
Windows Analysis Report wm4J5m8pIK.exe

Overview

General Information

Sample Name: wm4J5m8pIK.exe
Analysis ID: 457788
MD5: 8fa8f52dfc55d341300eff8e4c44ba33
SHA1: 4fbdb8c39bbc48b159e1f795a2222d51077fdbe9
SHA256: 2c7da7ff43c90ae620fd5135c2ed34c7e644a9a1098bfb69f1dc6b8ab6410c9a
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • wm4J5m8pIK.exe (PID: 5804 cmdline: 'C:\Users\user\Desktop\wm4J5m8pIK.exe' MD5: 8FA8F52DFC55D341300EFF8E4C44BA33)
    • wm4J5m8pIK.exe (PID: 5600 cmdline: C:\Users\user\Desktop\wm4J5m8pIK.exe MD5: 8FA8F52DFC55D341300EFF8E4C44BA33)
  • dhcpmon.exe (PID: 6316 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 8FA8F52DFC55D341300EFF8E4C44BA33)
    • dhcpmon.exe (PID: 6992 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 8FA8F52DFC55D341300EFF8E4C44BA33)
    • dhcpmon.exe (PID: 7044 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 8FA8F52DFC55D341300EFF8E4C44BA33)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6a1c2465-7ac5-4f1d-acc5-ef04fcf4", "Group": "Default", "Domain1": "hhjhtggfr.duckdns.org", "Domain2": "dertrefg.duckdns.org", "Port": 8234, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "hhjhtggfr.duckdns.org"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000014.00000002.400395562.0000000004029000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000014.00000002.400395562.0000000004029000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x42ee5:$a: NanoCore
  • 0x42f3e:$a: NanoCore
  • 0x42f7b:$a: NanoCore
  • 0x42ff4:$a: NanoCore
  • 0x5669f:$a: NanoCore
  • 0x566b4:$a: NanoCore
  • 0x566e9:$a: NanoCore
  • 0x6f18b:$a: NanoCore
  • 0x6f1a0:$a: NanoCore
  • 0x6f1d5:$a: NanoCore
  • 0x42f47:$b: ClientPlugin
  • 0x42f84:$b: ClientPlugin
  • 0x43882:$b: ClientPlugin
  • 0x4388f:$b: ClientPlugin
  • 0x5645b:$b: ClientPlugin
  • 0x56476:$b: ClientPlugin
  • 0x564a6:$b: ClientPlugin
  • 0x566bd:$b: ClientPlugin
  • 0x566f2:$b: ClientPlugin
  • 0x6ef47:$b: ClientPlugin
  • 0x6ef62:$b: ClientPlugin
00000014.00000002.398013426.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000014.00000002.398013426.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000014.00000002.398013426.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
(5 further entries omitted)

Unpacked PEs

Source | Rule | Description | Author | Strings
20.2.dhcpmon.exe.3089658.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
20.2.dhcpmon.exe.3089658.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
20.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
20.2.dhcpmon.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(14 further entries omitted)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\wm4J5m8pIK.exe, ProcessId: 5600, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\wm4J5m8pIK.exe, ProcessId: 5600, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\wm4J5m8pIK.exe, ProcessId: 5600, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\wm4J5m8pIK.exe, ProcessId: 5600, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000014.00000002.400395562.0000000004029000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6a1c2465-7ac5-4f1d-acc5-ef04fcf4", "Group": "Default", "Domain1": "hhjhtggfr.duckdns.org", "Domain2": "dertrefg.duckdns.org", "Port": 8234, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "hhjhtggfr.duckdns.org"}
Multi AV Scanner detection for domain / URL
Source: hhjhtggfr.duckdns.org | Virustotal: Detection: 8%
Source: dertrefg.duckdns.org | Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Virustotal: Detection: 18%
Multi AV Scanner detection for submitted file
Source: wm4J5m8pIK.exe | Virustotal: Detection: 18%
Yara detected Nanocore RAT
Source: Yara match | File source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.dhcpmon.exe.406ff3c.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.dhcpmon.exe.406b106.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.dhcpmon.exe.4074565.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.dhcpmon.exe.406ff3c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000014.00000002.400395562.0000000004029000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.398013426.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.400062984.0000000003021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 7044, type: MEMORYSTR
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: wm4J5m8pIK.exe | Joe Sandbox ML: detected
Source: 20.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: wm4J5m8pIK.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: wm4J5m8pIK.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49713 -> 203.159.80.186:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49714 -> 203.159.80.186:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49715 -> 203.159.80.186:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49717 -> 203.159.80.186:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49720 -> 203.159.80.186:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49723 -> 203.159.80.186:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49725 -> 203.159.80.186:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49726 -> 203.159.80.186:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49727 -> 203.159.80.186:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49728 -> 203.159.80.186:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49729 -> 203.159.80.186:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49733 -> 203.159.80.186:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49734 -> 203.159.80.186:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49735 -> 203.159.80.186:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49736 -> 203.159.80.186:8234
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49737 -> 203.159.80.186:8234
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: hhjhtggfr.duckdns.org
Source: Malware configuration extractor | URLs: dertrefg.duckdns.org
Uses dynamic DNS services
Source: unknown | DNS query: name: hhjhtggfr.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.5:49713 -> 203.159.80.186:8234
Source: Joe Sandbox View | ASN Name: LOVESERVERSGB LOVESERVERSGB
Source: unknown | DNS traffic detected: queries for: hhjhtggfr.duckdns.org
Source: dhcpmon.exe, 00000014.00000002.400395562.0000000004029000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.dhcpmon.exe.406ff3c.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.dhcpmon.exe.406b106.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.dhcpmon.exe.4074565.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.dhcpmon.exe.406ff3c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000014.00000002.400395562.0000000004029000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.398013426.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.400062984.0000000003021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 7044, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 20.2.dhcpmon.exe.3089658.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.dhcpmon.exe.406ff3c.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.406b106.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.406b106.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.dhcpmon.exe.4074565.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.406ff3c.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.400395562.0000000004029000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.398013426.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.398013426.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.400062984.0000000003021000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 7044, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 7044, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 20_2_02E0E480 20_2_02E0E480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 20_2_02E0E471 20_2_02E0E471
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 20_2_02E0BBD4 20_2_02E0BBD4
Source: wm4J5m8pIK.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wm4J5m8pIK.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wm4J5m8pIK.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wm4J5m8pIK.exe, 00000000.00000000.225339257.00000000007A6000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSHA2.exe< vs wm4J5m8pIK.exe
Source: wm4J5m8pIK.exe, 00000007.00000000.278716006.00000000005A6000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSHA2.exe< vs wm4J5m8pIK.exe
Source: wm4J5m8pIK.exe, 00000007.00000003.287286490.0000000000A7C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs wm4J5m8pIK.exe
Source: wm4J5m8pIK.exe | Binary or memory string: OriginalFilenameSHA2.exe< vs wm4J5m8pIK.exe
Source: wm4J5m8pIK.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 20.2.dhcpmon.exe.3089658.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.3089658.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.dhcpmon.exe.406ff3c.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.406ff3c.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.dhcpmon.exe.406b106.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.406b106.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.dhcpmon.exe.406b106.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.dhcpmon.exe.4074565.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.4074565.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.dhcpmon.exe.406ff3c.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.406ff3c.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.400395562.0000000004029000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.398013426.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.398013426.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.400062984.0000000003021000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 7044, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 7044, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: wm4J5m8pIK.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.7.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 20.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 20.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 20.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/8@17/2
Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | File created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wm4J5m8pIK.exe.log
Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{6a1c2465-7ac5-4f1d-acc5-ef04fcf454c9}
Source: wm4J5m8pIK.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: wm4J5m8pIK.exe | Virustotal: Detection: 18%
Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | File read: C:\Users\user\Desktop\wm4J5m8pIK.exe
Source: unknown | Process created: C:\Users\user\Desktop\wm4J5m8pIK.exe 'C:\Users\user\Desktop\wm4J5m8pIK.exe'
Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Process created: C:\Users\user\Desktop\wm4J5m8pIK.exe C:\Users\user\Desktop\wm4J5m8pIK.exe
Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Process created: C:\Users\user\Desktop\wm4J5m8pIK.exe C:\Users\user\Desktop\wm4J5m8pIK.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: wm4J5m8pIK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: wm4J5m8pIK.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: wm4J5m8pIK.exe | Static file information: File size 1378816 > 1048576
Source: wm4J5m8pIK.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x142e00
Source: wm4J5m8pIK.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: 20.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 20.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 19_2_003A4625 push ds; ret 19_2_003A4626
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 20_2_00824625 push ds; ret 20_2_00824626
Source: initial sample | Static PE information: section name: .text entropy: 7.57991184815
Source: initial sample | Static PE information: section name: .text entropy: 7.57991184815
Source: 20.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 20.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | File opened: C:\Users\user\Desktop\wm4J5m8pIK.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Window / User API: threadDelayed 5131
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Window / User API: threadDelayed 3699
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Window / User API: foregroundWindowGot 582
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Window / User API: foregroundWindowGot 679
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe TID: 5964 | Thread sleep time: -44072s >= -30000s
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe TID: 5908 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe TID: 1112 | Thread sleep time: -9223372036854770s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6320 | Thread sleep time: -40023s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6344 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7120 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Thread delayed: delay time: 44072
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 40023
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Process token adjusted: Debug
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        .NET source code references suspicious native API functions
        Source: wm4J5m8pIK.exe, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
        Source: 0.0.wm4J5m8pIK.exe.660000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
        Source: dhcpmon.exe.7.dr, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
        Source: 7.0.wm4J5m8pIK.exe.460000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
        Source: 15.0.dhcpmon.exe.a0000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
        Source: 19.0.dhcpmon.exe.3a0000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
        Source: 19.2.dhcpmon.exe.3a0000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
        Source: 20.2.dhcpmon.exe.400000.0.unpack, #=qjryTBW16mUfo_ItH9KWoGQ==.cs | Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
        Source: 20.2.dhcpmon.exe.820000.1.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
        Source: 20.0.dhcpmon.exe.820000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Process created: C:\Users\user\Desktop\wm4J5m8pIK.exe C:\Users\user\Desktop\wm4J5m8pIK.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Queries volume information: C:\Users\user\Desktop\wm4J5m8pIK.exe VolumeInformation
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\wm4J5m8pIK.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.dhcpmon.exe.406ff3c.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.dhcpmon.exe.406b106.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.dhcpmon.exe.4074565.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.dhcpmon.exe.406ff3c.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000014.00000002.400395562.0000000004029000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000002.398013426.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000002.400062984.0000000003021000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 7044, type: MEMORYSTR

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: wm4J5m8pIK.exe, 00000007.00000003.287286490.0000000000A7C000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000014.00000002.400395562.0000000004029000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000014.00000002.400395562.0000000004029000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

        Yara detected Nanocore RAT
        Source: Yara match | File source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.dhcpmon.exe.406ff3c.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.dhcpmon.exe.406b106.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.dhcpmon.exe.4074565.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 20.2.dhcpmon.exe.406ff3c.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000014.00000002.400395562.0000000004029000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000002.398013426.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000014.00000002.400062984.0000000003021000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 7044, type: MEMORYSTR

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation 1 | Path Interception | Process Injection 11 | Masquerading 2 | Input Capture 11 | Query Registry 1 | Remote Services | Input Capture 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 11 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 21 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 11 | NTDS | Virtualization/Sandbox Evasion 21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | Carrier Billing Fraud |
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 21 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 2 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

        Behavior Graph

        (behavior graph figure not reproduced in this report extract)

        Screenshots

        (screenshot thumbnails not reproduced in this report extract)

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        wm4J5m8pIK.exe | 18% | Virustotal |
        wm4J5m8pIK.exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 18% | Virustotal |

        Unpacked PE Files

        Source | Detection | Scanner | Label
        20.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        Source | Detection | Scanner | Label
        hhjhtggfr.duckdns.org | 9% | Virustotal |

        URLs

        Source | Detection | Scanner | Label
        hhjhtggfr.duckdns.org | 9% | Virustotal |
        hhjhtggfr.duckdns.org | 0% | Avira URL Cloud | safe
        dertrefg.duckdns.org | 8% | Virustotal |
        dertrefg.duckdns.org | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        hhjhtggfr.duckdns.org | 203.159.80.186 | true | true | | unknown

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        hhjhtggfr.duckdns.org | true | 9% Virustotal; Avira URL Cloud: safe | unknown
        dertrefg.duckdns.org | true | 8% Virustotal; Avira URL Cloud: safe | unknown

        Contacted IPs

        Public

        IP | Domain | Country | ASN | ASN Name | Malicious
        203.159.80.186 | hhjhtggfr.duckdns.org | Netherlands | 47987 | LOVESERVERSGB | true

        Private

        IP
        192.168.2.1

        General Information

        Joe Sandbox Version: 33.0.0 White Diamond
        Analysis ID: 457788
        Start date: 02.08.2021
        Start time: 10:02:56
        Joe Sandbox Product: CloudBasic
        Overall analysis duration: 0h 9m 16s
        Hypervisor based Inspection enabled: false
        Report type: full
        Sample file name: wm4J5m8pIK.exe
        Cookbook file name: default.jbs
        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of new started processes analysed: 27
        Number of new started drivers analysed: 0
        Number of existing processes analysed: 0
        Number of existing drivers analysed: 0
        Number of injected processes analysed: 0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode: default
        Analysis stop reason: Timeout
        Detection: MAL
        Classification: mal100.troj.evad.winEXE@8/8@17/2
        EGA Information: Failed
        HDC Information:
        • Successful, ratio: 12% (good quality ratio 12%)
        • Quality average: 63%
        • Quality standard deviation: 3.6%
        HCA Information:
        • Successful, ratio: 99%
        • Number of executed functions: 12
        • Number of non-executed functions: 3
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found application associated with file extension: .exe
        Warnings:
        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 52.255.188.83, 52.147.198.201, 23.211.6.115, 131.253.33.200, 13.107.22.200, 23.211.4.86, 20.82.210.154, 93.184.221.240, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.82.209.183
        • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, wu.ec.azureedge.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcoleus16.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net
        • Not all processes were analyzed; the report is missing behavior information
        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.

        Simulations

        Behavior and APIs

        Time | Type | Description
        10:04:09 | API Interceptor | 811x Sleep call for process: wm4J5m8pIK.exe modified
        10:04:15 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        10:04:53 | API Interceptor | 1x Sleep call for process: dhcpmon.exe modified

        Joe Sandbox View / Context

        IPs

        Match | Associated Sample Name / URL | Detection | Context
        203.159.80.186 | 2fja1Oszs9.exe | malicious
        • hutyrtit.ydns.eu/microC.exe

        Domains

        Match | Associated Sample Name / URL | Detection | Context
        hhjhtggfr.duckdns.org | WrNhr6yUD8.exe | malicious
        • 37.0.8.214
        hhjhtggfr.duckdns.org | YjnGfifJ4X.exe | malicious
        • 203.159.80.101
        hhjhtggfr.duckdns.org | E8NURjuahU.exe | malicious
        • 203.159.80.101
        hhjhtggfr.duckdns.org | MkASxmQIe3.exe | malicious
        • 203.159.80.101
        hhjhtggfr.duckdns.org | 6rkqQM8Ldz.exe | malicious
        • 203.159.80.101
        hhjhtggfr.duckdns.org | bHSfr2q0yu.exe | malicious
        • 203.159.80.101
        hhjhtggfr.duckdns.org | lqtN3Z5Uzp.exe | malicious
        • 203.159.80.101
        hhjhtggfr.duckdns.org | Invoice 406496.doc | malicious
        • 203.159.80.101
        hhjhtggfr.duckdns.org | 1OLlrVAlAE.exe | malicious
        • 203.159.80.101
        hhjhtggfr.duckdns.org | microC.exe | malicious
        • 203.159.80.101

        ASN

        Match | Associated Sample Name / URL | Detection | Context
        LOVESERVERSGB | 2fja1Oszs9.exe | malicious
        • 203.159.80.186
        LOVESERVERSGB | SKM-582649274924.exe | malicious
        • 203.159.80.93
        LOVESERVERSGB | Shipping Details_PDF.exe | malicious
        • 203.159.80.118
        LOVESERVERSGB | eInvoicing.jar | malicious
        • 203.159.80.23
        LOVESERVERSGB | DyxL4y2hv3.exe | malicious
        • 203.159.80.165
        LOVESERVERSGB | ktWmI8zMGs.exe | malicious
        • 203.159.80.182
        LOVESERVERSGB | fBR05jzjti.exe | malicious
        • 203.159.80.165
        LOVESERVERSGB | Original Shipping .doc | malicious
        • 203.159.80.165
        LOVESERVERSGB | hfJdO3BjO0.exe | malicious
        • 203.159.80.107
        LOVESERVERSGB | No.IV21002542.doc | malicious
        • 203.159.80.107
        LOVESERVERSGB | payment details.doc | malicious
        • 203.159.80.107
        LOVESERVERSGB | DblVVdaNgC.exe | malicious
        • 203.159.80.107
        LOVESERVERSGB | g2v7gt7qnt.exe | malicious
        • 203.159.80.107
        LOVESERVERSGB | Pfanner_106888964.exe | malicious
        • 203.159.80.182
        LOVESERVERSGB | THIRD PO.doc | malicious
        • 203.159.80.101
        LOVESERVERSGB | D3NBBjj3lw.exe | malicious
        • 203.159.80.101
        LOVESERVERSGB | iCQfyvJX6i.exe | malicious
        • 203.159.80.101
        LOVESERVERSGB | 5iNDenLpgE.exe | malicious
        • 203.159.80.101
        LOVESERVERSGB | zcwuWwArl5.exe | malicious
        • 203.159.80.101
        LOVESERVERSGB | aBV85W9scn.exe | malicious
        • 203.159.80.101

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Process: C:\Users\user\Desktop\wm4J5m8pIK.exe
        File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
        Category: dropped
        Size (bytes): 1378816
        Entropy (8bit): 7.548476087877472
        Encrypted: false
        SSDEEP: 24576:26IBQ76DOifx8Dgyfx8Dgz06TbTZpq72pMNaDuDHQUl3uwDZzGL:OQ76f58Dgy58Dgz06n1pfWNdlJZa
        MD5: 8FA8F52DFC55D341300EFF8E4C44BA33
        SHA1: 4FBDB8C39BBC48B159E1F795A2222D51077FDBE9
        SHA-256: 2C7DA7FF43C90AE620FD5135C2ED34C7E644A9A1098BFB69F1DC6B8AB6410C9A
        SHA-512: A29B2B8FCDE4EF5917E6AAD29C547D2FCEF3E452B3ED502788BD5BF7CB2E107C46A12783EBBE8EB4AA896C56DFD3FD37C994B67EB5C8F5C9C32FBA75FE486205
        Malicious: true
        Antivirus:
        • Antivirus: Joe Sandbox ML, Detection: 100%
        • Antivirus: Virustotal, Detection: 18%
        Reputation: low
        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1..a..............P..............L... ...`....@.. .......................`............@..................................K..O....`.. ....................@....................................................... ............... ..H............text....,... ...................... ..`.rsrc... ....`.......0..............@..@.reloc.......@......................@..B.................K......H........0..d.......s........o............................................(....*&..(.....*.s.........s ........s!........s"........s#........*...0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0...........~....o'....+..*.0...........~....o(....+..*.0..<........~.....().....,!r...p.....(*...o+...s,............~.....+..*.0...........~.....+..*".......*.0..&........(....r1..p~....o-...(......t$....+..*...0..&........(....r7..p~....o-...(......
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
        Process: C:\Users\user\Desktop\wm4J5m8pIK.exe
        File Type: ASCII text, with CRLF line terminators
        Category: dropped
        Size (bytes): 26
        Entropy (8bit): 3.95006375643621
        Encrypted: false
        SSDEEP: 3:ggPYV:rPYV
        MD5: 187F488E27DB4AF347237FE461A079AD
        SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
        SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
        SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
        Malicious: true
        Reputation: high, very likely benign file
        Preview: [ZoneTransfer]....ZoneId=0
        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
        Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        File Type: ASCII text, with CRLF line terminators
        Category: dropped
        Size (bytes): 1216
        Entropy (8bit): 5.355304211458859
        Encrypted: false
        SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
        MD5: FED34146BF2F2FA59DCF8702FCC8232E
        SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
        SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
        SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
        Malicious: false
        Reputation: high, very likely benign file
        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wm4J5m8pIK.exe.log
        Process: C:\Users\user\Desktop\wm4J5m8pIK.exe
        File Type: ASCII text, with CRLF line terminators
        Category: dropped
        Size (bytes): 1216
        Entropy (8bit): 5.355304211458859
        Encrypted: false
        SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
        MD5: FED34146BF2F2FA59DCF8702FCC8232E
        SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
        SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
        SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
        Malicious: true
        Reputation: high, very likely benign file
        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
        Process: C:\Users\user\Desktop\wm4J5m8pIK.exe
        File Type: data
        Category: dropped
        Size (bytes): 1856
        Entropy (8bit): 7.024371743172393
        Encrypted: false
        SSDEEP: 48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCr
        MD5: 838CD9DBC78EA45A5406EAE23962086D
        SHA1: C8273AACDEE03AC0CDCDDBAA83F51D04D6A4203C
        SHA-256: 6E11A62511C5BBC0413128305069B780C448684B54FAA3E8DD0B4FD3DB8C9867
        SHA-512: F7D25EF1FA6F50667DD6785CC774E0AA6BC52A2231FE96E7C59D14EFDFDDA076F6399288CF6EAC8EFA8A75727893432AA155DA0E392F8CD1F26C5C5871EAC6B5
        Malicious: false
        Reputation: moderate, very likely benign file
        Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
        Process: C:\Users\user\Desktop\wm4J5m8pIK.exe
        File Type: Non-ISO extended-ASCII text, with no line terminators
        Category: dropped
        Size (bytes): 8
        Entropy (8bit): 2.75
        Encrypted: false
        SSDEEP: 3:TF8t:m
        MD5: E8983D699E232A5B7C1FA96E107D27D4
        SHA1: 79C8F3A4338622B7D46DFC878AB52B7AF814D850
        SHA-256: B1024BBCD30F38AB928B05E37771A0F4D2CFA740D301043F787C4C0A99E5F7E5
        SHA-512: 68485EFF1C0BDAE02C2F5DC10B18E3AEBA8271C13D2E82E81B5615BD29343CBB1BAB7F4B4E669F94A7FCF6A38D0178E1155D75DC615B560E64148270271A0423
        Malicious: true
        Reputation: low
        Preview: '.U..U.H
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
        Process: C:\Users\user\Desktop\wm4J5m8pIK.exe
        File Type: data
        Category: modified
        Size (bytes): 40
        Entropy (8bit): 5.153055907333276
        Encrypted: false
        SSDEEP: 3:9bzY6oRDT6P2bfVn1:RzWDT621
        MD5: 4E5E92E2369688041CC82EF9650EDED2
        SHA1: 15E44F2F3194EE232B44E9684163B6F66472C862
        SHA-256: F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
        SHA-512: 1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
        Malicious: false
        Reputation: moderate, very likely benign file
        Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
        Process: C:\Users\user\Desktop\wm4J5m8pIK.exe
        File Type: data
        Category: dropped
        Size (bytes): 327432
        Entropy (8bit): 7.99938831605763
        Encrypted: true
        SSDEEP: 6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
        MD5: 7E8F4A764B981D5B82D1CC49D341E9C6
        SHA1: D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
        SHA-256: 0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
        SHA-512: 880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
        Malicious: false
        Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7

        Static File Info

        General

        File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
        Entropy (8bit): 7.548476087877472
        TrID:
        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
        • Win32 Executable (generic) a (10002005/4) 49.78%
        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
        • Generic Win/DOS Executable (2004/3) 0.01%
        • DOS Executable Generic (2002/1) 0.01%
        File name: wm4J5m8pIK.exe
        File size: 1378816
        MD5: 8fa8f52dfc55d341300eff8e4c44ba33
        SHA1: 4fbdb8c39bbc48b159e1f795a2222d51077fdbe9
        SHA256: 2c7da7ff43c90ae620fd5135c2ed34c7e644a9a1098bfb69f1dc6b8ab6410c9a
        SHA512: a29b2b8fcde4ef5917e6aad29c547d2fcef3e452b3ed502788bd5bf7cb2e107c46a12783ebbe8eb4aa896c56dfd3fd37c994b67eb5c8f5c9c32fba75fe486205
        SSDEEP: 24576:26IBQ76DOifx8Dgyfx8Dgz06TbTZpq72pMNaDuDHQUl3uwDZzGL:OQ76f58Dgy58Dgz06n1pfWNdlJZa
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1..a..............P..............L... ...`....@.. .......................`............@................................

        File Icon

        Icon Hash: b07968fcd4ec7090

        Static PE Info

        General

        Entrypoint: 0x544c06
        Entrypoint Section: .text
        Digitally signed: false
        Imagebase: 0x400000
        Subsystem: windows gui
        Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
        DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Time Stamp: 0x61079B31 [Mon Aug 2 07:13:53 2021 UTC]
        TLS Callbacks:
        CLR (.Net) Version: v4.0.30319
        OS Version Major: 4
        OS Version Minor: 0
        File Version Major: 4
        File Version Minor: 0
        Subsystem Version Major: 4
        Subsystem Version Minor: 0
        Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

        Entrypoint Preview

        Instruction
        jmp dword ptr [00402000h]
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al

        Data Directories

        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x144bb4 | 0x4f | .text
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x146000 | 0xd620 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x154000 | 0xc | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

        Sections

        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x2000 | 0x142c0c | 0x142e00 | False | 0.72027136566 | data | 7.57991184815 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        .rsrc | 0x146000 | 0xd620 | 0xd800 | False | 0.708405671296 | data | 6.5968021119 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc | 0x154000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

        Resources

        Name | RVA | Size | Type | Language | Country
        RT_ICON | 0x146200 | 0x2e8 | data | |
        RT_ICON | 0x1464f8 | 0x128 | GLS_BINARY_LSB_FIRST | |
        RT_ICON | 0x146630 | 0xea8 | data | |
        RT_ICON | 0x1474e8 | 0x8a8 | data | |
        RT_ICON | 0x147da0 | 0x568 | GLS_BINARY_LSB_FIRST | |
        RT_ICON | 0x148318 | 0x7228 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
        RT_ICON | 0x14f550 | 0x25a8 | data | |
        RT_ICON | 0x151b08 | 0x10a8 | data | |
        RT_ICON | 0x152bc0 | 0x468 | GLS_BINARY_LSB_FIRST | |
        RT_GROUP_ICON | 0x153038 | 0x84 | data | |
        RT_VERSION | 0x1530cc | 0x354 | data | |
        RT_MANIFEST | 0x153430 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

        Imports

        DLL | Import
        mscoree.dll | _CorExeMain

        Version Infos

        Description | Data
        Translation | 0x0000 0x04b0
        LegalCopyright | Copyright Casper College 2009
        Assembly Version | 1.0.0.0
        InternalName | SHA2.exe
        FileVersion | 1.0.0.0
        CompanyName | Casper College
        LegalTrademarks |
        Comments |
        ProductName | pacman2008_01
        ProductVersion | 1.0.0.0
        FileDescription | pacman2008_01
        OriginalFilename | SHA2.exe

        Network Behavior

        Snort IDS Alerts

        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
        08/02/21-10:04:14.771126 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49713 | 8234 | 192.168.2.5 | 203.159.80.186
        08/02/21-10:04:24.339627 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49714 | 8234 | 192.168.2.5 | 203.159.80.186
        08/02/21-10:04:29.237612 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49715 | 8234 | 192.168.2.5 | 203.159.80.186
        08/02/21-10:04:34.009201 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49717 | 8234 | 192.168.2.5 | 203.159.80.186
        08/02/21-10:04:46.937776 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49720 | 8234 | 192.168.2.5 | 203.159.80.186
        08/02/21-10:04:52.000559 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49723 | 8234 | 192.168.2.5 | 203.159.80.186
        08/02/21-10:04:59.132078 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49725 | 8234 | 192.168.2.5 | 203.159.80.186
        08/02/21-10:05:07.264035 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49726 | 8234 | 192.168.2.5 | 203.159.80.186
        08/02/21-10:05:12.208710 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49727 | 8234 | 192.168.2.5 | 203.159.80.186
        08/02/21-10:05:18.473782 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49728 | 8234 | 192.168.2.5 | 203.159.80.186
        08/02/21-10:05:27.044328 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49729 | 8234 | 192.168.2.5 | 203.159.80.186
        08/02/21-10:05:32.296396 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49733 | 8234 | 192.168.2.5 | 203.159.80.186
        08/02/21-10:05:36.939239 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49734 | 8234 | 192.168.2.5 | 203.159.80.186
        08/02/21-10:05:42.049631 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49735 | 8234 | 192.168.2.5 | 203.159.80.186
        08/02/21-10:05:48.052361 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49736 | 8234 | 192.168.2.5 | 203.159.80.186
        08/02/21-10:05:54.013288 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49737 | 8234 | 192.168.2.5 | 203.159.80.186

        Network Port Distribution

        TCP Packets

        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Aug 2, 2021 10:04:15.225406885 CEST497138234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:15.981106043 CEST497138234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:16.075891018 CEST823449713203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:16.765758991 CEST497138234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:16.868922949 CEST823449713203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:16.916002035 CEST497138234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:16.994898081 CEST823449713203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:17.278908014 CEST823449713203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:17.358207941 CEST497138234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:17.390499115 CEST823449713203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:17.499490976 CEST497138234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:17.539453030 CEST823449713203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:17.550297022 CEST497138234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:17.579629898 CEST823449713203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:17.579755068 CEST497138234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:17.610424995 CEST823449713203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:17.702610970 CEST497138234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:17.966125011 CEST497138234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:18.057049990 CEST823449713203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:18.209173918 CEST497138234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:18.212279081 CEST497138234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:24.309801102 CEST497148234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:24.338541985 CEST823449714203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:24.338737011 CEST497148234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:24.339627028 CEST497148234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:24.376122952 CEST823449714203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:24.500463009 CEST497148234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:24.528970957 CEST823449714203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:24.538469076 CEST497148234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:24.569215059 CEST823449714203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:24.639707088 CEST497148234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:29.029479027 CEST497158234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:29.061520100 CEST823449715203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:29.061709881 CEST497158234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:29.237612009 CEST497158234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:29.292576075 CEST823449715203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:29.391218901 CEST497158234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:29.422538042 CEST823449715203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:29.423022985 CEST497158234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:29.458734989 CEST823449715203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:29.500523090 CEST497158234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:29.531145096 CEST497158234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:29.618846893 CEST823449715203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:29.627044916 CEST497158234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:33.832998991 CEST497178234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:33.862891912 CEST823449717203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:33.863013029 CEST497178234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:34.009201050 CEST497178234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:34.065016031 CEST823449717203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:34.110312939 CEST497178234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:34.133290052 CEST497178234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:34.163106918 CEST823449717203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:34.204065084 CEST497178234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:34.350892067 CEST497178234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:34.431324005 CEST823449717203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:34.637032986 CEST823449717203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:34.688458920 CEST497178234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:34.717504978 CEST823449717203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:34.733406067 CEST497178234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:34.823466063 CEST823449717203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:34.823761940 CEST497178234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:34.865492105 CEST823449717203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:34.907248020 CEST497178234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:34.937433958 CEST823449717203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:34.987420082 CEST497178234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:35.767796040 CEST497178234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:35.853363037 CEST823449717203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:36.767606020 CEST497178234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:41.369059086 CEST497188234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:41.399440050 CEST823449718203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:41.399605989 CEST497188234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:42.641360044 CEST497188234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:42.674693108 CEST823449718203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:46.906338930 CEST497208234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:46.936733007 CEST823449720203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:46.936897993 CEST497208234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:46.937776089 CEST497208234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:47.001480103 CEST823449720203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:47.048955917 CEST497208234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:47.079061031 CEST823449720203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:47.109477997 CEST497208234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:47.144336939 CEST823449720203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:47.146275997 CEST497208234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:47.230397940 CEST823449720203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:47.471888065 CEST823449720203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:47.475508928 CEST497208234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:47.518882990 CEST823449720203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:47.564614058 CEST497208234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:47.593291044 CEST823449720203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:47.597026110 CEST497208234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:47.645651102 CEST823449720203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:47.645776987 CEST497208234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:47.675998926 CEST823449720203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:47.676337004 CEST497208234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:47.676363945 CEST497208234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:51.971096992 CEST497238234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:51.999974966 CEST823449723203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:52.000094891 CEST497238234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:52.000559092 CEST497238234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:52.087611914 CEST823449723203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:52.102283955 CEST823449723203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:52.102691889 CEST497238234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:52.132906914 CEST823449723203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:52.134217024 CEST497238234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:52.228282928 CEST823449723203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:52.388647079 CEST823449723203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:52.423785925 CEST497238234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:52.452476025 CEST823449723203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:52.502497911 CEST497238234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:52.652256012 CEST823449723203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:52.705806017 CEST497238234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:52.734656096 CEST823449723203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:52.735184908 CEST497238234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:52.764641047 CEST823449723203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:52.765039921 CEST497238234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:52.795691967 CEST823449723203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:52.847166061 CEST497238234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:52.974893093 CEST497238234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:53.074217081 CEST823449723203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:53.074404001 CEST497238234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:53.168041945 CEST823449723203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:53.830363035 CEST497238234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:53.915982008 CEST823449723203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:54.769251108 CEST497238234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:59.101320028 CEST497258234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:59.129601955 CEST823449725203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:59.131618977 CEST497258234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:59.132077932 CEST497258234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:59.195318937 CEST823449725203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:59.195960045 CEST497258234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:59.226622105 CEST823449725203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:59.269058943 CEST497258234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:59.353188038 CEST823449725203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:59.780096054 CEST823449725203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:59.888453007 CEST497258234192.168.2.5203.159.80.186
        Aug 2, 2021 10:04:59.918872118 CEST823449725203.159.80.186192.168.2.5
        Aug 2, 2021 10:04:59.919023991 CEST497258234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:00.006222963 CEST823449725203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:00.006311893 CEST497258234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:00.041920900 CEST823449725203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:00.125526905 CEST497258234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:00.153863907 CEST823449725203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:00.289239883 CEST497258234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:02.189436913 CEST497258234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:02.278286934 CEST823449725203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:02.922986984 CEST497258234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:07.232912064 CEST497268234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:07.262608051 CEST823449726203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:07.263041973 CEST497268234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:07.264034986 CEST497268234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:07.293256998 CEST823449726203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:07.357517958 CEST497268234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:07.387293100 CEST823449726203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:07.404175043 CEST497268234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:07.440243959 CEST823449726203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:07.450375080 CEST497268234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:07.526880026 CEST823449726203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:07.755609035 CEST823449726203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:07.771800995 CEST497268234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:07.801719904 CEST823449726203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:07.847524881 CEST497268234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:07.887597084 CEST823449726203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:07.941332102 CEST497268234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:07.970175982 CEST823449726203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:07.983778954 CEST497268234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:08.012291908 CEST823449726203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:08.037704945 CEST497268234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:08.071084976 CEST823449726203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:08.100308895 CEST497268234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:12.178978920 CEST497278234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:12.207714081 CEST823449727203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:12.207845926 CEST497278234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:12.208709955 CEST497278234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:12.264024019 CEST823449727203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:12.264400959 CEST497278234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:12.293603897 CEST823449727203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:12.310204029 CEST497278234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:12.384586096 CEST823449727203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:12.560311079 CEST823449727203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:12.563231945 CEST497278234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:12.592845917 CEST823449727203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:12.645293951 CEST497278234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:12.698734045 CEST823449727203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:12.745760918 CEST497278234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:12.775886059 CEST823449727203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:12.777487040 CEST497278234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:12.813709974 CEST823449727203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:12.813862085 CEST497278234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:12.844924927 CEST823449727203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:12.900001049 CEST497278234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:13.129883051 CEST497278234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:13.212682962 CEST823449727203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:14.152116060 CEST497278234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:18.443411112 CEST497288234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:18.472343922 CEST823449728203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:18.472455025 CEST497288234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:18.473782063 CEST497288234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:18.522910118 CEST823449728203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:18.523156881 CEST497288234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:18.552512884 CEST823449728203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:18.558075905 CEST497288234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:18.634970903 CEST823449728203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:18.855859041 CEST823449728203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:18.895375967 CEST497288234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:18.932188034 CEST823449728203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:18.973542929 CEST497288234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:19.012027979 CEST823449728203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:19.067300081 CEST497288234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:19.087865114 CEST497288234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:19.097403049 CEST823449728203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:19.145422935 CEST497288234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:19.165957928 CEST823449728203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:19.166099072 CEST497288234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:19.197926998 CEST823449728203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:19.239269018 CEST497288234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:19.274373055 CEST823449728203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:19.288732052 CEST497288234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:19.369157076 CEST823449728203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:20.201179028 CEST823449728203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:20.255232096 CEST497288234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:20.980185986 CEST497288234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:21.072056055 CEST823449728203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:21.927366972 CEST497288234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:22.009802103 CEST823449728203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:22.927666903 CEST497288234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:27.009016991 CEST497298234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:27.042931080 CEST823449729203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:27.043195963 CEST497298234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:27.044327974 CEST497298234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:27.077785015 CEST823449729203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:27.130511999 CEST497298234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:27.159272909 CEST823449729203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:27.171907902 CEST497298234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:27.201466084 CEST823449729203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:27.234016895 CEST497298234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:27.322192907 CEST823449729203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:27.512470961 CEST823449729203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:27.542074919 CEST497298234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:27.571261883 CEST823449729203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:27.572551012 CEST497298234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:27.650244951 CEST823449729203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:27.650320053 CEST497298234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:27.668241024 CEST823449729203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:27.708631039 CEST497298234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:27.738518953 CEST823449729203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:27.786762953 CEST497298234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:27.945509911 CEST497298234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:32.222626925 CEST497338234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:32.251235962 CEST823449733203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:32.251347065 CEST497338234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:32.296396017 CEST497338234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:32.355654001 CEST823449733203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:32.356054068 CEST497338234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:32.384423018 CEST823449733203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:32.428102016 CEST497338234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:32.456558943 CEST823449733203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:32.458614111 CEST497338234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:32.542578936 CEST823449733203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:32.655852079 CEST823449733203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:32.671869993 CEST497338234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:32.727711916 CEST823449733203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:32.771707058 CEST497338234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:32.788230896 CEST497338234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:36.899385929 CEST497348234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:36.938563108 CEST823449734203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:36.938703060 CEST497348234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:36.939239025 CEST497348234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:36.978092909 CEST823449734203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:37.021962881 CEST497348234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:37.054629087 CEST823449734203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:37.054955006 CEST497348234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:37.084080935 CEST823449734203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:37.086059093 CEST497348234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:37.166311026 CEST823449734203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:37.653145075 CEST823449734203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:37.655499935 CEST497348234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:37.684714079 CEST823449734203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:37.687083006 CEST497348234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:37.716984034 CEST823449734203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:37.717067957 CEST497348234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:37.771261930 CEST823449734203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:37.818898916 CEST497348234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:37.844820023 CEST497348234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:37.928884029 CEST497348234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:37.933011055 CEST823449734203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:37.933254957 CEST497348234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:42.015893936 CEST497358234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:42.048616886 CEST823449735203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:42.048871994 CEST497358234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:42.049631119 CEST497358234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:42.095436096 CEST823449735203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:42.106558084 CEST497358234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:42.135663033 CEST823449735203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:42.139437914 CEST497358234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:42.212677002 CEST823449735203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:42.444686890 CEST823449735203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:42.445686102 CEST497358234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:42.474739075 CEST823449735203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:42.522576094 CEST497358234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:42.550798893 CEST823449735203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:42.551350117 CEST497358234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:42.584923029 CEST823449735203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:42.587542057 CEST497358234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:42.616996050 CEST823449735203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:42.617542028 CEST497358234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:42.712574959 CEST823449735203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:42.929543972 CEST497358234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:43.118664980 CEST823449735203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:43.949887991 CEST497358234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:48.020539999 CEST497368234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:48.051482916 CEST823449736203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:48.051593065 CEST497368234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:48.052361012 CEST497368234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:48.102646112 CEST823449736203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:48.113589048 CEST497368234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:48.143724918 CEST823449736203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:48.145339966 CEST497368234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:48.228949070 CEST823449736203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:48.418983936 CEST823449736203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:48.421025991 CEST497368234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:48.449558973 CEST823449736203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:48.491933107 CEST497368234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:48.599641085 CEST823449736203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:48.634227037 CEST497368234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:48.728773117 CEST823449736203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:48.821278095 CEST823449736203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:48.821985006 CEST497368234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:48.900197983 CEST823449736203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:48.900350094 CEST497368234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:48.939846039 CEST823449736203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:48.940371990 CEST497368234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:48.983288050 CEST823449736203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:49.023081064 CEST497368234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:49.930919886 CEST497368234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:53.983831882 CEST497378234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:54.012654066 CEST823449737203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:54.013256073 CEST497378234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:54.013288021 CEST497378234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:54.213053942 CEST823449737203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:54.320287943 CEST823449737203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:54.321343899 CEST497378234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:54.350796938 CEST823449737203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:54.352025986 CEST497378234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:54.525289059 CEST823449737203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:54.580212116 CEST823449737203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:54.580631971 CEST497378234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:54.609194994 CEST823449737203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:54.665102959 CEST497378234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:54.744374037 CEST823449737203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:54.763035059 CEST497378234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:54.791444063 CEST823449737203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:54.791878939 CEST497378234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:54.821063042 CEST823449737203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:54.821193933 CEST497378234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:54.850066900 CEST823449737203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:54.898479939 CEST497378234192.168.2.5203.159.80.186
        Aug 2, 2021 10:05:59.099045992 CEST823449737203.159.80.186192.168.2.5
        Aug 2, 2021 10:05:59.148819923 CEST497378234192.168.2.5203.159.80.186

        UDP Packets

        Timestamp  Source Port  Dest Port  Source IP  Dest IP
        Aug 2, 2021 10:03:39.264986992 CEST  61805  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:03:39.297377110 CEST  53  61805  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:03:39.914453983 CEST  54795  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:03:39.940572977 CEST  53  54795  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:03:40.570497990 CEST  49557  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:03:40.597969055 CEST  53  49557  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:03:40.969286919 CEST  61733  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:03:41.009179115 CEST  53  61733  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:03:43.094080925 CEST  65447  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:03:43.122375965 CEST  53  65447  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:03:43.842588902 CEST  52441  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:03:43.870548010 CEST  53  52441  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:03:46.296399117 CEST  62176  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:03:46.326467991 CEST  53  62176  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:03:47.084573984 CEST  59596  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:03:47.117432117 CEST  53  59596  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:03:48.743884087 CEST  65296  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:03:48.769618034 CEST  53  65296  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:03:49.468190908 CEST  63183  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:03:49.496596098 CEST  53  63183  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:04:04.882872105 CEST  60151  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:04:04.915708065 CEST  53  60151  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:04:07.102639914 CEST  56969  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:04:07.136981010 CEST  53  56969  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:04:12.536665916 CEST  55161  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:04:12.569021940 CEST  53  55161  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:04:14.522439957 CEST  54757  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:04:14.662118912 CEST  53  54757  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:04:24.272156000 CEST  49992  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:04:24.308578014 CEST  53  49992  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:04:28.987812042 CEST  60075  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:04:29.022208929 CEST  53  60075  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:04:33.090459108 CEST  55016  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:04:33.123682976 CEST  53  55016  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:04:33.680172920 CEST  64345  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:04:33.817778111 CEST  53  64345  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:04:41.151750088 CEST  57128  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:04:41.187736034 CEST  53  57128  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:04:43.459480047 CEST  54791  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:04:43.494144917 CEST  53  54791  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:04:46.871819019 CEST  50463  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:04:46.904643059 CEST  53  50463  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:04:49.871419907 CEST  50394  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:04:49.911501884 CEST  53  50394  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:04:51.942584991 CEST  58530  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:04:51.970065117 CEST  53  58530  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:04:54.968739986 CEST  53813  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:04:55.004445076 CEST  53  53813  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:04:59.064100981 CEST  63732  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:04:59.097481012 CEST  53  63732  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:05:07.196168900 CEST  57344  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:05:07.231401920 CEST  53  57344  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:05:12.152043104 CEST  54450  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:05:12.177535057 CEST  53  54450  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:05:18.252171040 CEST  59261  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:05:18.390911102 CEST  53  59261  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:05:26.979337931 CEST  57151  53  192.168.2.5  8.8.8.8
        Aug 2, 2021 10:05:27.007220984 CEST  53  57151  8.8.8.8  192.168.2.5
        Aug 2, 2021 10:05:29.723864079 CEST5941353192.168.2.58.8.8.8
        Aug 2, 2021 10:05:29.759546995 CEST53594138.8.8.8192.168.2.5
        Aug 2, 2021 10:05:31.614351988 CEST6051653192.168.2.58.8.8.8
        Aug 2, 2021 10:05:31.664489031 CEST53605168.8.8.8192.168.2.5
        Aug 2, 2021 10:05:32.083272934 CEST5164953192.168.2.58.8.8.8
        Aug 2, 2021 10:05:32.221256018 CEST53516498.8.8.8192.168.2.5
        Aug 2, 2021 10:05:36.863857985 CEST6508653192.168.2.58.8.8.8
        Aug 2, 2021 10:05:36.898267031 CEST53650868.8.8.8192.168.2.5
        Aug 2, 2021 10:05:41.977792025 CEST5643253192.168.2.58.8.8.8
        Aug 2, 2021 10:05:42.014321089 CEST53564328.8.8.8192.168.2.5
        Aug 2, 2021 10:05:47.985821962 CEST5292953192.168.2.58.8.8.8
        Aug 2, 2021 10:05:48.019078016 CEST53529298.8.8.8192.168.2.5
        Aug 2, 2021 10:05:53.946765900 CEST6431753192.168.2.58.8.8.8
        Aug 2, 2021 10:05:53.982575893 CEST53643178.8.8.8192.168.2.5

        DNS Queries

        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
        Aug 2, 2021 10:04:14.522439957 CEST | 192.168.2.5 | 8.8.8.8 | 0x5027 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:04:24.272156000 CEST | 192.168.2.5 | 8.8.8.8 | 0xe40b | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:04:28.987812042 CEST | 192.168.2.5 | 8.8.8.8 | 0x745d | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:04:33.680172920 CEST | 192.168.2.5 | 8.8.8.8 | 0xa0b2 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:04:41.151750088 CEST | 192.168.2.5 | 8.8.8.8 | 0x167f | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:04:46.871819019 CEST | 192.168.2.5 | 8.8.8.8 | 0x74c0 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:04:51.942584991 CEST | 192.168.2.5 | 8.8.8.8 | 0x92dd | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:04:59.064100981 CEST | 192.168.2.5 | 8.8.8.8 | 0x6414 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:05:07.196168900 CEST | 192.168.2.5 | 8.8.8.8 | 0x8f43 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:05:12.152043104 CEST | 192.168.2.5 | 8.8.8.8 | 0x1cca | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:05:18.252171040 CEST | 192.168.2.5 | 8.8.8.8 | 0x7699 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:05:26.979337931 CEST | 192.168.2.5 | 8.8.8.8 | 0x9fa5 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:05:32.083272934 CEST | 192.168.2.5 | 8.8.8.8 | 0xf87d | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:05:36.863857985 CEST | 192.168.2.5 | 8.8.8.8 | 0xa636 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:05:41.977792025 CEST | 192.168.2.5 | 8.8.8.8 | 0xc297 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:05:47.985821962 CEST | 192.168.2.5 | 8.8.8.8 | 0x9f9f | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:05:53.946765900 CEST | 192.168.2.5 | 8.8.8.8 | 0x78f2 | Standard query (0) | hhjhtggfr.duckdns.org | A (IP address) | IN (0x0001)

        DNS Answers

        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
        Aug 2, 2021 10:04:14.662118912 CEST | 8.8.8.8 | 192.168.2.5 | 0x5027 | No error (0) | hhjhtggfr.duckdns.org | - | 203.159.80.186 | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:04:24.308578014 CEST | 8.8.8.8 | 192.168.2.5 | 0xe40b | No error (0) | hhjhtggfr.duckdns.org | - | 203.159.80.186 | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:04:29.022208929 CEST | 8.8.8.8 | 192.168.2.5 | 0x745d | No error (0) | hhjhtggfr.duckdns.org | - | 203.159.80.186 | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:04:33.817778111 CEST | 8.8.8.8 | 192.168.2.5 | 0xa0b2 | No error (0) | hhjhtggfr.duckdns.org | - | 203.159.80.186 | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:04:41.187736034 CEST | 8.8.8.8 | 192.168.2.5 | 0x167f | No error (0) | hhjhtggfr.duckdns.org | - | 203.159.80.186 | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:04:46.904643059 CEST | 8.8.8.8 | 192.168.2.5 | 0x74c0 | No error (0) | hhjhtggfr.duckdns.org | - | 203.159.80.186 | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:04:51.970065117 CEST | 8.8.8.8 | 192.168.2.5 | 0x92dd | No error (0) | hhjhtggfr.duckdns.org | - | 203.159.80.186 | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:04:59.097481012 CEST | 8.8.8.8 | 192.168.2.5 | 0x6414 | No error (0) | hhjhtggfr.duckdns.org | - | 203.159.80.186 | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:05:07.231401920 CEST | 8.8.8.8 | 192.168.2.5 | 0x8f43 | No error (0) | hhjhtggfr.duckdns.org | - | 203.159.80.186 | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:05:12.177535057 CEST | 8.8.8.8 | 192.168.2.5 | 0x1cca | No error (0) | hhjhtggfr.duckdns.org | - | 203.159.80.186 | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:05:18.390911102 CEST | 8.8.8.8 | 192.168.2.5 | 0x7699 | No error (0) | hhjhtggfr.duckdns.org | - | 203.159.80.186 | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:05:27.007220984 CEST | 8.8.8.8 | 192.168.2.5 | 0x9fa5 | No error (0) | hhjhtggfr.duckdns.org | - | 203.159.80.186 | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:05:32.221256018 CEST | 8.8.8.8 | 192.168.2.5 | 0xf87d | No error (0) | hhjhtggfr.duckdns.org | - | 203.159.80.186 | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:05:36.898267031 CEST | 8.8.8.8 | 192.168.2.5 | 0xa636 | No error (0) | hhjhtggfr.duckdns.org | - | 203.159.80.186 | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:05:42.014321089 CEST | 8.8.8.8 | 192.168.2.5 | 0xc297 | No error (0) | hhjhtggfr.duckdns.org | - | 203.159.80.186 | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:05:48.019078016 CEST | 8.8.8.8 | 192.168.2.5 | 0x9f9f | No error (0) | hhjhtggfr.duckdns.org | - | 203.159.80.186 | A (IP address) | IN (0x0001)
        Aug 2, 2021 10:05:53.982575893 CEST | 8.8.8.8 | 192.168.2.5 | 0x78f2 | No error (0) | hhjhtggfr.duckdns.org | - | 203.159.80.186 | A (IP address) | IN (0x0001)

        Code Manipulations

        Statistics

        CPU Usage

        Memory Usage

        High Level Behavior Distribution

        Behavior

        System Behavior

        General

        Start time:10:03:45
        Start date:02/08/2021
        Path:C:\Users\user\Desktop\wm4J5m8pIK.exe
        Wow64 process (32bit):true
        Commandline:'C:\Users\user\Desktop\wm4J5m8pIK.exe'
        Imagebase:0x660000
        File size:1378816 bytes
        MD5 hash:8FA8F52DFC55D341300EFF8E4C44BA33
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Reputation:low

        General

        Start time:10:04:10
        Start date:02/08/2021
        Path:C:\Users\user\Desktop\wm4J5m8pIK.exe
        Wow64 process (32bit):true
        Commandline:C:\Users\user\Desktop\wm4J5m8pIK.exe
        Imagebase:0x460000
        File size:1378816 bytes
        MD5 hash:8FA8F52DFC55D341300EFF8E4C44BA33
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Reputation:low

        General

        Start time:10:04:24
        Start date:02/08/2021
        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Wow64 process (32bit):true
        Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Imagebase:0xa0000
        File size:1378816 bytes
        MD5 hash:8FA8F52DFC55D341300EFF8E4C44BA33
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Antivirus matches:
        • Detection: 100%, Joe Sandbox ML
        • Detection: 18%, Virustotal, Browse
        Reputation:low

        General

        Start time:10:04:54
        Start date:02/08/2021
        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Wow64 process (32bit):false
        Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Imagebase:0x3a0000
        File size:1378816 bytes
        MD5 hash:8FA8F52DFC55D341300EFF8E4C44BA33
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low

        General

        Start time:10:04:55
        Start date:02/08/2021
        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Wow64 process (32bit):true
        Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Imagebase:0x820000
        File size:1378816 bytes
        MD5 hash:8FA8F52DFC55D341300EFF8E4C44BA33
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Yara matches:
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.400395562.0000000004029000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.400395562.0000000004029000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000014.00000002.398013426.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.398013426.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.398013426.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.400062984.0000000003021000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.400062984.0000000003021000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        Reputation:low

        Disassembly

        Code Analysis

          Executed Functions

          APIs
          • GetCurrentProcess.KERNEL32 ref: 02E0B730
          • GetCurrentThread.KERNEL32 ref: 02E0B76D
          • GetCurrentProcess.KERNEL32 ref: 02E0B7AA
          • GetCurrentThreadId.KERNEL32 ref: 02E0B803
          Memory Dump Source
          • Source File: 00000014.00000002.399408081.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
          Similarity
          • API ID: Current$ProcessThread
          • String ID:
          • API String ID: 2063062207-0

          APIs
          • GetCurrentProcess.KERNEL32 ref: 02E0B730
          • GetCurrentThread.KERNEL32 ref: 02E0B76D
          • GetCurrentProcess.KERNEL32 ref: 02E0B7AA
          • GetCurrentThreadId.KERNEL32 ref: 02E0B803
          Memory Dump Source
          • Source File: 00000014.00000002.399408081.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
          Similarity
          • API ID: Current$ProcessThread
          • String ID:
          • API String ID: 2063062207-0

          Memory Dump Source
          • Source File: 00000014.00000002.399408081.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
          Similarity
          • API ID:
          • String ID:
          • API String ID:

          APIs
          • GetModuleHandleW.KERNELBASE(00000000), ref: 02E0962E
          Memory Dump Source
          • Source File: 00000014.00000002.399408081.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
          Similarity
          • API ID: HandleModule
          • String ID:
          • API String ID: 4139908857-0

          APIs
          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E0FD0A
          Memory Dump Source
          • Source File: 00000014.00000002.399408081.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
          Similarity
          • API ID: CreateWindow
          • String ID:
          • API String ID: 716092398-0

          APIs
          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E0BD87
          Memory Dump Source
          • Source File: 00000014.00000002.399408081.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
          Similarity
          • API ID: DuplicateHandle
          • String ID:
          • API String ID: 3793708945-0

          APIs
          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E0BD87
          Memory Dump Source
          • Source File: 00000014.00000002.399408081.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
          Similarity
          • API ID: DuplicateHandle
          • String ID:
          • API String ID: 3793708945-0

          APIs
          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E096A9,00000800,00000000,00000000), ref: 02E098BA
          Memory Dump Source
          • Source File: 00000014.00000002.399408081.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
          Similarity
          • API ID: LibraryLoad
          • String ID:
          • API String ID: 1029625771-0

          APIs
          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E096A9,00000800,00000000,00000000), ref: 02E098BA
          Memory Dump Source
          • Source File: 00000014.00000002.399408081.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
          Similarity
          • API ID: LibraryLoad
          • String ID:
          • API String ID: 1029625771-0

          APIs
          • GetModuleHandleW.KERNELBASE(00000000), ref: 02E0962E
          Memory Dump Source
          • Source File: 00000014.00000002.399408081.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
          Similarity
          • API ID: HandleModule
          • String ID:
          • API String ID: 4139908857-0

          APIs
          • SetWindowLongW.USER32(?,?,?), ref: 02E0FE9D
          Memory Dump Source
          • Source File: 00000014.00000002.399408081.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
          Similarity
          • API ID: LongWindow
          • String ID:
          • API String ID: 1378638983-0

          APIs
          • SetWindowLongW.USER32(?,?,?), ref: 02E0FE9D
          Memory Dump Source
          • Source File: 00000014.00000002.399408081.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
          Similarity
          • API ID: LongWindow
          • String ID:
          • API String ID: 1378638983-0

          Non-executed Functions

          Memory Dump Source
          • Source File: 00000014.00000002.399408081.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
          Similarity
          • API ID:
          • String ID:
          • API String ID:

          Memory Dump Source
          • Source File: 00000014.00000002.399408081.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
          Similarity
          • API ID:
          • String ID:
          • API String ID:

          Memory Dump Source
          • Source File: 00000014.00000002.399408081.0000000002E00000.00000040.00000001.sdmp, Offset: 02E00000, based on PE: false
          Similarity
          • API ID:
          • String ID:
          • API String ID: