery2, Virtualization/Sandbox Evasion21, Application Window Discovery1, Remote System Discovery1, Process Discovery, Permission Groups Discovery, Local Groups
    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content, Replication Through Removable Media, Component Object Model and Distributed COM
    Collection: Archive Collected Data11, Input Capture21, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging, Screen Capture
    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Physical Medium, Exfiltration over USB
    Command and Control: Encrypted Channel12, Non-Standard Port1, Remote Access Software1, Non-Application Layer Protocol1, Application Layer Protocol12, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols, DNS
    Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
    Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
    Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery

    Behavior Graph


    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    Behavior Graph ID: 457719, Sample: Quotation Request August RF..., Startdate: 02/08/2021, Architecture: WINDOWS, Score: 100

    Process tree from the behavior graph (bracketed numbers are the per-process counts shown next to the node name):

    Start
      Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Sigma detected: NanoCore; 7 other signatures
      started: Quotation Request August RFQ8012021.exe [15 7]
        DNS/IP: www.google.com 172.217.168.68, ports 443, 49732, 49745, GOOGLEUS, United States
        dropped: C:\Users\user\AppData\Roaming\MainProc.exe (PE32); C:\Users\user\AppData\...\InstallUtil.exe (PE32); C:\Users\...\MainProc.exe:Zone.Identifier (ASCII); Quotation Request ... RFQ8012021.exe.log (ASCII)
        Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
        started: MainProc.exe [14 5]
          DNS/IP: 192.168.2.1 unknown unknown; www.google.com
          dropped: C:\Users\user\AppData\Local\Temp\smss.exe (PE32)
          Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 4 other signatures
          started: InstallUtil.exe [1 12]
            DNS/IP: 185.140.53.253, ports 1604, 49765, 49766, DAVID_CRAIGGG, Sweden; dedicatedlambo9.ddns.net 84.38.133.182, ports 1604, 49768, 49770, DATACLUB-NL, Latvia
            dropped: C:\Users\user\AppData\Roaming\...\run.dat (data); C:\Program Files (x86)\...\dhcpmon.exe (PE32)
            Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
          started: smss.exe [2]
            Signatures: Multi AV Scanner detection for dropped file
            started: smss.exe
          started: smss.exe
            started: smss.exe
          started: 3 other processes
            started: smss.exe; smss.exe
        started: cmd.exe [1]
          started: reg.exe [1 1]
            Signatures: Creates an undocumented autostart registry key
          started: conhost.exe
      started: dhcpmon.exe
        started: conhost.exe

    Screenshots


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    Quotation Request August RFQ8012021.exe | 26% | Virustotal |
    Quotation Request August RFQ8012021.exe | 15% | ReversingLabs |
    Quotation Request August RFQ8012021.exe | 100% | Joe Sandbox ML |

    Dropped Files

    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Roaming\MainProc.exe | 100% | Joe Sandbox ML |
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |
    C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | Metadefender |
    C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | ReversingLabs |
    C:\Users\user\AppData\Local\Temp\smss.exe | 14% | Metadefender |
    C:\Users\user\AppData\Local\Temp\smss.exe | 13% | ReversingLabs |
    C:\Users\user\AppData\Roaming\MainProc.exe | 15% | ReversingLabs |

    Unpacked PE Files

    Source | Detection | Scanner | Label
    18.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    18.2.InstallUtil.exe.61a0000.19.unpack | 100% | Avira | TR/NanoCore.fadte
    18.2.InstallUtil.exe.3ff8a40.6.unpack | 100% | Avira | TR/NanoCore.fadte

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    http://crl.pki.goog/gsr1/gsr1.crl0; | 0% | URL Reputation | safe
    http://ns.adobe.cobj | 0% | URL Reputation | safe
    http://ns.adobe.cobj?& | 0% | Avira URL Cloud | safe
    http://ns.ado/1?& | 0% | Avira URL Cloud | safe
    http://ns.d | 0% | URL Reputation | safe
    http://ns.adobe.c/g5 | 0% | Avira URL Cloud | safe
    http://crl.pki.goog/gtsr1/gtsr1.crl0W | 0% | URL Reputation | safe
    http://pki.goog/gsr1/gsr1.crt02 | 0% | URL Reputation | safe
    http://ns.adobe.c/g | 0% | URL Reputation | safe
    https://pki.goog/repository/0 | 0% | URL Reputation | safe
    http://ns.adobe.cobj5 | 0% | Avira URL Cloud | safe
    http://ns.adobe.c/g?& | 0% | Avira URL Cloud | safe
    http://ns.ado/1 | 0% | URL Reputation | safe
    http://ns.ado/15 | 0% | Avira URL Cloud | safe
    http://crls.pki.goog/gts1c3/fVJxbV-Ktmk.crl0 | 0% | Avira URL Cloud | safe
    http://pki.goog/repo/certs/gts1c3.der0 | 0% | URL Reputation | safe
    http://pki.goog/repo/certs/gtsr1.der04 | 0% | URL Reputation | safe

    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    dedicatedlambo9.ddns.net | 84.38.133.182 | true | false | | high
    www.google.com | 172.217.168.68 | true | false | | high

        URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    https://www.google.com | Quotation Request August RFQ8012021.exe, 00000000.00000002.737189942.0000000002891000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000002.929470061.0000000002671000.00000004.00000001.sdmp | false | | high
    http://crl.pki.goog/gsr1/gsr1.crl0; | MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    http://ns.adobe.cobj | Quotation Request August RFQ8012021.exe, 00000000.00000002.745016724.00000000066F6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    http://ns.adobe.cobj?& | MainProc.exe, 0000000C.00000003.762407199.0000000006626000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://ns.ado/1?& | MainProc.exe, 0000000C.00000003.762407199.0000000006626000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://ns.d | Quotation Request August RFQ8012021.exe, 00000000.00000003.669545817.00000000066F6000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000003.743302521.0000000006626000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    http://ns.adobe.c/g5 | Quotation Request August RFQ8012021.exe, 00000000.00000003.671244020.00000000066F6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://crl.pki.goog/gtsr1/gtsr1.crl0W | MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    http://pki.goog/gsr1/gsr1.crt02 | MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    http://ns.adobe.c/g | Quotation Request August RFQ8012021.exe, 00000000.00000002.745016724.00000000066F6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    https://pki.goog/repository/0 | MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    http://google.com | InstallUtil.exe, 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp | false | | high
    http://ns.adobe.cobj5 | Quotation Request August RFQ8012021.exe, 00000000.00000003.671244020.00000000066F6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Quotation Request August RFQ8012021.exe, 00000000.00000002.737189942.0000000002891000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000002.929470061.0000000002671000.00000004.00000001.sdmp | false | | high
    http://ns.adobe.c/g?& | MainProc.exe, 0000000C.00000003.762407199.0000000006626000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    https://www.google.com/ | Quotation Request August RFQ8012021.exe, Quotation Request August RFQ8012021.exe, 00000000.00000002.734568182.0000000000452000.00000002.00020000.sdmp, MainProc.exe, MainProc.exe, 0000000C.00000000.730058481.0000000000202000.00000002.00020000.sdmp | false | | high
    http://schema.org/WebPage | MainProc.exe, 0000000C.00000002.929570918.000000000269C000.00000004.00000001.sdmp | false | | high
    http://ns.ado/1 | Quotation Request August RFQ8012021.exe, 00000000.00000002.745016724.00000000066F6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
    http://ns.ado/15 | Quotation Request August RFQ8012021.exe, 00000000.00000003.671244020.00000000066F6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
    http://crls.pki.goog/gts1c3/fVJxbV-Ktmk.crl0 | Quotation Request August RFQ8012021.exe, 00000000.00000002.737236895.00000000028BD000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmp | false | |
                  • Avira URL Cloud: safe
                  unknown
                  http://pki.goog/repo/certs/gts1c3.der0Quotation Request August RFQ8012021.exe, 00000000.00000002.737236895.00000000028BD000.00000004.00000001.sdmp, MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://pki.goog/repo/certs/gtsr1.der04MainProc.exe, 0000000C.00000003.896487259.00000000009E5000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  unknown

                  Contacted IPs


                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
172.217.168.68 | www.google.com | United States | 15169 | GOOGLEUS | false
84.38.133.182 | dedicatedlambo9.ddns.net | Latvia | 203557 | DATACLUB-NL | false
185.140.53.253 | unknown | Sweden | 209623 | DAVID_CRAIGGG | false

                  Private

                  IP
                  192.168.2.1

                  General Information

                  Joe Sandbox Version:33.0.0 White Diamond
                  Analysis ID:457719
                  Start date:02.08.2021
                  Start time:08:43:06
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 14m 39s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Sample file name:Quotation Request August RFQ8012021.exe
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:39
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@38/23@8/4
                  EGA Information:Failed
                  HDC Information:
                  • Successful, ratio: 1.6% (good quality ratio 1.3%)
                  • Quality average: 66.9%
                  • Quality standard deviation: 33.7%
                  HCA Information:
                  • Successful, ratio: 99%
                  • Number of executed functions: 70
                  • Number of non-executed functions: 1
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .exe
                  Warnings:
                  • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                  • Excluded IPs from analysis (whitelisted): 52.255.188.83, 23.211.6.115, 104.42.151.234, 204.79.197.200, 13.107.21.200, 20.82.209.183, 93.184.221.240, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.50.102.62
                  • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                  • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                  • Report creation exceeded maximum time and may have missing disassembly code information.
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.

                  Simulations

                  Behavior and APIs

Time | Type | Description
08:44:35 | API Interceptor | 1x Sleep call for process: Quotation Request August RFQ8012021.exe modified
08:45:07 | API Interceptor | 461x Sleep call for process: InstallUtil.exe modified
08:45:09 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  No context

                  ASN

                  No context

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                  Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):41064
                  Entropy (8bit):6.164873449128079
                  Encrypted:false
                  SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
                  MD5:EFEC8C379D165E3F33B536739AEE26A3
                  SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
                  SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                  SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
                  Malicious:false
                  Antivirus:
• Antivirus: Metadefender, Detection: 0%
                  • Antivirus: ReversingLabs, Detection: 0%
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation Request August RFQ8012021.exe.log
                  Process:C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:modified
                  Size (bytes):1316
                  Entropy (8bit):5.343667025898124
                  Encrypted:false
                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7csXE4D8Q:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHe
                  MD5:379135DE3C31F3A766187BD9B6C730C9
                  SHA1:BEFFE8BDE231861A3FD901A12F51523399B9A5E7
                  SHA-256:BDE88F5C7F95E26FFC5EBE86C38AE61E78E0A5AA932A83DE00F2A46DB24DD22D
                  SHA-512:2897AAB0225823AC258D5D5E52B43140F2B47603689C968243F515B516A2712CAC69A0D7317C53575CF725D7EBDC85C93637F57E626778117364D5666C9FB993
                  Malicious:true
                  Reputation:unknown
                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:modified
                  Size (bytes):950
                  Entropy (8bit):5.350971482944737
                  Encrypted:false
                  SSDEEP:24:MLiKNE4qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MeIH2HKXwYHKhQnoPtHoxHhAHKzva
                  MD5:CEE81B7EB08EE82CFE49E47B81B50D1A
                  SHA1:4746C7068BD50E3309BFFDBE8983B8F27D834DFD
                  SHA-256:B9A90255691E7C9D3CCBD27D00FC514DDD6087446D8DB03335CEF1B5634CC460
                  SHA-512:AF5865439412974FCB6B11E22CFFF1ACA0BEBF83CF398D6056CEEF93720AF0FBCB579858C39E6AA0D989680F2180F2CA181D7D12887604B420D0E1976B8AEA77
                  Malicious:false
                  Reputation:unknown
                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..
                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\smss.exe.log
                  Process:C:\Users\user\AppData\Local\Temp\smss.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1362
                  Entropy (8bit):5.343186145897752
                  Encrypted:false
                  SSDEEP:24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovj
                  MD5:1249251E90A1C28AB8F7235F30056DEB
                  SHA1:166BA6B64E9B0D9BA7B856334F7D7EC027030BA1
                  SHA-256:B5D65BF3581136CD5368BC47FA3972E06F526EED407BC6571D11D9CD4B5C4D83
                  SHA-512:FD880C5B12B22241F67139ABD09B99ACE7A4DD24635FC6B340A3E7C463E2AEF3FA68EF647352132934BC1F8CA134F46064049449ACB67954BEDDEA9AA9670885
                  Malicious:false
                  Reputation:unknown
                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                  C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                  Process:C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe
                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):41064
                  Entropy (8bit):6.164873449128079
                  Encrypted:false
                  SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
                  MD5:EFEC8C379D165E3F33B536739AEE26A3
                  SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
                  SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                  SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
                  Malicious:true
                  Antivirus:
• Antivirus: Metadefender, Detection: 0%
                  • Antivirus: ReversingLabs, Detection: 0%
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\smss.exe
                  Process:C:\Users\user\AppData\Roaming\MainProc.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):78336
                  Entropy (8bit):4.369296705546591
                  Encrypted:false
                  SSDEEP:768:jlU4+MS3Fu0thSOV4GM0SuHk9Oh/1TRIWUk7NlfaNV9KQLxXXSv:l6o03IGMLuHk+Ck5lfaNP7xSv
                  MD5:0E362E7005823D0BEC3719B902ED6D62
                  SHA1:590D860B909804349E0CDC2F1662B37BD62F7463
                  SHA-256:2D0DC6216F613AC7551A7E70A798C22AEE8EB9819428B1357E2B8C73BEF905AD
                  SHA-512:518991B68496B3F8545E418CF9B345E0791E09CC20D177B8AA47E0ABA447AA55383C64F5BDACA39F2B061A5D08C16F2AD484AF8A9F238CA23AB081618FBA3AD3
                  Malicious:true
                  Antivirus:
• Antivirus: Metadefender, Detection: 14%
                  • Antivirus: ReversingLabs, Detection: 13%
                  Reputation:unknown
                  C:\Users\user\AppData\Local\Temp\smss.txt
                  Process:C:\Users\user\AppData\Local\Temp\smss.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):0
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:DymfNt+kiEaKC5YIcEs:Wm1wknaZ5YPEs
                  MD5:6030D395E9112F76A144D1A2D3A5A74A
                  SHA1:8F8E1A7E7FC9711730CF084962911106AF1C890A
                  SHA-256:991205B28FA86D000ADA3BE09B940CD49598CBA126F4041DA905A4FCFAA541B3
                  SHA-512:28A229D642DFABA4F7AE7D972DC1B89FE89D4914E4451CEBCD57C9EBE780D397FCA9953EC8AF51A0F6BD2343A784907485EC051EA2C6B6CA803B731CAD852C04
                  Malicious:false
                  Reputation:unknown
                  Preview: 6288..C:\Users\user\AppData\Roaming\MainProc.exe..6196..
                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                  Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):1392
                  Entropy (8bit):7.024371743172393
                  Encrypted:false
                  SSDEEP:24:IQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUt4:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/f
                  MD5:E78C6686C5A1A9CB0724F84DEA9A75F0
                  SHA1:80E61D5BDC7AF293362024781DA66BEA9D370FF9
                  SHA-256:FBE0B513511C00AC3B7169E1BCFB675CFD708B249365D724269C23FAC1184967
                  SHA-512:FF3835238CAEA26D8800B56901AB962ACD2FA390F955C4A8A15B5817AAB7642D105538CF63938D218567501477FB4B23C2834F22CBC8BA0002C7BCACB2875637
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                  Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):8
                  Entropy (8bit):3.0
                  Encrypted:false
                  SSDEEP:3:F+1kw8n:dn
                  MD5:015F76206A31860FD0EBF2D06C6E4F1C
                  SHA1:0F85C4922624E7B45C9FFED521F18E293988484F
                  SHA-256:209B2BD9810266DEA38E4C30B19C6C050C2EE187D5A6FB4C025902F22FD35B45
                  SHA-512:173637CB893AE5A42394292CE39132AA1CEE1FA747BB64FB28E26C6AF88A76CAE3E5924333F7B8D1A8BC9846ECCADC383109F7325C9703F581B1C2DE1A07BB10
                  Malicious:true
                  Reputation:unknown
                  Preview: .....U.H
                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
                  Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):24
                  Entropy (8bit):4.501629167387823
                  Encrypted:false
                  SSDEEP:3:9bzY6oRDIvYk:RzWDI3
                  MD5:ACD3FB4310417DC77FE06F15B0E353E6
                  SHA1:80E7002E655EB5765FDEB21114295CB96AD9D5EB
                  SHA-256:DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
                  SHA-512:DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
                  Malicious:false
                  Reputation:unknown
                  Preview: 9iH...}Z.4..f..J".C;"a
                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                  Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):64
                  Entropy (8bit):5.320159765557392
                  Encrypted:false
                  SSDEEP:3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
                  MD5:BB0F9B9992809E733EFFF8B0E562CFD6
                  SHA1:F0BAB3CF73A04F5A689E6AFC764FEE9276992742
                  SHA-256:C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
                  SHA-512:AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
                  Malicious:false
                  Reputation:unknown
                  Preview: 9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.
                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                  Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):327432
                  Entropy (8bit):7.99938831605763
                  Encrypted:true
                  SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                  MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                  SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                  SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                  SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                  Malicious:false
                  Reputation:unknown
                  C:\Users\user\AppData\Roaming\MainProc.exe
                  Process:C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):775168
                  Entropy (8bit):6.683069808516563
                  Encrypted:false
                  SSDEEP:12288:BLLLO6nlb8uYhkOH7aSV7B+AcitG07iLQSWmJhbfvfkt:BPLRlb853uu7Bg0+LQSWP
                  MD5:DD69F329393643AA570BD3A940323136
                  SHA1:DBCB022F10C8CFCDD93A75253B9E20260F86DAFE
                  SHA-256:9327C22D332141A7EE037B2D393E0AD352A2FC4F6DC9B7CF9C78155D70681E6B
                  SHA-512:836B07E9F14621179B2C5CD4FA7F778F41A51240ED25B5C62A64D7F1B48B233FA972D6CA77A96B780D1F61251BEF9F5B982B694A02A359A55AD3DC2EC23DD0C8
                  Malicious:true
                  Antivirus:
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 15%
                  Reputation:unknown
                  C:\Users\user\AppData\Roaming\MainProc.exe:Zone.Identifier
                  Process:C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:true
                  Reputation:unknown
                  Preview: [ZoneTransfer]....ZoneId=0
                  \Device\ConDrv
                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):2017
                  Entropy (8bit):4.663189584482275
                  Encrypted:false
                  SSDEEP:48:zK4Qu4D4ql0+1AcJRy0EJP64gFljVlWo3ggxUnQK2qmBvgw1+5:zKJDEcTytNe3Wo3uQVBIe+5
                  MD5:9C305D95E7DA8FCA9651F7F426BB25BC
                  SHA1:FDB5C18C26CF5B83EF5DC297C0F9CEBEF6A97FFC
                  SHA-256:444F71CF504D22F0EE88024D61501D3B79AE5D1AFD521E72499F325F6B0B82BE
                  SHA-512:F2829518AE0F6DD35C1DE1175FC8BE3E52EDCAFAD0B2455AC593F5E5D4BD480B014F52C3AE24E742B914685513BE5DF862373E75C45BB7908C775D7E2E404DB3
                  Malicious:false
                  Reputation:unknown
                  Preview:
                  Microsoft (R) .NET Framework Installation utility Version 4.7.3056.0
                  Copyright (C) Microsoft Corporation. All rights reserved.

                  Usage: InstallUtil [/u | /uninstall] [option [...]] assembly [[option [...]] assembly] [...]]

                  InstallUtil executes the installers in each given assembly.
                  If the /u or /uninstall switch is specified, it uninstalls
                  the assemblies, otherwise it installs them. Unlike other
                  options, /u applies to all assemblies, regardless of where it
                  appears on the command line.

                  Installation is done in a transactioned way: If one of the
                  assemblies fails to install, the installations of all other
                  assemblies are rolled back. Uninstall is not transactioned.

                  Options take the form /switch=[value]. Any option that occurs
                  before the name of an assembly will apply to that assembly's
                  installation. Options are cumulative but overridable - options
                  specified for one assembly will apply to the next as well unless
                  the option is specified with a new value. The default for

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):6.683069808516563
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  • Win32 Executable (generic) a (10002005/4) 49.75%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Windows Screen Saver (13104/52) 0.07%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  File name:Quotation Request August RFQ8012021.exe
                  File size:775168
                  MD5:dd69f329393643aa570bd3a940323136
                  SHA1:dbcb022f10c8cfcdd93a75253b9e20260f86dafe
                  SHA256:9327c22d332141a7ee037b2d393e0ad352a2fc4f6dc9b7cf9c78155d70681e6b
                  SHA512:836b07e9f14621179b2c5cd4fa7f778f41a51240ed25b5c62a64d7f1b48b233fa972d6ca77a96b780d1f61251bef9f5b982b694a02a359a55ad3dc2ec23dd0c8
                  SSDEEP:12288:BLLLO6nlb8uYhkOH7aSV7B+AcitG07iLQSWmJhbfvfkt:BPLRlb853uu7Bg0+LQSWP

                  File Icon

                  Icon Hash:00828e8e8686b000

                  Static PE Info

                  General

                  Entrypoint:0x4be70e
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                  Time Stamp:0x31359EF3 [Thu Feb 29 12:41:23 1996 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:v4.0.30319
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                  Entrypoint Preview

                  Instruction
                  jmp dword ptr [00402000h]
                  add byte ptr [eax], al

                  Data Directories

                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbe6bc | 0x4f | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x64a | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc2000 | 0xc | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Sections

                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x2000 | 0xbc714 | 0xbc800 | False | 0.601980841761 | data | 6.69306847965 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rsrc | 0xc0000 | 0x64a | 0x800 | False | 0.361328125 | data | 3.73777316937 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0xc2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                  Resources

                  Name | RVA | Size | Type | Language | Country
                  RT_VERSION | 0xc00a0 | 0x3c0 | data | |
                  RT_MANIFEST | 0xc0460 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                  Imports

                  DLL | Import
                  mscoree.dll | _CorExeMain

                  Version Infos

                  Description | Data
                  Translation | 0x0000 0x04b0
                  LegalCopyright | Copyright 2002 I22F6?H99HDB==A8GG=
                  Assembly Version | 1.0.0.0
                  InternalName | ECHE CRYPTED FILE.exe
                  FileVersion | 4.6.8.11
                  CompanyName | I22F6?H99HDB==A8GG=
                  Comments | =H63JIF@:2F2?8HH:A
                  ProductName | B26FHH8E2;5D3;?56:=J;<E
                  ProductVersion | 4.6.8.11
                  FileDescription | B26FHH8E2;5D3;?56:=J;<E
                  OriginalFilename | ECHE CRYPTED FILE.exe

                  Network Behavior

                  Network Port Distribution

                  TCP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Aug 2, 2021 08:45:26.565265894 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.565280914 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.565304995 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.565346003 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.565375090 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.565403938 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.565443993 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.565480947 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.565495014 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.565521002 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.565555096 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.565568924 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.565610886 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.565630913 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.565649033 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.565686941 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.565704107 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.565726995 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.565763950 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.565778971 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.565802097 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.565840006 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.565865040 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.565886974 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.565928936 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.565946102 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.565967083 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.566006899 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.566020012 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.566045046 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.566082001 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.566104889 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.566122055 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.566159964 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.566185951 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.566206932 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.566248894 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.566267014 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.566286087 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.566325903 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.566339016 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.566365004 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.566404104 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.566426992 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.566442013 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.566481113 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.566513062 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.566526890 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.566570044 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.566586971 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.566607952 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.566646099 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.566663980 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.566684961 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.566746950 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.592077971 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.592165947 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.592216969 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.592261076 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.592300892 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.592340946 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.592367887 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.592379093 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.592415094 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.592421055 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.592461109 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.592494011 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.592500925 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.592550039 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.592564106 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.592593908 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.592632055 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.592652082 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.592670918 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.592710018 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.592724085 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.592747927 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.592787027 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.592799902 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.592858076 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.592900038 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.592947006 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.592964888 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.592991114 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593003035 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.593029022 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593067884 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593087912 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.593108892 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593146086 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593163013 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.593185902 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593225002 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593241930 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.593274117 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593316078 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593329906 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.593353987 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593391895 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593410015 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.593431950 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593467951 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593487978 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.593508005 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593544960 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593561888 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.593592882 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593635082 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593652010 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.593672991 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593713045 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593730927 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.593751907 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593789101 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593811035 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.593827009 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593864918 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593895912 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.593913078 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593955994 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.593985081 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.593992949 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.594033957 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.594048023 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.594072104 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.594111919 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.594131947 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.620187044 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.620265961 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.620306969 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.620346069 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.620383024 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.620421886 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.620461941 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.620460033 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.620506048 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.620521069 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.620563984 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.620567083 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.620601892 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.620640993 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.620673895 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.620702982 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.620740891 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.620743036 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.620783091 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.620811939 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.620820045 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.620870113 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.620897055 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.620913982 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.620953083 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.620992899 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621006012 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.621032953 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621088028 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621088982 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.621128082 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621166945 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621169090 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.621203899 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621243000 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621262074 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.621280909 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621308088 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.621335983 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621380091 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621418953 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621424913 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.621507883 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621539116 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.621551037 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621591091 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621632099 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.621632099 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621675014 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621706963 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.621712923 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621753931 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621792078 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.621793032 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621844053 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621865034 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.621889114 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621927023 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621967077 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.621994019 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.622005939 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.622044086 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.622087955 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.622090101 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.622134924 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.622173071 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.622181892 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.622225046 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.622260094 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.622345924 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.648423910 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.648484945 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.648534060 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.648578882 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.648617983 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.648658037 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.648685932 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.648696899 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.648725986 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.648730040 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.648737907 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.648777962 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.648817062 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.648822069 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.648890018 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.648897886 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.648926020 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.648953915 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.648983002 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649013042 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649028063 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.649041891 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649070978 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.649071932 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649106979 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649141073 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649142027 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.649173021 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649199963 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649229050 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649241924 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.649259090 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649286032 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649316072 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649338007 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649359941 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649362087 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.649382114 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649405003 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649441004 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649470091 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649470091 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.649499893 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649528980 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649528980 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.649564028 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649595976 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649624109 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649650097 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.649653912 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649682999 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649712086 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649713993 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.649734974 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.649754047 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649782896 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649807930 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.649817944 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649842978 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649872065 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649899006 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.649900913 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649930954 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649930954 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.649966002 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649996996 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.649996996 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.650027037 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.650055885 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.650085926 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.650087118 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.650115967 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.650146008 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.650173903 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.650118113 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.650202990 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.650208950 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.650240898 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.650247097 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.650283098 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.650311947 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.650311947 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.650342941 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.650366068 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.650371075 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.650401115 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.650428057 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.650429010 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.650461912 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.650486946 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.650492907 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.650521040 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.650547981 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.650548935 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.650578976 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.650599957 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:26.650608063 CEST16044976884.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:26.650660992 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:28.064726114 CEST497681604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:33.312912941 CEST497701604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:33.341936111 CEST16044977084.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:33.345674992 CEST497701604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:33.555939913 CEST497701604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:33.600558043 CEST16044977084.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:33.601165056 CEST497701604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:33.627629995 CEST16044977084.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:33.649832964 CEST497701604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:33.726365089 CEST16044977084.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:33.816210985 CEST497701604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:33.842925072 CEST16044977084.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:33.886310101 CEST497701604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:33.895406961 CEST16044977084.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:33.939863920 CEST16044977084.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:33.995635033 CEST497701604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:35.429410934 CEST497701604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:40.536725998 CEST497721604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:40.561604023 CEST16044977284.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:40.561732054 CEST497721604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:40.562226057 CEST497721604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:40.598342896 CEST16044977284.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:40.643441916 CEST497721604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:40.646939039 CEST497721604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:40.672271967 CEST16044977284.38.133.182192.168.2.4
                  Aug 2, 2021 08:45:40.715030909 CEST497721604192.168.2.484.38.133.182
                  Aug 2, 2021 08:45:41.101435900 CEST497721604192.168.2.484.38.133.182

                  UDP Packets


                  DNS Queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Aug 2, 2021 08:43:57.933033943 CEST | 192.168.2.4 | 8.8.8.8 | 0x1966 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:44:34.640358925 CEST | 192.168.2.4 | 8.8.8.8 | 0x11f5 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:45:26.005337000 CEST | 192.168.2.4 | 8.8.8.8 | 0x859c | Standard query (0) | dedicatedlambo9.ddns.net | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:45:33.274184942 CEST | 192.168.2.4 | 8.8.8.8 | 0xf875 | Standard query (0) | dedicatedlambo9.ddns.net | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:45:40.482608080 CEST | 192.168.2.4 | 8.8.8.8 | 0x7744 | Standard query (0) | dedicatedlambo9.ddns.net | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:45:47.813150883 CEST | 192.168.2.4 | 8.8.8.8 | 0xfa33 | Standard query (0) | dedicatedlambo9.ddns.net | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:45:54.743391991 CEST | 192.168.2.4 | 8.8.8.8 | 0xd6ba | Standard query (0) | dedicatedlambo9.ddns.net | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:46:00.841999054 CEST | 192.168.2.4 | 8.8.8.8 | 0x9015 | Standard query (0) | dedicatedlambo9.ddns.net | A (IP address) | IN (0x0001)

                  DNS Answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Aug 2, 2021 08:43:57.960870981 CEST | 8.8.8.8 | 192.168.2.4 | 0x1966 | No error (0) | www.google.com | - | 172.217.168.68 | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:44:34.666949987 CEST | 8.8.8.8 | 192.168.2.4 | 0x11f5 | No error (0) | www.google.com | - | 172.217.168.68 | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:45:26.040527105 CEST | 8.8.8.8 | 192.168.2.4 | 0x859c | No error (0) | dedicatedlambo9.ddns.net | - | 84.38.133.182 | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:45:33.311067104 CEST | 8.8.8.8 | 192.168.2.4 | 0xf875 | No error (0) | dedicatedlambo9.ddns.net | - | 84.38.133.182 | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:45:40.515060902 CEST | 8.8.8.8 | 192.168.2.4 | 0x7744 | No error (0) | dedicatedlambo9.ddns.net | - | 84.38.133.182 | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:45:47.848233938 CEST | 8.8.8.8 | 192.168.2.4 | 0xfa33 | No error (0) | dedicatedlambo9.ddns.net | - | 84.38.133.182 | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:45:54.777112961 CEST | 8.8.8.8 | 192.168.2.4 | 0xd6ba | No error (0) | dedicatedlambo9.ddns.net | - | 84.38.133.182 | A (IP address) | IN (0x0001)
                  Aug 2, 2021 08:46:00.867130041 CEST | 8.8.8.8 | 192.168.2.4 | 0x9015 | No error (0) | dedicatedlambo9.ddns.net | - | 84.38.133.182 | A (IP address) | IN (0x0001)

                  HTTPS Packets

                  Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                  Aug 2, 2021 08:43:58.095330000 CEST | 172.217.168.68 | 443 | 192.168.2.4 | 49732 | CN=www.google.com | CN=GTS CA 1C3, O=Google Trust Services LLC, C=US | Mon Jun 28 06:12:58 CEST 2021 | Mon Sep 20 06:12:57 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
                  Chain: CN=GTS CA 1C3, O=Google Trust Services LLC, C=US | CN=GTS Root R1, O=Google Trust Services LLC, C=US | Thu Aug 13 02:00:42 CEST 2020 | Thu Sep 30 02:00:42 CEST 2027
                  Chain: CN=GTS Root R1, O=Google Trust Services LLC, C=US | CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE | Fri Jun 19 02:00:42 CEST 2020 | Fri Jan 28 01:00:42 CET 2028
                  Aug 2, 2021 08:44:34.812608957 CEST | 172.217.168.68 | 443 | 192.168.2.4 | 49745 | CN=www.google.com | CN=GTS CA 1C3, O=Google Trust Services LLC, C=US | Mon Jun 28 06:12:58 CEST 2021 | Mon Sep 20 06:12:57 CEST 2021 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
                  Chain: CN=GTS CA 1C3, O=Google Trust Services LLC, C=US | CN=GTS Root R1, O=Google Trust Services LLC, C=US | Thu Aug 13 02:00:42 CEST 2020 | Thu Sep 30 02:00:42 CEST 2027
                  Chain: CN=GTS Root R1, O=Google Trust Services LLC, C=US | CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE | Fri Jun 19 02:00:42 CEST 2020 | Fri Jan 28 01:00:42 CET 2028

                  Code Manipulations

                  Statistics

                  [Charts: CPU Usage, Memory Usage, High Level Behavior Distribution, Behavior (per process)]

                  System Behavior

                  General

                  Start time:08:43:55
                  Start date:02/08/2021
                  Path:C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\Desktop\Quotation Request August RFQ8012021.exe'
                  Imagebase:0x450000
                  File size:775168 bytes
                  MD5 hash:DD69F329393643AA570BD3A940323136
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.739331027.0000000003B17000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.739152820.00000000039B9000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.739152820.00000000039B9000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.739152820.00000000039B9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  Reputation:low

                  General

                  Start time:08:44:14
                  Start date:02/08/2021
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\AppData\Roaming\MainProc.exe,'
                  Imagebase:0x11d0000
                  File size:232960 bytes
                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:08:44:15
                  Start date:02/08/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff724c50000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:08:44:16
                  Start date:02/08/2021
                  Path:C:\Windows\SysWOW64\reg.exe
                  Wow64 process (32bit):true
                  Commandline:REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\AppData\Roaming\MainProc.exe,'
                  Imagebase:0x1320000
                  File size:59392 bytes
                  MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:08:44:33
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Roaming\MainProc.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Roaming\MainProc.exe'
                  Imagebase:0x200000
                  File size:775168 bytes
                  MD5 hash:DD69F329393643AA570BD3A940323136
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.941301528.0000000003797000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  Antivirus matches:
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 15%, ReversingLabs
                  Reputation:low

                  General

                  Start time:08:44:59
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                  Imagebase:0xc60000
                  File size:41064 bytes
                  MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.933931703.000000000407E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.920030285.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.944192934.0000000007E20000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.944192934.0000000007E20000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.944407587.0000000007E90000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.944407587.0000000007E90000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.944029550.0000000007DC0000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.944029550.0000000007DC0000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.941935265.00000000061A0000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.941935265.00000000061A0000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.941935265.00000000061A0000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.944158898.0000000007E10000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.944158898.0000000007E10000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.944132813.0000000007E00000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.944132813.0000000007E00000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.943444482.00000000074C0000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.943444482.00000000074C0000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.944269292.0000000007E50000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.944269292.0000000007E50000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.942229491.0000000006570000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.942229491.0000000006570000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.941578983.0000000005870000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.941578983.0000000005870000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.944075779.0000000007DE0000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000012.00000002.944075779.0000000007DE0000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.944247779.0000000007E40000.00000004.00000001.sdmp, Author: Florian Roth
                  Antivirus matches:
                  • Detection: 0%, Metadefender
                  • Detection: 0%, ReversingLabs
                  Reputation:moderate

                  General

                  Start time:08:45:07
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Local\Temp\smss.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\smss.exe'
                  Imagebase:0x1e0000
                  File size:78336 bytes
                  MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Antivirus matches:
                  • Detection: 14%, Metadefender
                  • Detection: 13%, ReversingLabs
                  Reputation:moderate

                  General

                  Start time:08:45:11
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Local\Temp\smss.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\smss.exe'
                  Imagebase:0x220000
                  File size:78336 bytes
                  MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Reputation:moderate

                  General

                  Start time:08:45:15
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Local\Temp\smss.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\smss.exe'
                  Imagebase:0x780000
                  File size:78336 bytes
                  MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  General

                  Start time:08:45:17
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Local\Temp\smss.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\smss.exe'
                  Imagebase:0x270000
                  File size:78336 bytes
                  MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  General

                  Start time:08:45:17
                  Start date:02/08/2021
                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                  Imagebase:0xb70000
                  File size:41064 bytes
                  MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Antivirus matches:
                  • Detection: 0%, Metadefender
                  • Detection: 0%, ReversingLabs

                  General

                  Start time:08:45:18
                  Start date:02/08/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff724c50000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language

                  General

                  Start time:08:45:22
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Local\Temp\smss.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\smss.exe'
                  Imagebase:0xf30000
                  File size:78336 bytes
                  MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  General

                  Start time:08:45:26
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Local\Temp\smss.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\smss.exe'
                  Imagebase:0x350000
                  File size:78336 bytes
                  MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  General

                  Start time:08:45:32
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Local\Temp\smss.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\smss.exe'
                  Imagebase:0x460000
                  File size:78336 bytes
                  MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  General

                  Start time:08:45:36
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Local\Temp\smss.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\smss.exe'
                  Imagebase:0xf50000
                  File size:78336 bytes
                  MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  General

                  Start time:08:45:41
                  Start date:02/08/2021
                  Path:C:\Users\user\AppData\Local\Temp\smss.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\smss.exe'
                  Imagebase:0x500000
                  File size:78336 bytes
                  MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET

                  Disassembly

                  Code Analysis


                    Executed Functions

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.740945665.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: D0l$D0l$D0l
                    • API String ID: 0-534402280
                    • Opcode ID: 4f9bf1b7c170014c751427591a0bd777d332a9fd5216358728736edf9e1320f4
                    • Instruction ID: 4676e63bf9e93aad2469b8c97af8c7835e21c8306bf6b16c897161b10f26d325
                    • Opcode Fuzzy Hash: 4f9bf1b7c170014c751427591a0bd777d332a9fd5216358728736edf9e1320f4
                    • Instruction Fuzzy Hash: 52128C70A012198FDB14DF6AC854BAEBBB3EF88304F158469E506DB395EB34ED41CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.740945665.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: $,l$D0l
                    • API String ID: 0-4131145392
                    • Opcode ID: 96d966645784b1a7adf607d54b197655466b68771f68e67e1740e21679da73b8
                    • Instruction ID: 68b9014a6a9d06ac6fa432870520c300043740440d9efc9b9d13d4db7583de67
                    • Opcode Fuzzy Hash: 96d966645784b1a7adf607d54b197655466b68771f68e67e1740e21679da73b8
                    • Instruction Fuzzy Hash: DD819074B043188FDB18AF76985477EBAB3AFC8214B09882ED506E7388DF399C019791
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.740945665.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: D0l
                    • API String ID: 0-2947690527
                    • Opcode ID: 1f32a72ea3a8c94fec868a6113856878593abfe571c3e07ffc6b6f82e580b33a
                    • Instruction ID: 02f3b8488605a0c65a9b13c12fdad7a7ccbcd5604ac89aebbbe4388c993fd8d2
                    • Opcode Fuzzy Hash: 1f32a72ea3a8c94fec868a6113856878593abfe571c3e07ffc6b6f82e580b33a
                    • Instruction Fuzzy Hash: 65B10330704212CFDB245FB7851633A72A7AFC5A40F0A882DD697C7694DF36E982D762
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.740945665.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 57816526d9be8a0adacc9a8cf93441a151b85adb65bc3472b17a213466d270e6
                    • Instruction ID: 80b30ce6442de382dbc68b9f96cdc5dc7a88ef2fec746f62eb0dfa9396b8b383
                    • Opcode Fuzzy Hash: 57816526d9be8a0adacc9a8cf93441a151b85adb65bc3472b17a213466d270e6
                    • Instruction Fuzzy Hash: BB22C375A00218DFDB15CFA5C944F99BBB2FF48304F1580E9E609AB262DB32AD91DF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.740945665.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c16059b31c5a8b3b061dfe757c11b756939cc17eafa2ee4624bf25aeab1749ff
                    • Instruction ID: f03f4eb959c1e63498a8269b40c60d62010e1e3394d3bbd9b20351d4b696358a
                    • Opcode Fuzzy Hash: c16059b31c5a8b3b061dfe757c11b756939cc17eafa2ee4624bf25aeab1749ff
                    • Instruction Fuzzy Hash: F3D12875A01219DFDB54DFAAC984AADBBB3FF88300F198069E415AB261D731ED41CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.740945665.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b242dae9056b0e03d95731577f6b3af8779abae4cb89e4af543c3fccf78cfc1c
                    • Instruction ID: d019e757b66973699ef6797f4c2d30f5fa79ddafa7bf4d2de5ba41e0ca057e11
                    • Opcode Fuzzy Hash: b242dae9056b0e03d95731577f6b3af8779abae4cb89e4af543c3fccf78cfc1c
                    • Instruction Fuzzy Hash: E0E1F374E00318DFDB14EFA1C8547AEBBB2FB88304F2485AAD4056B3A5DB395A85CF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.740945665.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4caea563e93704b93157b5adbee893689916d7c25ef7f197ac476334b42f0f50
                    • Instruction ID: d773830cd2bbef383c87be0b49918ddd9d23d61221bbd6d37aff0547984e3f30
                    • Opcode Fuzzy Hash: 4caea563e93704b93157b5adbee893689916d7c25ef7f197ac476334b42f0f50
                    • Instruction Fuzzy Hash: 0D2104B4D04219DFDB08EFB6D4443BEBBF2BB49304F1485AAD414A3254EB795A46CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.740945665.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a28a550b652434eff46896affdb8ebf89058f9fe6c939adcbc59691977575a2d
                    • Instruction ID: c087df04ad0c2eeec73323c98d132566ecda690f9d8bf4dbc91d7626eeb62665
                    • Opcode Fuzzy Hash: a28a550b652434eff46896affdb8ebf89058f9fe6c939adcbc59691977575a2d
                    • Instruction Fuzzy Hash: 0B2104B4D04219DFDB08EFBAD4443BEBBF2BB49304F1485AAD414A3254EB795A45CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.740945665.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0
                    • Opcode ID: 49c9e667fcda3847813cfc1f9af1264a8de21a64e497c5147365747fcc87d811
                    • Instruction ID: 96262f4bbfc4fbe5536ef202516636a305ff7cf6c1b948186dddb47c0cf7bbde
                    • Opcode Fuzzy Hash: 49c9e667fcda3847813cfc1f9af1264a8de21a64e497c5147365747fcc87d811
                    • Instruction Fuzzy Hash: 5A31DBB4D05258DFDB10CFAAD884AEEFBF5AB49314F14806AE804B7210D374AA45CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • KiUserExceptionDispatcher.NTDLL ref: 04CE5AD2
                    Memory Dump Source
                    • Source File: 00000000.00000002.740945665.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false
                    Similarity
                    • API ID: DispatcherExceptionUser
                    • String ID:
                    • API String ID: 6842923-0
                    • Opcode ID: 3c61cffd6109e43ac9feb6b41735ffe8126ab5aa4354f20e4b936e89ae738e37
                    • Instruction ID: 73c38169a2ef393c5bdef1da8595e1b7cc20e97101df0c421977f3591645f495
                    • Opcode Fuzzy Hash: 3c61cffd6109e43ac9feb6b41735ffe8126ab5aa4354f20e4b936e89ae738e37
                    • Instruction Fuzzy Hash: 0121E774E042099FDB04DFA6D5447BEBBF2FB88304F14846A9809A3354EB345A85DF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.736609942.0000000000DFD000.00000040.00000001.sdmp, Offset: 00DFD000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6329423222b94257e01a468d0527c0fc7508fac76c2b728143a48e4078594afe
                    • Instruction ID: cb2a7fd8c94c6e02112d11e7577fb7e08c8ad143397e55f7e56968e37e15f99a
                    • Opcode Fuzzy Hash: 6329423222b94257e01a468d0527c0fc7508fac76c2b728143a48e4078594afe
                    • Instruction Fuzzy Hash: 212125B1504248DFDB00CF10D8C0F26BBA7FB94324F25C5A9EA054B246C336E856DBB2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.736609942.0000000000DFD000.00000040.00000001.sdmp, Offset: 00DFD000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6b771ccfd0ec42f86d834be72642545af67a2e1a439a3606d508531730d04457
                    • Instruction ID: de8b497a3e1ef2056dd3b3c3a2504df153e6f106bd6b9d6c043e7390328cb32b
                    • Opcode Fuzzy Hash: 6b771ccfd0ec42f86d834be72642545af67a2e1a439a3606d508531730d04457
                    • Instruction Fuzzy Hash: 362106B1504248DFDB01DF14D9C0B26BB67FB94328F25C569DA054B356C336D856C7B2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.736609942.0000000000DFD000.00000040.00000001.sdmp, Offset: 00DFD000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d64be9e6e5fb1503ac377ff25c790c42a4935d682b06cab609eecbbc498f43bb
                    • Instruction ID: 01e86519c5667330c236821c494c91ca9d531562bc723e95f327b7440993edfb
                    • Opcode Fuzzy Hash: d64be9e6e5fb1503ac377ff25c790c42a4935d682b06cab609eecbbc498f43bb
                    • Instruction Fuzzy Hash: FB11B176904284CFCB12CF14D9C4B26BF72FB95324F28C6A9D9050B656C33AD856CBA2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.736609942.0000000000DFD000.00000040.00000001.sdmp, Offset: 00DFD000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d64be9e6e5fb1503ac377ff25c790c42a4935d682b06cab609eecbbc498f43bb
                    • Instruction ID: aeceb332624230344640b42af6d1f2532a19456635b33552b8a8152934a07004
                    • Opcode Fuzzy Hash: d64be9e6e5fb1503ac377ff25c790c42a4935d682b06cab609eecbbc498f43bb
                    • Instruction Fuzzy Hash: 8511E676504284CFCF11CF10D5C4B26BF72FB94324F28C6A9D9454B656C33AE856CBA2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.736609942.0000000000DFD000.00000040.00000001.sdmp, Offset: 00DFD000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 33c809345f5ddd2199f0fc0b55bf043c0e8ab229769172e2409881f674141635
                    • Instruction ID: 166937f688a8ce33bbe8e768d772587a71f5282d3f92d243902e3b11a19323ba
                    • Opcode Fuzzy Hash: 33c809345f5ddd2199f0fc0b55bf043c0e8ab229769172e2409881f674141635
                    • Instruction Fuzzy Hash: 94012B71408388DAE7108B16DC84B72BB9AEF413B4F1DC16AEF445B286C378D844CAB1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.736609942.0000000000DFD000.00000040.00000001.sdmp, Offset: 00DFD000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 10661b452b98310ed65063ce4733b18d563e430cfeae50d5aa2718bbf4418f6a
                    • Instruction ID: 3538e7bc85f67faafe9796c8a8686650e73ccc86f6707bb7095b4277feace395
                    • Opcode Fuzzy Hash: 10661b452b98310ed65063ce4733b18d563e430cfeae50d5aa2718bbf4418f6a
                    • Instruction Fuzzy Hash: DDF06271404284AAE7108A16DC84B62FBA9EB51774F18C55AEE085B286C3799844CAB1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Memory Dump Source
                    • Source File: 00000000.00000002.734568182.0000000000452000.00000002.00020000.sdmp, Offset: 00450000, based on PE: true
                    • Associated: 00000000.00000002.734546026.0000000000450000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.734942939.0000000000510000.00000002.00020000.sdmp
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 80726f4c415a7a9e765005f3b3118c2c39781bb647a5bb685f7de02c2dc2dcd6
                    • Instruction ID: 59e80411f8e9b6ca6c79419faecae9e7254a8eb1ddb6fe430ffefb57e23f1ac7
                    • Opcode Fuzzy Hash: 80726f4c415a7a9e765005f3b3118c2c39781bb647a5bb685f7de02c2dc2dcd6
                    • Instruction Fuzzy Hash: E5436C6100E7C2AFD7038B7499715E27FB5AE5322530E04D7D8C08F5A3E2186E6AD77A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Executed Functions

                    Strings
                    Memory Dump Source
                    • Source File: 0000000C.00000002.928793760.0000000000D00000.00000040.00000001.sdmp, Offset: 00D00000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: $,l
                    • API String ID: 0-2175311112
                    • Opcode ID: 0f82bd1c2f2379b10c72a2830f46addfed79c4d4bc8f9e8fd138079981433ff2
                    • Instruction ID: 7c2ed404dc38f612c09f946633d2fc9026d987787e8da576d8d8b7d276998aed
                    • Opcode Fuzzy Hash: 0f82bd1c2f2379b10c72a2830f46addfed79c4d4bc8f9e8fd138079981433ff2
                    • Instruction Fuzzy Hash: D6A1B574E042188FDB14DFA9C894B9DFBF2BB88314F24C169D849AB359DB349985CF60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,05FE7B5D,?,?,?), ref: 05FE7DC4
                    Memory Dump Source
                    • Source File: 0000000C.00000002.945310152.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false
                    Similarity
                    • API ID: CreateProcessUser
                    • String ID:
                    • API String ID: 2217836671-0
                    • Opcode ID: b177af3354451b4f41e1bd497ccf91441d754efe16a40d306a2be260a5321177
                    • Instruction ID: 31f2fbf1ef9d2279734220ab99c46b32ba5c1718d26cd8af0ae7a52fcfa89f26
                    • Opcode Fuzzy Hash: b177af3354451b4f41e1bd497ccf91441d754efe16a40d306a2be260a5321177
                    • Instruction Fuzzy Hash: B991CE71D0426D8FCB25DFA5C884BEDBBB5AF09304F0490A9E549B7210DB74AA85CF94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,05FE7B5D,?,?,?), ref: 05FE7DC4
                    Memory Dump Source
                    • Source File: 0000000C.00000002.945310152.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false
                    Similarity
                    • API ID: CreateProcessUser
                    • String ID:
                    • API String ID: 2217836671-0
                    • Opcode ID: 5a8105aaa7dd4c6562e5fef175485a7d8fc2867d1bb5bf8e7b45f5654717e8ec
                    • Instruction ID: 54778bca23fbe845b6fae46eae5b130df8d9a050e7b2fc29173592d85b60436e
                    • Opcode Fuzzy Hash: 5a8105aaa7dd4c6562e5fef175485a7d8fc2867d1bb5bf8e7b45f5654717e8ec
                    • Instruction Fuzzy Hash: 0D91CF75D0426D8FDB25DFA4C880BEDBBB5AF09304F0490AAE549B7210DB74AA85CF94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 05FEAAF3
                    Memory Dump Source
                    • Source File: 0000000C.00000002.945310152.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: 5b4c6b1fe1d5543c6c0da4d54e3691fb0d87dd9318112ef6a7a8da1759da7f90
                    • Instruction ID: b60a349cc07fe26d11e8f2c7ea4e3df8775ab54a5dad40c7e335dce5770fb25a
                    • Opcode Fuzzy Hash: 5b4c6b1fe1d5543c6c0da4d54e3691fb0d87dd9318112ef6a7a8da1759da7f90
                    • Instruction Fuzzy Hash: 2941A9B5D012589FDF10CFA9D984ADEFBF1BB49314F14902AE815B7200D778AA45CF64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 05FEAAF3
                    Memory Dump Source
                    • Source File: 0000000C.00000002.945310152.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false
                    Similarity
                    • API ID: MemoryProcessWrite
                    • String ID:
                    • API String ID: 3559483778-0
                    • Opcode ID: 90a64a54da02f714503939009d3259bc022a9dd7789754d88ec7ac0d3083c030
                    • Instruction ID: 4a69897bc2437ad0cf58316483ef799431944ac3a819a5097d92456d7ca87586
                    • Opcode Fuzzy Hash: 90a64a54da02f714503939009d3259bc022a9dd7789754d88ec7ac0d3083c030
                    • Instruction Fuzzy Hash: F24198B5D012589FDF00CFA9D984AEEFBF1BB49314F14902AE819B7210D778AA45CF64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 05FEA7E2
                    Memory Dump Source
                    • Source File: 0000000C.00000002.945310152.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: d617242312095fe0fbcd6367e94cbf4ffe8443e6100e284071e898c24f2f53d0
                    • Instruction ID: 90136f8e2fa180d00b93eb77af99287eb9df45f320e222624622f1084a5ddaa3
                    • Opcode Fuzzy Hash: d617242312095fe0fbcd6367e94cbf4ffe8443e6100e284071e898c24f2f53d0
                    • Instruction Fuzzy Hash: A131A8B9D042589FCF10CFA9D884ADEFBB5FB49310F14942AE815B7200D739A945CFA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 05FEA7E2
                    Memory Dump Source
                    • Source File: 0000000C.00000002.945310152.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: bbfba17ca718a434f502142d1424d129358c8e476cdcb1ef515b45ba032baed2
                    • Instruction ID: e5c2b2e425adb5bb1760614ca941869f3dd3d4a540346b2a8e2c71a996e9cef9
                    • Opcode Fuzzy Hash: bbfba17ca718a434f502142d1424d129358c8e476cdcb1ef515b45ba032baed2
                    • Instruction Fuzzy Hash: 4831A8B9D042589FCF10CFA9D884ADEFBB5BB49310F10942AE815B7200D739A945CF55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetThreadContext.KERNEL32(?,?), ref: 05FEAF1F
                    Memory Dump Source
                    • Source File: 0000000C.00000002.945310152.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false
                    Similarity
                    • API ID: ContextThread
                    • String ID:
                    • API String ID: 1591575202-0
                    • Opcode ID: f0386a2e3465733068bc1a811e4ac5b5a693699de938bcef5dc595d6226a6ab1
                    • Instruction ID: 886573e0ad9a4a06ceddeb269ec243e3fa903666223e20b37a83b300d296289f
                    • Opcode Fuzzy Hash: f0386a2e3465733068bc1a811e4ac5b5a693699de938bcef5dc595d6226a6ab1
                    • Instruction Fuzzy Hash: A741CAB5D052589FDB10CFAAD884AEEFBF1BF48314F14802AE855B7200C778A945CFA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetThreadContext.KERNEL32(?,?), ref: 05FE9CEF
                    Memory Dump Source
                    • Source File: 0000000C.00000002.945310152.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false
                    Similarity
                    • API ID: ContextThread
                    • String ID:
                    • API String ID: 1591575202-0
                    • Opcode ID: 800bed2fb3d99e4c74e20daacba1a5a5540aa2e29051f257a464c69a6800efa7
                    • Instruction ID: 86660be2b33cebb4acabbbe634ffe7059b63d1b56671fc6889fd8bd3d83725e7
                    • Opcode Fuzzy Hash: 800bed2fb3d99e4c74e20daacba1a5a5540aa2e29051f257a464c69a6800efa7
                    • Instruction Fuzzy Hash: 0C41CEB5D012589FDB10DFA9D984AEEFBF5BF48314F14802AE815B7200D778A985CFA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualProtect.KERNEL32(?,?,99D1E852,26A428F6), ref: 05FE14E7
                    Memory Dump Source
                    • Source File: 0000000C.00000002.945310152.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: fd4927a8f04fd1d0c48a2b89a50eb8e5f679263d1c1681d02a1a236cd9e9a32e
                    • Instruction ID: 3f89f2b4d0249e315064b994612e77023d4ed335f7017ee7b218b8241a8c6d03
                    • Opcode Fuzzy Hash: fd4927a8f04fd1d0c48a2b89a50eb8e5f679263d1c1681d02a1a236cd9e9a32e
                    • Instruction Fuzzy Hash: FE3186B9D042589FCB10CFAAE884ADEFBB5AB59310F14902AE815B7210D778A945CF64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualProtect.KERNEL32(?,?,99D1E852,26A428F6), ref: 05FE14E7
                    Memory Dump Source
                    • Source File: 0000000C.00000002.945310152.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: 712d5388551063be864e1526b9ca9b8ba7bf56c7f7a1e574aed134c91a3eff97
                    • Instruction ID: 7af97daf8a27cf51f9c55f54e9bcf910ff738e966a19382a8d74a2fb37de6fda
                    • Opcode Fuzzy Hash: 712d5388551063be864e1526b9ca9b8ba7bf56c7f7a1e574aed134c91a3eff97
                    • Instruction Fuzzy Hash: F93198B9D042589FCB10CFAAD884ADEFBF5BB09310F14902AE815B7310D778A945CFA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualProtect.KERNEL32(00000000,?,?,?), ref: 05FE5B8F
                    Memory Dump Source
                    • Source File: 0000000C.00000002.945310152.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: 843e341997c2af47f1869fbf10c29cf9606bace148fd8db5e5b412f57a2721a2
                    • Instruction ID: 0f044ec096e13c222feb106235c80bc59034ccad148ef4d412a311a767129a04
                    • Opcode Fuzzy Hash: 843e341997c2af47f1869fbf10c29cf9606bace148fd8db5e5b412f57a2721a2
                    • Instruction Fuzzy Hash: C13197B9D042589FDF10CFA9D884AEEFBB4BB19314F14902AE814B7310D778A945CF64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualProtect.KERNEL32(00000000,?,?,?), ref: 05FE5B8F
                    Memory Dump Source
                    • Source File: 0000000C.00000002.945310152.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: ab9eb7a27b26a7ba645eafe014c493b31bd5ccf803710974f3763a7537bfdfe8
                    • Instruction ID: 2f6354b3b8898276607436b289454ae8c65b7d42bfae242b0c06954504dd7135
                    • Opcode Fuzzy Hash: ab9eb7a27b26a7ba645eafe014c493b31bd5ccf803710974f3763a7537bfdfe8
                    • Instruction Fuzzy Hash: 6B3197B9D042589FCF10CFA9D884AEEFBF5BB19314F14902AE815B7210D778A945CFA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetThreadContext.KERNEL32(?,?), ref: 05FE9CEF
                    Memory Dump Source
                    • Source File: 0000000C.00000002.945310152.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false
                    Similarity
                    • API ID: ContextThread
                    • String ID:
                    • API String ID: 1591575202-0
                    • Opcode ID: ef6f8ae5085e32d965533955ed5a67d7f13e7c86e5c340333ec96705483d4575
                    • Instruction ID: a32430865b255115685d56f6c726fc96d60d6f330a01dce0073680c941e35b28
                    • Opcode Fuzzy Hash: ef6f8ae5085e32d965533955ed5a67d7f13e7c86e5c340333ec96705483d4575
                    • Instruction Fuzzy Hash: FC31CBB5D002589FDB10DFAAD984AEEFBF1BF48314F14802AE815B7200D778A945CFA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetThreadContext.KERNEL32(?,?), ref: 05FEAF1F
                    Memory Dump Source
                    • Source File: 0000000C.00000002.945310152.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false
                    Similarity
                    • API ID: ContextThread
                    • String ID:
                    • API String ID: 1591575202-0
                    • Opcode ID: 18fffe315d10c4eac2d4084472c7cfb3bbaf73da1c2a65f0e918a674d2317950
                    • Instruction ID: e79c5c13d74aec152e0cee38268ddbbf64d092bdd159ec79f5396e83ce1f1bc9
                    • Opcode Fuzzy Hash: 18fffe315d10c4eac2d4084472c7cfb3bbaf73da1c2a65f0e918a674d2317950
                    • Instruction Fuzzy Hash: FA31B9B5D012589FDB10CFAAD884AEEFBF1BF48314F14802AE815B7240C778A945CFA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 0000000C.00000002.928793760.0000000000D00000.00000040.00000001.sdmp, Offset: 00D00000, based on PE: false
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0
                    • Opcode ID: d77e76394fee2f35c70522eb56fbedfcd10743332a52bcfa7ee3e2d756451362
                    • Instruction ID: 50fdbef8dac76db0704c5d1600d5c4bcf6e607aeeb1c3461b3a3e1adccf6a807
                    • Opcode Fuzzy Hash: d77e76394fee2f35c70522eb56fbedfcd10743332a52bcfa7ee3e2d756451362
                    • Instruction Fuzzy Hash: E031DBB4D052589FDB10CFA9D884AEEFBF4BB49314F24802AE808B7350D374A945CFA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 0000000C.00000002.928793760.0000000000D00000.00000040.00000001.sdmp, Offset: 00D00000, based on PE: false
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0
                    • Opcode ID: 3c071772db13137e20e1cfc028bb8ae13d36aa5e86ef45757ad5ed68ef762f45
                    • Instruction ID: 4ca56fcb1b3642d814703e60f84900c039234872566007c4a0bcd06951e59159
                    • Opcode Fuzzy Hash: 3c071772db13137e20e1cfc028bb8ae13d36aa5e86ef45757ad5ed68ef762f45
                    • Instruction Fuzzy Hash: EC31BCB4D012189FDB10CFA9D484AEEFBF5BB49314F14802AE408B7250D778AA46CF65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 0000000C.00000002.945310152.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: a6071d2effd2af6c80cc7a40823d57ca4b86f4ff294d026ae2520506e61d6d38
                    • Instruction ID: da07ea3a18620680f62199d51536ef0ae950b403fb3271b99de794c9808cf13b
                    • Opcode Fuzzy Hash: a6071d2effd2af6c80cc7a40823d57ca4b86f4ff294d026ae2520506e61d6d38
                    • Instruction Fuzzy Hash: C23198B5D052589FDB10CFAAE884A9EFBB5BB49324F14842AE815B7210C778A941CF94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 0000000C.00000002.945310152.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false
                    Similarity
                    • API ID: ResumeThread
                    • String ID:
                    • API String ID: 947044025-0
                    • Opcode ID: ab3f5ebebd48da75708e90313b47aebc16cfa445c227716f0f585ac89fe834d3
                    • Instruction ID: 1404a2372c741e9ecb003c7483607735aea0571ff41d27473220d2456e6cd84e
                    • Opcode Fuzzy Hash: ab3f5ebebd48da75708e90313b47aebc16cfa445c227716f0f585ac89fe834d3
                    • Instruction Fuzzy Hash: AC31AAB5D052589FDF10CFAAE884ADEFBB5BB49324F14802AE815B7310C778A901CF94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • KiUserExceptionDispatcher.NTDLL ref: 00D05AD2
                    Memory Dump Source
                    • Source File: 0000000C.00000002.928793760.0000000000D00000.00000040.00000001.sdmp, Offset: 00D00000, based on PE: false
                    Similarity
                    • API ID: DispatcherExceptionUser
                    • String ID:
                    • API String ID: 6842923-0
                    • Opcode ID: ca2662c85bca0e6080f9b65f870f24073447d5a3956a30a0e0a420543e1e466b
                    • Instruction ID: 7c7901ce7800438dc253e420931f7cb4174cdb2d2522e54217ce0f0432e9145a
                    • Opcode Fuzzy Hash: ca2662c85bca0e6080f9b65f870f24073447d5a3956a30a0e0a420543e1e466b
                    • Instruction Fuzzy Hash: 5521F674E042099FDB04DFA6D5447BEBBF1FB88300F14856A8819A3394EB385A45CF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000C.00000002.928205029.0000000000B9D000.00000040.00000001.sdmp, Offset: 00B9D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 59ae8f151d1659d1739946e1f40b3dd1dd25a18df008f6d5a9a0149d0d628795
                    • Instruction ID: ccfe3c5224f3e9c6067400bab4676b87af4372720ebcd61985ea14b13d9f6d90
                    • Opcode Fuzzy Hash: 59ae8f151d1659d1739946e1f40b3dd1dd25a18df008f6d5a9a0149d0d628795
                    • Instruction Fuzzy Hash: 0F018471508340AAEB108A17CCC4B66BBD8EF41364F1884AAEE045B297C778E844CAB1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000C.00000002.928205029.0000000000B9D000.00000040.00000001.sdmp, Offset: 00B9D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8c7d66301f4a6ecc6e7c4d5a760178dd9387a8ab0489063b9f6b68c3011f53fd
                    • Instruction ID: 49b8d57d9fec7b4fbc4d2c91bbf706736f3b1aff2cdb34b17aa2e52e590a9b92
                    • Opcode Fuzzy Hash: 8c7d66301f4a6ecc6e7c4d5a760178dd9387a8ab0489063b9f6b68c3011f53fd
                    • Instruction Fuzzy Hash: 3AF06271504284AEEB118E16DCC4B62FFE8EB51774F18C4AAED085B296C3799844CAB1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Executed Functions

                    Memory Dump Source
                    • Source File: 00000012.00000002.944511555.0000000007EC0000.00000040.00000001.sdmp, Offset: 07EC0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 89d3eec1a5cdcbfe6ef50f947a3daf7ee5b97ae9313a9f4225b6e1a08234e155
                    • Instruction ID: 988566099b873283ce81bafffb18ae77a2f2cd8432828ba386c2f4eebb94cff8
                    • Opcode Fuzzy Hash: 89d3eec1a5cdcbfe6ef50f947a3daf7ee5b97ae9313a9f4225b6e1a08234e155
                    • Instruction Fuzzy Hash: 8251EFB5D052089FDB00DFA9E9416DEBFF4EF49310F1081AAE944E7241D7309909CBA2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 02D5B730
                    • GetCurrentThread.KERNEL32 ref: 02D5B76D
                    • GetCurrentProcess.KERNEL32 ref: 02D5B7AA
                    • GetCurrentThreadId.KERNEL32 ref: 02D5B803
                    Memory Dump Source
                    • Source File: 00000012.00000002.927788824.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0
                    • Opcode ID: 6555ca3cf96ccfcd419ecb705b5efcdfabb4de3282c0f91eba1b76bb15726688
                    • Instruction ID: 3715c8f9a67c3d2c394865df43ca6c00a429e209c64fdbe53e4d2eab4d3fa2ab
                    • Opcode Fuzzy Hash: 6555ca3cf96ccfcd419ecb705b5efcdfabb4de3282c0f91eba1b76bb15726688
                    • Instruction Fuzzy Hash: 575127B4E006098FEB10CFAAD5487DEBBF1EB48318F24846AE419B7350D7759845CF66
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 02D5B730
                    • GetCurrentThread.KERNEL32 ref: 02D5B76D
                    • GetCurrentProcess.KERNEL32 ref: 02D5B7AA
                    • GetCurrentThreadId.KERNEL32 ref: 02D5B803
                    Memory Dump Source
                    • Source File: 00000012.00000002.927788824.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0
                    • Opcode ID: 9ef7343f231609b913952641ee1d17707ca9b0848ad703549c1e59b04a87269f
                    • Instruction ID: 7ffc48c8f78d55c804839719d74028126324142a292b68447b0fcdef9437bef0
                    • Opcode Fuzzy Hash: 9ef7343f231609b913952641ee1d17707ca9b0848ad703549c1e59b04a87269f
                    • Instruction Fuzzy Hash: C55127B4E006598FEB10CFAAD548B9EBBF1AB48318F20846AE419B7350D7755884CF65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetSystemTimes.KERNEL32(?,?,?), ref: 07EC40F4
                    Memory Dump Source
                    • Source File: 00000012.00000002.944511555.0000000007EC0000.00000040.00000001.sdmp, Offset: 07EC0000, based on PE: false
                    Similarity
                    • API ID: SystemTimes
                    • String ID:
                    • API String ID: 375623090-0
                    • Opcode ID: da953f316cbaf46ee39082c512a4273d571eca2030697b6e13a593cec81cec4f
                    • Instruction ID: 84888a90b7f87e412bb7d3e40eb072554155628c5fc5cb7b58e31a858a1ea303
                    • Opcode Fuzzy Hash: da953f316cbaf46ee39082c512a4273d571eca2030697b6e13a593cec81cec4f
                    • Instruction Fuzzy Hash: 3FB1B4B5D0021ACFDB11DF69C880AD9FBB5FF49310F15C69AD958AB201E770AA85CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleW.KERNEL32(00000000), ref: 02D5962E
                    Memory Dump Source
                    • Source File: 00000012.00000002.927788824.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: 1a8203e1ac8c4174dc56c657576350638cc2d7aa9e357a517e091cb94102463e
                    • Instruction ID: 1199e0becd2fe2a98d2176c990b1a797d677e7c0f69f4ec515e70250abf51196
                    • Opcode Fuzzy Hash: 1a8203e1ac8c4174dc56c657576350638cc2d7aa9e357a517e091cb94102463e
                    • Instruction Fuzzy Hash: DC7123B0A00B158FDB64DF2AC45079ABBF1BF88214F00892DD98AD7B40DBB5E845CF95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06584988
                    Memory Dump Source
                    • Source File: 00000012.00000002.942253125.0000000006580000.00000040.00000001.sdmp, Offset: 06570000, based on PE: true
                    • Associated: 00000012.00000002.942229491.0000000006570000.00000004.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: Query_
                    • String ID:
                    • API String ID: 428220571-0
                    • Opcode ID: 19a1dd01cffcc6df8405c614b44ca892defd63ae6e17571396cc1faa704c1c36
                    • Instruction ID: 635c9091b46f10e08caf6dcf76016b3f47fb04eb0d27a1024052e0afb8ab03ea
                    • Opcode Fuzzy Hash: 19a1dd01cffcc6df8405c614b44ca892defd63ae6e17571396cc1faa704c1c36
                    • Instruction Fuzzy Hash: 5C5100B1D002599FDB60DFA9C981ADEBBB1BF48314F14812AE814BB650DBB4A845CF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02D5FD0A
                    Memory Dump Source
                    • Source File: 00000012.00000002.927788824.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                    Similarity
                    • API ID: CreateWindow
                    • String ID:
                    • API String ID: 716092398-0
                    • Opcode ID: e28314d5992143738f94ae5f7f6d0789aaef9f9ca52406ee31814821996d7f70
                    • Instruction ID: 50f5379c838a4c2a95d7f121d63f643e8985ca4a3edf8928e400c6c0c069e2d6
                    • Opcode Fuzzy Hash: e28314d5992143738f94ae5f7f6d0789aaef9f9ca52406ee31814821996d7f70
                    • Instruction Fuzzy Hash: 1A51F1B1D003489FDF14CFAAD884ADEBBB5FF49314F24812AE819AB210D7B49945CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02D5FD0A
                    Memory Dump Source
                    • Source File: 00000012.00000002.927788824.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                    Similarity
                    • API ID: CreateWindow
                    • String ID:
                    • API String ID: 716092398-0
                    • Opcode ID: c858062602eeba1a240c27a81d171dab180a5890b670607a6fe00e7407fec7c2
                    • Instruction ID: 907852af6577b0ebf7ed2b0b74caf0338f45c7b84676b6d5d4a541c9dc624531
                    • Opcode Fuzzy Hash: c858062602eeba1a240c27a81d171dab180a5890b670607a6fe00e7407fec7c2
                    • Instruction Fuzzy Hash: 9041AFB1D10319DFDF14CFAAD884ADEBBB5BF48314F24812AE819AB210D7B59945CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 065813A9
                    Memory Dump Source
                    • Source File: 00000012.00000002.942253125.0000000006580000.00000040.00000001.sdmp, Offset: 06570000, based on PE: true
                    • Associated: 00000012.00000002.942229491.0000000006570000.00000004.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: CurrentThread
                    • String ID:
                    • API String ID: 2882836952-0
                    • Opcode ID: 73cecc94b031b699e305c1ee6eb3f3333f2ff09fe1c8b93f66ad5df5ca1707e4
                    • Instruction ID: 3772880243726549668e6b1a026f8f630a89ba994d9116a2df55cbd7fbfab73d
                    • Opcode Fuzzy Hash: 73cecc94b031b699e305c1ee6eb3f3333f2ff09fe1c8b93f66ad5df5ca1707e4
                    • Instruction Fuzzy Hash: CF316870E006198FDB64EF69D488BAEBBF5BB48714F14802AE406B7B50CB749C46CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000012.00000002.944511555.0000000007EC0000.00000040.00000001.sdmp, Offset: 07EC0000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: ecff5556ca94abcd3b17b966dc1403b24f9e6db5feb5fd6f404f1a7174af6de3
                    • Instruction ID: 76c030d39928feed5b724c3780ce985caf1702dc769b3e8ee402f7ec1f662a3c
                    • Opcode Fuzzy Hash: ecff5556ca94abcd3b17b966dc1403b24f9e6db5feb5fd6f404f1a7174af6de3
                    • Instruction Fuzzy Hash: B23143B4D15249DFDB14CFA9C985B9EBBF1EB08314F10822DE816E7245D774A882CF92
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000012.00000002.944511555.0000000007EC0000.00000040.00000001.sdmp, Offset: 07EC0000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 8fccd594483553c40cee71f73431a0e457394acf5f8ac26607b293aeca3f9a8f
                    • Instruction ID: 25fde5c70ebb4f5432761003e8cb5750650847e584afa7d81d65fb5eed35b83b
                    • Opcode Fuzzy Hash: 8fccd594483553c40cee71f73431a0e457394acf5f8ac26607b293aeca3f9a8f
                    • Instruction Fuzzy Hash: 743134B4D15249CFDB14CFA9C985BDEBBF1AB08314F14822DE815E7281D774A482CF96
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetSystemTimes.KERNEL32(?,?,?), ref: 07EC40F4
                    Memory Dump Source
                    • Source File: 00000012.00000002.944511555.0000000007EC0000.00000040.00000001.sdmp, Offset: 07EC0000, based on PE: false
                    Similarity
                    • API ID: SystemTimes
                    • String ID:
                    • API String ID: 375623090-0
                    • Opcode ID: a3806611299f552ea03f69a43de807c3b027dec52ab9d221dbb8c66a6b354b3e
                    • Instruction ID: 9cc1f907fa9739b8ecd36869709e49c80a459d298f0660c3898de70a742da34c
                    • Opcode Fuzzy Hash: a3806611299f552ea03f69a43de807c3b027dec52ab9d221dbb8c66a6b354b3e
                    • Instruction Fuzzy Hash: B23133B5D062489FDB10CFA9D980ACEFFF4BF49310F14816AE808EB242D3749945CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetSystemTimes.KERNEL32(?,?,?), ref: 07EC40F4
                    Memory Dump Source
                    • Source File: 00000012.00000002.944511555.0000000007EC0000.00000040.00000001.sdmp, Offset: 07EC0000, based on PE: false
                    Similarity
                    • API ID: SystemTimes
                    • String ID:
                    • API String ID: 375623090-0
                    • Opcode ID: 03f7e6b25a575bdeabf0d67a72cd5192b521ce04ee46518c800cee386b8d84fa
                    • Instruction ID: 94421ca2bf341995937f9218427d678460c54f9bd8805e4e0d40bc70ea35ac9a
                    • Opcode Fuzzy Hash: 03f7e6b25a575bdeabf0d67a72cd5192b521ce04ee46518c800cee386b8d84fa
                    • Instruction Fuzzy Hash: 5F3132B5D062499FDB00CFA9D981ADEFFF4BF49310F14806AE818EB241D7389945CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D5BD87
                    Memory Dump Source
                    • Source File: 00000012.00000002.927788824.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 242cfffc224bd68c85a34fc793636bd110a380cf117efc7e8d8021f1908f33d1
                    • Instruction ID: abbd222a89e83942c70c902c9fcbdf1c1dba995efe5b4dafcd5603d3843992b1
                    • Opcode Fuzzy Hash: 242cfffc224bd68c85a34fc793636bd110a380cf117efc7e8d8021f1908f33d1
                    • Instruction Fuzzy Hash: 6821E3B59002589FDF10CFA9D584BEEBBF4EB48324F14841AE955A7310C378A954CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D5BD87
                    Memory Dump Source
                    • Source File: 00000012.00000002.927788824.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 36560b8d85d783aab3eb3a9c063e1ad38d97b211754f78f6ef2157b54a422902
                    • Instruction ID: 4888f75b495e245dd575fec4f1fe6b628cfa720af9770f4af9f4b6d1f5a9513c
                    • Opcode Fuzzy Hash: 36560b8d85d783aab3eb3a9c063e1ad38d97b211754f78f6ef2157b54a422902
                    • Instruction Fuzzy Hash: 4F21C2B59002189FDB10CFAAD984BDEBBF8EB48324F14841AE915A7310D378A954CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetSystemTimes.KERNEL32(?,?,?), ref: 07EC40F4
                    Memory Dump Source
                    • Source File: 00000012.00000002.944511555.0000000007EC0000.00000040.00000001.sdmp, Offset: 07EC0000, based on PE: false
                    Similarity
                    • API ID: SystemTimes
                    • String ID:
                    • API String ID: 375623090-0
                    • Opcode ID: 98674502ecfacb3e7498587ddfe93aa1471062a7c33c912851884a401fc5355e
                    • Instruction ID: e9cd339f02f16c2ec96afe702c27d68442c76cf35208f6273ebd640ad42f57d8
                    • Opcode Fuzzy Hash: 98674502ecfacb3e7498587ddfe93aa1471062a7c33c912851884a401fc5355e
                    • Instruction Fuzzy Hash: CC21F3B5D012099FDB40CFAAD584BDEFBF4EB59224F14806AE908AB241D3749A41CBA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02D596A9,00000800,00000000,00000000), ref: 02D598BA
                    Memory Dump Source
                    • Source File: 00000012.00000002.927788824.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 052a90d504c532770a190e405816b1280972000a1775c4087ce0a19ef4086883
                    • Instruction ID: a87b6b6eccfada2a25475f45da57bb16e6d6249532ce1d43cf139af4d5d5506e
                    • Opcode Fuzzy Hash: 052a90d504c532770a190e405816b1280972000a1775c4087ce0a19ef4086883
                    • Instruction Fuzzy Hash: 681103B6D00209DFDB10CF9AD444BDEBBF4EB48324F04842AE915A7700C3B9A945CFA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02D596A9,00000800,00000000,00000000), ref: 02D598BA
                    Memory Dump Source
                    • Source File: 00000012.00000002.927788824.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 4787e549af1fb974e1c4b1ebf08bd6cba783de13dfa6eb931f5904c8000e78d3
                    • Instruction ID: 83ea9769f163a9c07e87c182c9c6b99af30c5a12badbdfafb5d172b7b5351576
                    • Opcode Fuzzy Hash: 4787e549af1fb974e1c4b1ebf08bd6cba783de13dfa6eb931f5904c8000e78d3
                    • Instruction Fuzzy Hash: 4B1114B6D002098FDB10CF9AD844BDEFBF4EB48314F04852AE819A7300C3B8A945CFA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleW.KERNEL32(00000000), ref: 02D5962E
                    Memory Dump Source
                    • Source File: 00000012.00000002.927788824.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: 5a1e0900116fbaa40df067508b4a68219c9eb3794b36a5b5ad1bd370785f006a
                    • Instruction ID: a23ca62de54b10e6603a5cc8b036558e721357e9e9f01fb76c8d4aa47f24765f
                    • Opcode Fuzzy Hash: 5a1e0900116fbaa40df067508b4a68219c9eb3794b36a5b5ad1bd370785f006a
                    • Instruction Fuzzy Hash: E411E3B5D00259CFDB10CF9AD444BDEFBF4AB88224F14852AD819A7700D375A545CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetWindowLongW.USER32(?,?,?), ref: 02D5FE9D
                    Memory Dump Source
                    • Source File: 00000012.00000002.927788824.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                    Similarity
                    • API ID: LongWindow
                    • String ID:
                    • API String ID: 1378638983-0
                    • Opcode ID: e2a112be54fdcba97d275f9c237866fd116c518768f76cf0da6b29975898fd8a
                    • Instruction ID: f7d4acb682c1ea8553279b1fbc95327cb2d4febcc89f0b5ef529f9762dec6dcb
                    • Opcode Fuzzy Hash: e2a112be54fdcba97d275f9c237866fd116c518768f76cf0da6b29975898fd8a
                    • Instruction Fuzzy Hash: 791103B59002089FDB10CF9AD589BDEFBF8EB48324F10851AE859A7700C374A944CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetWindowLongW.USER32(?,?,?), ref: 02D5FE9D
                    Memory Dump Source
                    • Source File: 00000012.00000002.927788824.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                    Similarity
                    • API ID: LongWindow
                    • String ID:
                    • API String ID: 1378638983-0
                    • Opcode ID: 064a8a22b13fdcafb5362a14810208c077b6a68503e209adb54a9dcae4f828cd
                    • Instruction ID: 6948b49672694a284a726c10711e9b6e48707262eb0ba4ca0303761df2d64f87
                    • Opcode Fuzzy Hash: 064a8a22b13fdcafb5362a14810208c077b6a68503e209adb54a9dcae4f828cd
                    • Instruction Fuzzy Hash: 0711E2B59002499FDB10CF9AD585BDFBBF8EB48324F10855AE919A7740C3B4A944CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Executed Functions

                    Memory Dump Source
                    • Source File: 00000016.00000002.814864547.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0051d0ec67696175d0e3232d76e50abe266424392d6878411f6ba991bd99a587
                    • Instruction ID: a49c679dbbe528eab2c6997449b681cd50f16e17cbf5cba56ff79331a9591c11
                    • Opcode Fuzzy Hash: 0051d0ec67696175d0e3232d76e50abe266424392d6878411f6ba991bd99a587
                    • Instruction Fuzzy Hash: 1461E370E01208CFDB54DFB5D981ADEBBB2EF89304F20856AD409AB365DB385946CF44
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000016.00000002.814864547.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 65f7cad63f3389400366e048183688ab0c4f23a17a7d9d63680101058354acc6
                    • Instruction ID: e86734316a3d05cdb96a70ad621049af877c65641d95a838f52dada281f6755f
                    • Opcode Fuzzy Hash: 65f7cad63f3389400366e048183688ab0c4f23a17a7d9d63680101058354acc6
                    • Instruction Fuzzy Hash: A761D270E01208CFDB58DFB5D981A9DBBF2BF89304F20846AD409AB365DB386945CF54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000016.00000002.814864547.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8d2dbfa4ab0f76859794a5661ddd65131e0db3f4e16826825cb5e40fad962ce3
                    • Instruction ID: 6cfe43e5d493d4c2dd86321438c624d443255dfe88abb6a663c733a280a11b54
                    • Opcode Fuzzy Hash: 8d2dbfa4ab0f76859794a5661ddd65131e0db3f4e16826825cb5e40fad962ce3
                    • Instruction Fuzzy Hash: BBE0482009F3C04FC7129B74AC69BD97F70AF43219F0945EFD8458B5A3D7250445D725
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000016.00000002.814864547.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1d9bd06b9c3bb43535a25e9825d4840a40dcea4219abefc2413a68aa4f39b12c
                    • Instruction ID: f3d92b86865dcaf68ffd83c1e92030abfee3671ddfa79ff9031b8bd303fa41f8
                    • Opcode Fuzzy Hash: 1d9bd06b9c3bb43535a25e9825d4840a40dcea4219abefc2413a68aa4f39b12c
                    • Instruction Fuzzy Hash: 0D117C70E4A1088FCB10DFB9E8557FDBBB5AF8A305F006429D419B72A1EB385846CF64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000016.00000002.814864547.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000016.00000002.814864547.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Executed Functions

                    Memory Dump Source
                    • Source File: 00000017.00000002.930255267.0000000004E90000.00000040.00000001.sdmp, Offset: 04E90000, based on PE: false
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000017.00000002.930255267.0000000004E90000.00000040.00000001.sdmp, Offset: 04E90000, based on PE: false
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000017.00000002.930255267.0000000004E90000.00000040.00000001.sdmp, Offset: 04E90000, based on PE: false
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000017.00000002.930255267.0000000004E90000.00000040.00000001.sdmp, Offset: 04E90000, based on PE: false
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000017.00000002.930255267.0000000004E90000.00000040.00000001.sdmp, Offset: 04E90000, based on PE: false
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions