Play interactive tour

Edit tour

Windows Analysis Report iGZtra5EaP.exe

Overview

General Information

Sample Name:	iGZtra5EaP.exe
Analysis ID:	458908
MD5:	5abfc84b2a671617a4930a61e218b6c6
SHA1:	fb2e5175272b90aa204853dd2ba2dc175ff5958f
SHA256:	776e6e841b2a1b1dacd2beb12f76949dc9a395a45bd7107475d90b60f09e5f39
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

iGZtra5EaP.exe (PID: 5832 cmdline: 'C:\Users\user\Desktop\iGZtra5EaP.exe' MD5: 5ABFC84B2A671617A4930A61E218B6C6)

schtasks.exe (PID: 6008 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp3997.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

iGZtra5EaP.exe (PID: 4720 cmdline: {path} MD5: 5ABFC84B2A671617A4930A61E218B6C6)

schtasks.exe (PID: 4664 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp489A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5556 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4CC2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

iGZtra5EaP.exe (PID: 1288 cmdline: C:\Users\user\Desktop\iGZtra5EaP.exe 0 MD5: 5ABFC84B2A671617A4930A61E218B6C6)

schtasks.exe (PID: 5044 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpF219.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

iGZtra5EaP.exe (PID: 5016 cmdline: {path} MD5: 5ABFC84B2A671617A4930A61E218B6C6)

dhcpmon.exe (PID: 496 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 5ABFC84B2A671617A4930A61E218B6C6)

schtasks.exe (PID: 5004 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpF5E2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 3008 cmdline: {path} MD5: 5ABFC84B2A671617A4930A61E218B6C6)

dhcpmon.exe (PID: 5756 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 5ABFC84B2A671617A4930A61E218B6C6)

schtasks.exe (PID: 1036 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp63D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 5200 cmdline: {path} MD5: 5ABFC84B2A671617A4930A61E218B6C6)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "f0d143be-967c-4293-98d3-3a1e128b", "Group": "BotNet", "Domain1": "microsoftsecurity.sytes.net", "Domain2": "backupnew.duckdns.org", "Port": 1177, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6934b:$a: NanoCore 0x693a4:$a: NanoCore 0x693e1:$a: NanoCore 0x6945a:$a: NanoCore 0x693ad:$b: ClientPlugin 0x693ea:$b: ClientPlugin 0x69ce8:$b: ClientPlugin 0x69cf5:$b: ClientPlugin 0x5f4d6:$e: KeepAlive 0x69835:$g: LogClientMessage 0x697b5:$i: get_Connected 0x59781:$j: #=q 0x597b1:$j: #=q 0x597ed:$j: #=q 0x59815:$j: #=q 0x59845:$j: #=q 0x59875:$j: #=q 0x598a5:$j: #=q 0x598d5:$j: #=q 0x598f1:$j: #=q 0x59921:$j: #=q
0000000C.00000002.482078580.0000000006E40000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
0000000C.00000002.482078580.0000000006E40000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000002.476961664.000000000454E000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.476961664.000000000454E000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1c29:$a: NanoCore 0x1c82:$a: NanoCore 0x1cbf:$a: NanoCore 0x1d38:$a: NanoCore 0x153e3:$a: NanoCore 0x153f8:$a: NanoCore 0x1542d:$a: NanoCore 0x23042:$a: NanoCore 0x23067:$a: NanoCore 0x230c0:$a: NanoCore 0x3325d:$a: NanoCore 0x33283:$a: NanoCore 0x332df:$a: NanoCore 0x40134:$a: NanoCore 0x4018d:$a: NanoCore 0x401c0:$a: NanoCore 0x403ec:$a: NanoCore 0x40468:$a: NanoCore 0x40a81:$a: NanoCore 0x40bca:$a: NanoCore 0x4109e:$a: NanoCore
0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb4c7f:$a: NanoCore 0xb4ca4:$a: NanoCore 0xb4cfd:$a: NanoCore 0xc4e9c:$a: NanoCore 0xc4ec2:$a: NanoCore 0xc4f1e:$a: NanoCore 0xd1d75:$a: NanoCore 0xd1dce:$a: NanoCore 0xd1e01:$a: NanoCore 0xd202d:$a: NanoCore 0xd20a9:$a: NanoCore 0xd26c2:$a: NanoCore 0xd280b:$a: NanoCore 0xd2cdf:$a: NanoCore 0xd2fc6:$a: NanoCore 0xd2fdd:$a: NanoCore 0xdbe81:$a: NanoCore 0xdbefd:$a: NanoCore 0xde7e0:$a: NanoCore 0xe1b92:$a: NanoCore 0xe2f4e:$a: NanoCore
00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000C.00000002.482179100.0000000006E90000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
0000000C.00000002.482179100.0000000006E90000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
0000000C.00000002.471078718.0000000001AD0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
0000000C.00000002.471078718.0000000001AD0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
00000011.00000002.398277931.0000000002B51000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10abd:$x1: NanoCore.ClientPluginHost 0x434dd:$x1: NanoCore.ClientPluginHost 0x10afa:$x2: IClientNetworkHost 0x4351a:$x2: IClientNetworkHost 0x1462d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4704d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10825:$a: NanoCore 0x10835:$a: NanoCore 0x10a69:$a: NanoCore 0x10a7d:$a: NanoCore 0x10abd:$a: NanoCore 0x43245:$a: NanoCore 0x43255:$a: NanoCore 0x43489:$a: NanoCore 0x4349d:$a: NanoCore 0x434dd:$a: NanoCore 0x10884:$b: ClientPlugin 0x10a86:$b: ClientPlugin 0x10ac6:$b: ClientPlugin 0x432a4:$b: ClientPlugin 0x434a6:$b: ClientPlugin 0x434e6:$b: ClientPlugin 0x109ab:$c: ProjectData 0x433cb:$c: ProjectData 0x113b2:$d: DESCrypto 0x43dd2:$d: DESCrypto 0x18d7e:$e: KeepAlive
0000000C.00000002.475401082.000000000374C000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x79cb2:$a: NanoCore 0x79cd7:$a: NanoCore 0x79d30:$a: NanoCore 0x89f27:$a: NanoCore 0x89f4d:$a: NanoCore 0x89fa9:$a: NanoCore 0x96e53:$a: NanoCore 0x96eac:$a: NanoCore 0x96edf:$a: NanoCore 0x9710b:$a: NanoCore 0x97187:$a: NanoCore 0x977a0:$a: NanoCore 0x978e9:$a: NanoCore 0x97dbd:$a: NanoCore 0x980a4:$a: NanoCore 0x980bb:$a: NanoCore 0xa0faf:$a: NanoCore 0xa102b:$a: NanoCore 0xa390e:$a: NanoCore 0xa80d0:$a: NanoCore 0xa811a:$a: NanoCore
0000000C.00000002.481910813.0000000006DB0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
0000000C.00000002.481910813.0000000006DB0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
0000000C.00000002.481995550.0000000006E00000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
0000000C.00000002.481995550.0000000006E00000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69463:$a: NanoCore 0x694bc:$a: NanoCore 0x694f9:$a: NanoCore 0x69572:$a: NanoCore 0x694c5:$b: ClientPlugin 0x69502:$b: ClientPlugin 0x69e00:$b: ClientPlugin 0x69e0d:$b: ClientPlugin 0x5f5ee:$e: KeepAlive 0x6994d:$g: LogClientMessage 0x698cd:$i: get_Connected 0x59899:$j: #=q 0x598c9:$j: #=q 0x59905:$j: #=q 0x5992d:$j: #=q 0x5995d:$j: #=q 0x5998d:$j: #=q 0x599bd:$j: #=q 0x599ed:$j: #=q 0x59a09:$j: #=q 0x59a39:$j: #=q
0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435bd:$a: NanoCore 0x43616:$a: NanoCore 0x43653:$a: NanoCore 0x436cc:$a: NanoCore 0x56d77:$a: NanoCore 0x56d8c:$a: NanoCore 0x56dc1:$a: NanoCore 0x6fd73:$a: NanoCore 0x6fd88:$a: NanoCore 0x6fdbd:$a: NanoCore 0x4361f:$b: ClientPlugin 0x4365c:$b: ClientPlugin 0x43f5a:$b: ClientPlugin 0x43f67:$b: ClientPlugin 0x56b33:$b: ClientPlugin 0x56b4e:$b: ClientPlugin 0x56b7e:$b: ClientPlugin 0x56d95:$b: ClientPlugin 0x56dca:$b: ClientPlugin 0x6fb2f:$b: ClientPlugin 0x6fb4a:$b: ClientPlugin
0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.482020693.0000000006E10000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
0000000C.00000002.482020693.0000000006E10000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
0000000C.00000002.481961618.0000000006DE0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
0000000C.00000002.481961618.0000000006DE0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
0000000C.00000002.481945946.0000000006DD0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
0000000C.00000002.481945946.0000000006DD0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10abd:$x1: NanoCore.ClientPluginHost 0x434dd:$x1: NanoCore.ClientPluginHost 0x10afa:$x2: IClientNetworkHost 0x4351a:$x2: IClientNetworkHost 0x1462d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4704d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10825:$a: NanoCore 0x10835:$a: NanoCore 0x10a69:$a: NanoCore 0x10a7d:$a: NanoCore 0x10abd:$a: NanoCore 0x43245:$a: NanoCore 0x43255:$a: NanoCore 0x43489:$a: NanoCore 0x4349d:$a: NanoCore 0x434dd:$a: NanoCore 0x10884:$b: ClientPlugin 0x10a86:$b: ClientPlugin 0x10ac6:$b: ClientPlugin 0x432a4:$b: ClientPlugin 0x434a6:$b: ClientPlugin 0x434e6:$b: ClientPlugin 0x109ab:$c: ProjectData 0x433cb:$c: ProjectData 0x113b2:$d: DESCrypto 0x43dd2:$d: DESCrypto 0x18d7e:$e: KeepAlive
0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000002.482036750.0000000006E20000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
0000000C.00000002.482036750.0000000006E20000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
0000000C.00000002.473787584.00000000034F7000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4a012:$a: NanoCore 0x4a037:$a: NanoCore 0x4a090:$a: NanoCore 0x5a277:$a: NanoCore 0x5a29d:$a: NanoCore 0x5a2f9:$a: NanoCore 0x67193:$a: NanoCore 0x671ec:$a: NanoCore 0x6721f:$a: NanoCore 0x6744b:$a: NanoCore 0x674c7:$a: NanoCore 0x67ae0:$a: NanoCore 0x67c29:$a: NanoCore 0x680fd:$a: NanoCore 0x683e4:$a: NanoCore 0x683fb:$a: NanoCore 0x712df:$a: NanoCore 0x7135b:$a: NanoCore 0x73c3e:$a: NanoCore 0x783f0:$a: NanoCore 0x7843a:$a: NanoCore
0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000002.480093816.0000000005EC0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000000C.00000002.480093816.0000000005EC0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0000000C.00000002.482102080.0000000006E50000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
0000000C.00000002.482102080.0000000006E50000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
0000000C.00000002.477941629.00000000048DF000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.477941629.00000000048DF000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xde9:$a: NanoCore 0xe42:$a: NanoCore 0xe7f:$a: NanoCore 0xef8:$a: NanoCore 0x145a3:$a: NanoCore 0x145b8:$a: NanoCore 0x145ed:$a: NanoCore 0x22202:$a: NanoCore 0x22227:$a: NanoCore 0x22280:$a: NanoCore 0x3241d:$a: NanoCore 0x32443:$a: NanoCore 0x3249f:$a: NanoCore 0x3f2f4:$a: NanoCore 0x3f34d:$a: NanoCore 0x3f380:$a: NanoCore 0x3f5ac:$a: NanoCore 0x3f628:$a: NanoCore 0x3fc41:$a: NanoCore 0x3fd8a:$a: NanoCore 0x4025e:$a: NanoCore
00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10abd:$x1: NanoCore.ClientPluginHost 0x103cfd:$x1: NanoCore.ClientPluginHost 0x10afa:$x2: IClientNetworkHost 0x103d3a:$x2: IClientNetworkHost 0x1462d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x10786d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10825:$a: NanoCore 0x10835:$a: NanoCore 0x10a69:$a: NanoCore 0x10a7d:$a: NanoCore 0x10abd:$a: NanoCore 0x103a65:$a: NanoCore 0x103a75:$a: NanoCore 0x103ca9:$a: NanoCore 0x103cbd:$a: NanoCore 0x103cfd:$a: NanoCore 0x10884:$b: ClientPlugin 0x10a86:$b: ClientPlugin 0x10ac6:$b: ClientPlugin 0x103ac4:$b: ClientPlugin 0x103cc6:$b: ClientPlugin 0x103d06:$b: ClientPlugin 0x109ab:$c: ProjectData 0x103beb:$c: ProjectData 0x2d5c1b:$c: ProjectData 0x113b2:$d: DESCrypto 0x1045f2:$d: DESCrypto
0000000C.00000002.480306697.0000000006760000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
0000000C.00000002.480306697.0000000006760000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
0000000C.00000002.476599395.00000000044C9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.476599395.00000000044C9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x35bd:$a: NanoCore 0x3616:$a: NanoCore 0x3653:$a: NanoCore 0x36cc:$a: NanoCore 0x16d77:$a: NanoCore 0x16d8c:$a: NanoCore 0x16dc1:$a: NanoCore 0x2fd73:$a: NanoCore 0x2fd88:$a: NanoCore 0x2fdbd:$a: NanoCore 0x361f:$b: ClientPlugin 0x365c:$b: ClientPlugin 0x3f5a:$b: ClientPlugin 0x3f67:$b: ClientPlugin 0x16b33:$b: ClientPlugin 0x16b4e:$b: ClientPlugin 0x16b7e:$b: ClientPlugin 0x16d95:$b: ClientPlugin 0x16dca:$b: ClientPlugin 0x2fb2f:$b: ClientPlugin 0x2fb4a:$b: ClientPlugin
00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10abd:$x1: NanoCore.ClientPluginHost 0x434dd:$x1: NanoCore.ClientPluginHost 0x10afa:$x2: IClientNetworkHost 0x4351a:$x2: IClientNetworkHost 0x1462d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4704d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10825:$a: NanoCore 0x10835:$a: NanoCore 0x10a69:$a: NanoCore 0x10a7d:$a: NanoCore 0x10abd:$a: NanoCore 0x43245:$a: NanoCore 0x43255:$a: NanoCore 0x43489:$a: NanoCore 0x4349d:$a: NanoCore 0x434dd:$a: NanoCore 0x10884:$b: ClientPlugin 0x10a86:$b: ClientPlugin 0x10ac6:$b: ClientPlugin 0x432a4:$b: ClientPlugin 0x434a6:$b: ClientPlugin 0x434e6:$b: ClientPlugin 0x109ab:$c: ProjectData 0x433cb:$c: ProjectData 0x113b2:$d: DESCrypto 0x43dd2:$d: DESCrypto 0x18d7e:$e: KeepAlive
00000000.00000002.293558443.0000000002CC1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435bd:$a: NanoCore 0x43616:$a: NanoCore 0x43653:$a: NanoCore 0x436cc:$a: NanoCore 0x56d77:$a: NanoCore 0x56d8c:$a: NanoCore 0x56dc1:$a: NanoCore 0x6fd73:$a: NanoCore 0x6fd88:$a: NanoCore 0x6fdbd:$a: NanoCore 0x4361f:$b: ClientPlugin 0x4365c:$b: ClientPlugin 0x43f5a:$b: ClientPlugin 0x43f67:$b: ClientPlugin 0x56b33:$b: ClientPlugin 0x56b4e:$b: ClientPlugin 0x56b7e:$b: ClientPlugin 0x56d95:$b: ClientPlugin 0x56dca:$b: ClientPlugin 0x6fb2f:$b: ClientPlugin 0x6fb4a:$b: ClientPlugin
0000001E.00000002.423536148.0000000004019000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001E.00000002.423536148.0000000004019000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435bd:$a: NanoCore 0x43616:$a: NanoCore 0x43653:$a: NanoCore 0x436cc:$a: NanoCore 0x56d77:$a: NanoCore 0x56d8c:$a: NanoCore 0x56dc1:$a: NanoCore 0x6fd73:$a: NanoCore 0x6fd88:$a: NanoCore 0x6fdbd:$a: NanoCore 0x4361f:$b: ClientPlugin 0x4365c:$b: ClientPlugin 0x43f5a:$b: ClientPlugin 0x43f67:$b: ClientPlugin 0x56b33:$b: ClientPlugin 0x56b4e:$b: ClientPlugin 0x56b7e:$b: ClientPlugin 0x56d95:$b: ClientPlugin 0x56dca:$b: ClientPlugin 0x6fb2f:$b: ClientPlugin 0x6fb4a:$b: ClientPlugin
0000000C.00000002.476392070.0000000004481000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.476392070.0000000004481000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x9721:$a: NanoCore 0x977a:$a: NanoCore 0x97b7:$a: NanoCore 0x9830:$a: NanoCore 0x1cedb:$a: NanoCore 0x1cef0:$a: NanoCore 0x1cf25:$a: NanoCore 0x2ab3a:$a: NanoCore 0x2ab5f:$a: NanoCore 0x2abb8:$a: NanoCore 0x9783:$b: ClientPlugin 0x97c0:$b: ClientPlugin 0xa0be:$b: ClientPlugin 0xa0cb:$b: ClientPlugin 0x1cc97:$b: ClientPlugin 0x1ccb2:$b: ClientPlugin 0x1cce2:$b: ClientPlugin 0x1cef9:$b: ClientPlugin 0x1cf2e:$b: ClientPlugin 0x2a931:$b: ClientPlugin 0x2a942:$b: ClientPlugin
00000012.00000002.400511596.0000000003091000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000C.00000002.481978911.0000000006DF0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
0000000C.00000002.481978911.0000000006DF0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000021.00000002.431679291.0000000002FA1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000021.00000002.431679291.0000000002FA1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69463:$a: NanoCore 0x694bc:$a: NanoCore 0x694f9:$a: NanoCore 0x69572:$a: NanoCore 0x694c5:$b: ClientPlugin 0x69502:$b: ClientPlugin 0x69e00:$b: ClientPlugin 0x69e0d:$b: ClientPlugin 0x5f5ee:$e: KeepAlive 0x6994d:$g: LogClientMessage 0x698cd:$i: get_Connected 0x59899:$j: #=q 0x598c9:$j: #=q 0x59905:$j: #=q 0x5992d:$j: #=q 0x5995d:$j: #=q 0x5998d:$j: #=q 0x599bd:$j: #=q 0x599ed:$j: #=q 0x59a09:$j: #=q 0x59a39:$j: #=q
0000000C.00000002.472713339.0000000003481000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: iGZtra5EaP.exe PID: 5832	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb29d8:$x1: NanoCore.ClientPluginHost 0xb2a15:$x2: IClientNetworkHost 0xb5fe8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc0e74:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xd87f4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: iGZtra5EaP.exe PID: 5832	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: iGZtra5EaP.exe PID: 5832	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: iGZtra5EaP.exe PID: 5832	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb271f:$a: NanoCore 0xb272f:$a: NanoCore 0xb27a4:$a: NanoCore 0xb27b3:$a: NanoCore 0xb2984:$a: NanoCore 0xb2998:$a: NanoCore 0xb29d8:$a: NanoCore 0xbd4de:$a: NanoCore 0xbd4f0:$a: NanoCore 0xbd52c:$a: NanoCore 0xd4e5e:$a: NanoCore 0xd4e70:$a: NanoCore 0xd4eac:$a: NanoCore 0xb2743:$b: ClientPlugin 0xb27fd:$b: ClientPlugin 0xb29a1:$b: ClientPlugin 0xb29e1:$b: ClientPlugin 0xbd4f9:$b: ClientPlugin 0xbd535:$b: ClientPlugin 0xd4e79:$b: ClientPlugin 0xd4eb5:$b: ClientPlugin
Process Memory Space: iGZtra5EaP.exe PID: 4720	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x7599:$x1: NanoCore.ClientPluginHost 0x75c3:$x2: IClientNetworkHost 0x1e061d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1ea966:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: iGZtra5EaP.exe PID: 4720	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: iGZtra5EaP.exe PID: 4720	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x7574:$a: NanoCore 0x7599:$a: NanoCore 0x75f2:$a: NanoCore 0xabb7:$a: NanoCore 0xabda:$a: NanoCore 0xac2f:$a: NanoCore 0x15b83:$a: NanoCore 0x15ba7:$a: NanoCore 0x15bff:$a: NanoCore 0x1d075:$a: NanoCore 0x1d0ce:$a: NanoCore 0x1d0f4:$a: NanoCore 0x1d436:$a: NanoCore 0x1d457:$a: NanoCore 0x1d49a:$a: NanoCore 0x1d4ed:$a: NanoCore 0x1d51c:$a: NanoCore 0x1d722:$a: NanoCore 0x1d796:$a: NanoCore 0x1dd4d:$a: NanoCore 0x1de89:$a: NanoCore
Process Memory Space: iGZtra5EaP.exe PID: 1288	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 496	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 5756	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: iGZtra5EaP.exe PID: 5016	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x15d14:$x1: NanoCore.ClientPluginHost 0x15d2e:$x2: IClientNetworkHost 0x31341:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3bdcb:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: iGZtra5EaP.exe PID: 5016	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: iGZtra5EaP.exe PID: 5016	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x74e:$a: NanoCore 0x7a9:$a: NanoCore 0x81d:$a: NanoCore 0x15c7e:$a: NanoCore 0x15cd7:$a: NanoCore 0x15d14:$a: NanoCore 0x15d8d:$a: NanoCore 0x1651b:$a: NanoCore 0x1656e:$a: NanoCore 0x165a7:$a: NanoCore 0x1661a:$a: NanoCore 0x1711f:$a: NanoCore 0x2dcb8:$a: NanoCore 0x2dd13:$a: NanoCore 0x2dd22:$a: NanoCore 0x38435:$a: NanoCore 0x38447:$a: NanoCore 0x38483:$a: NanoCore 0x4abf9:$a: NanoCore 0x4ac0c:$a: NanoCore 0x4ac3e:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 3008	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2b842:$x1: NanoCore.ClientPluginHost 0x2b85c:$x2: IClientNetworkHost 0x35232:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3fcbc:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 3008	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 3008	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x11cf4:$a: NanoCore 0x11d08:$a: NanoCore 0x12ae2:$a: NanoCore 0x16649:$a: NanoCore 0x166a4:$a: NanoCore 0x16718:$a: NanoCore 0x2b7ac:$a: NanoCore 0x2b805:$a: NanoCore 0x2b842:$a: NanoCore 0x2b8bb:$a: NanoCore 0x2bda8:$a: NanoCore 0x2bdfb:$a: NanoCore 0x2be34:$a: NanoCore 0x2bea7:$a: NanoCore 0x2c9ac:$a: NanoCore 0x31c04:$a: NanoCore 0x31c13:$a: NanoCore 0x3c326:$a: NanoCore 0x3c338:$a: NanoCore 0x3c374:$a: NanoCore 0x4df5d:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 5200	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3fb2:$x1: NanoCore.ClientPluginHost 0x3fef:$x2: IClientNetworkHost 0x7ae0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12b66:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 5200	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 5200	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3c86:$a: NanoCore 0x3c96:$a: NanoCore 0x3d4e:$a: NanoCore 0x3d5d:$a: NanoCore 0x3f5e:$a: NanoCore 0x3f72:$a: NanoCore 0x3fb2:$a: NanoCore 0xf1d0:$a: NanoCore 0xf1e2:$a: NanoCore 0xf21e:$a: NanoCore 0x2e682:$a: NanoCore 0x2e8eb:$a: NanoCore 0x2e93e:$a: NanoCore 0x2e977:$a: NanoCore 0x2e9ea:$a: NanoCore 0x355a6:$a: NanoCore 0x355b9:$a: NanoCore 0x355eb:$a: NanoCore 0x3b241:$a: NanoCore 0x3b254:$a: NanoCore 0x3b286:$a: NanoCore
Click to see the 96 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.iGZtra5EaP.exe.6de0000.35.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
12.2.iGZtra5EaP.exe.6de0000.35.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6e10000.38.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e10000.38.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
33.2.dhcpmon.exe.3009684.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
33.2.dhcpmon.exe.3009684.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6760000.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6760000.28.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
30.2.dhcpmon.exe.4060614.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
30.2.dhcpmon.exe.4060614.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
30.2.dhcpmon.exe.4060614.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.2.iGZtra5EaP.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
27.2.iGZtra5EaP.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
27.2.iGZtra5EaP.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.2.iGZtra5EaP.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
27.2.iGZtra5EaP.exe.3a64c3d.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24180:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241ad:$x2: IClientNetworkHost
27.2.iGZtra5EaP.exe.3a64c3d.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24180:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2525b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2419a:$s5: IClientLoggingHost
27.2.iGZtra5EaP.exe.3a64c3d.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.6e40000.40.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e40000.40.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
17.2.iGZtra5EaP.exe.3b59930.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
17.2.iGZtra5EaP.exe.3b59930.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
17.2.iGZtra5EaP.exe.3b59930.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.iGZtra5EaP.exe.3b59930.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
20.2.dhcpmon.exe.4149930.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.dhcpmon.exe.4149930.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.dhcpmon.exe.4149930.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
12.2.iGZtra5EaP.exe.44d4c3d.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24180:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241ad:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.44d4c3d.15.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24180:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2525b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2419a:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.44d4c3d.15.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.69d4629.30.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.69d4629.30.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.69d4629.30.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.6e54c9f.43.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e54c9f.43.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
33.2.dhcpmon.exe.3ff0614.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287a9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287d6:$x2: IClientNetworkHost
33.2.dhcpmon.exe.3ff0614.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287a9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29884:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287c3:$s5: IClientLoggingHost
33.2.dhcpmon.exe.3ff0614.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.6e90000.44.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e90000.44.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6e10000.38.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e10000.38.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
30.2.dhcpmon.exe.405b7de.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5df:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d60c:$x2: IClientNetworkHost
30.2.dhcpmon.exe.405b7de.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5df:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6ba:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5f9:$s5: IClientLoggingHost
30.2.dhcpmon.exe.405b7de.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
30.2.dhcpmon.exe.405b7de.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d595:$a: NanoCore 0x2d5aa:$a: NanoCore 0x2d5df:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d351:$b: ClientPlugin 0x2d36c:$b: ClientPlugin
12.2.iGZtra5EaP.exe.37e1a28.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb587:$x1: NanoCore.ClientPluginHost 0x126a8:$x1: NanoCore.ClientPluginHost 0x18985:$x1: NanoCore.ClientPluginHost 0x22fe7:$x1: NanoCore.ClientPluginHost 0x2d467:$x1: NanoCore.ClientPluginHost 0x3849d:$x1: NanoCore.ClientPluginHost 0x44297:$x1: NanoCore.ClientPluginHost 0x50082:$x1: NanoCore.ClientPluginHost 0x62083:$x1: NanoCore.ClientPluginHost 0x66ea3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb5c0:$x2: IClientNetworkHost 0x189be:$x2: IClientNetworkHost 0x23144:$x2: IClientNetworkHost 0x2d4a0:$x2: IClientNetworkHost 0x384b7:$x2: IClientNetworkHost 0x442b1:$x2: IClientNetworkHost 0x500bf:$x2: IClientNetworkHost 0x6209d:$x2: IClientNetworkHost 0x66ebd:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.37e1a28.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0xb587:$x2: NanoCore.ClientPluginHost 0x126a8:$x2: NanoCore.ClientPluginHost 0x18985:$x2: NanoCore.ClientPluginHost 0x22fe7:$x2: NanoCore.ClientPluginHost 0x2d467:$x2: NanoCore.ClientPluginHost 0x3849d:$x2: NanoCore.ClientPluginHost 0x44297:$x2: NanoCore.ClientPluginHost 0x50082:$x2: NanoCore.ClientPluginHost 0x62083:$x2: NanoCore.ClientPluginHost 0x66ea3:$x2: NanoCore.ClientPluginHost 0x23f3d:$s3: PipeExists 0x6246f:$s3: PipeExists 0x6728f:$s3: PipeExists 0x1800:$s4: PipeCreated 0xb68b:$s4: PipeCreated 0x12786:$s4: PipeCreated 0x18aa0:$s4: PipeCreated 0x231dd:$s4: PipeCreated 0x2d5b2:$s4: PipeCreated 0x394d2:$s4: PipeCreated
12.2.iGZtra5EaP.exe.37e1a28.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb587:$a: NanoCore 0xb603:$a: NanoCore 0xdee6:$a: NanoCore 0x126a8:$a: NanoCore 0x126f2:$a: NanoCore 0x1334c:$a: NanoCore 0x18985:$a: NanoCore 0x189ff:$a: NanoCore 0x22fe7:$a: NanoCore 0x230d1:$a: NanoCore 0x23f48:$a: NanoCore
12.2.iGZtra5EaP.exe.37cd3a8.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.37cd3a8.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6dd0000.34.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6dd0000.34.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.448e778.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x1d3e7:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x1d411:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.448e778.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x1d3e7:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x1f297:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.448e778.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.34b6ba0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.34b6ba0.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6e20000.39.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e20000.39.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
30.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
30.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
30.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
30.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.2.iGZtra5EaP.exe.1ad0000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.1ad0000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
33.2.dhcpmon.exe.3feb7de.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5df:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d60c:$x2: IClientNetworkHost
33.2.dhcpmon.exe.3feb7de.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5df:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6ba:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5f9:$s5: IClientLoggingHost
33.2.dhcpmon.exe.3feb7de.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
33.2.dhcpmon.exe.3feb7de.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d595:$a: NanoCore 0x2d5aa:$a: NanoCore 0x2d5df:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d351:$b: ClientPlugin 0x2d36c:$b: ClientPlugin
12.2.iGZtra5EaP.exe.48fc66c.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.48fc66c.23.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
12.2.iGZtra5EaP.exe.470d0e9.21.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.470d0e9.21.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
12.2.iGZtra5EaP.exe.69d0000.31.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.69d0000.31.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.69d0000.31.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.353c47c.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14e21:$x1: NanoCore.ClientPluginHost 0x21fcf:$x1: NanoCore.ClientPluginHost 0x2be63:$x1: NanoCore.ClientPluginHost 0x32f74:$x1: NanoCore.ClientPluginHost 0x39241:$x1: NanoCore.ClientPluginHost 0x43893:$x1: NanoCore.ClientPluginHost 0x4dd03:$x1: NanoCore.ClientPluginHost 0x58d29:$x1: NanoCore.ClientPluginHost 0x64b13:$x1: NanoCore.ClientPluginHost 0x708d2:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e4e:$x2: IClientNetworkHost 0x22008:$x2: IClientNetworkHost 0x2be9c:$x2: IClientNetworkHost 0x3927a:$x2: IClientNetworkHost 0x439f0:$x2: IClientNetworkHost 0x4dd3c:$x2: IClientNetworkHost 0x58d43:$x2: IClientNetworkHost 0x64b2d:$x2: IClientNetworkHost 0x7090f:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.353c47c.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x14e21:$x2: NanoCore.ClientPluginHost 0x21fcf:$x2: NanoCore.ClientPluginHost 0x2be63:$x2: NanoCore.ClientPluginHost 0x32f74:$x2: NanoCore.ClientPluginHost 0x39241:$x2: NanoCore.ClientPluginHost 0x43893:$x2: NanoCore.ClientPluginHost 0x4dd03:$x2: NanoCore.ClientPluginHost 0x58d29:$x2: NanoCore.ClientPluginHost 0x64b13:$x2: NanoCore.ClientPluginHost 0x708d2:$x2: NanoCore.ClientPluginHost 0x15df0:$s2: FileCommand 0x447e9:$s3: PipeExists 0x6a6b:$s4: PipeCreated 0x1a7f2:$s4: PipeCreated 0x220ec:$s4: PipeCreated 0x2bf67:$s4: PipeCreated 0x33052:$s4: PipeCreated 0x3935c:$s4: PipeCreated 0x43a89:$s4: PipeCreated 0x4de4e:$s4: PipeCreated
12.2.iGZtra5EaP.exe.353c47c.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14dfb:$a: NanoCore 0x14e21:$a: NanoCore 0x14e7d:$a: NanoCore 0x21d17:$a: NanoCore 0x21d70:$a: NanoCore 0x21da3:$a: NanoCore 0x21fcf:$a: NanoCore 0x2204b:$a: NanoCore 0x22664:$a: NanoCore 0x227ad:$a: NanoCore 0x22c81:$a: NanoCore 0x22f68:$a: NanoCore 0x22f7f:$a: NanoCore 0x2be63:$a: NanoCore 0x2bedf:$a: NanoCore 0x2e7c2:$a: NanoCore 0x32f74:$a: NanoCore 0x32fbe:$a: NanoCore
12.2.iGZtra5EaP.exe.48e3e40.25.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.48e3e40.25.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.48e3e40.25.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.dhcpmon.exe.4099930.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
18.2.dhcpmon.exe.4099930.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.dhcpmon.exe.4099930.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
12.2.iGZtra5EaP.exe.6db0000.33.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6db0000.33.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.69d0000.31.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.69d0000.31.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.69d0000.31.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.4492da1.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x18dbe:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x18de8:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.4492da1.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x18dbe:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x1ac6e:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.4492da1.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x1d3e7:$x1: NanoCore.ClientPluginHost 0x2d603:$x1: NanoCore.ClientPluginHost 0x3a76c:$x1: NanoCore.ClientPluginHost 0x3fe5f:$x1: NanoCore.ClientPluginHost 0x460e8:$x1: NanoCore.ClientPluginHost 0x506f7:$x1: NanoCore.ClientPluginHost 0x5ab22:$x1: NanoCore.ClientPluginHost 0x65aff:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x1d411:$x2: IClientNetworkHost 0x2d630:$x2: IClientNetworkHost 0x3a7a5:$x2: IClientNetworkHost 0x46121:$x2: IClientNetworkHost 0x50854:$x2: IClientNetworkHost 0x5ab5b:$x2: IClientNetworkHost 0x65b19:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x1d3e7:$x2: NanoCore.ClientPluginHost 0x2d603:$x2: NanoCore.ClientPluginHost 0x3a76c:$x2: NanoCore.ClientPluginHost 0x3fe5f:$x2: NanoCore.ClientPluginHost 0x460e8:$x2: NanoCore.ClientPluginHost 0x506f7:$x2: NanoCore.ClientPluginHost 0x5ab22:$x2: NanoCore.ClientPluginHost 0x65aff:$x2: NanoCore.ClientPluginHost 0x2e5d2:$s2: FileCommand 0x5164d:$s3: PipeExists 0x10888:$s4: PipeCreated 0x1f297:$s4: PipeCreated 0x32fd4:$s4: PipeCreated 0x3a889:$s4: PipeCreated 0x3ff3d:$s4: PipeCreated 0x46203:$s4: PipeCreated 0x508ed:$s4: PipeCreated 0x5ac6d:$s4: PipeCreated 0x66b34:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf763:$a: NanoCore 0xf778:$a: NanoCore 0xf7ad:$a: NanoCore 0x1d3c2:$a: NanoCore 0x1d3e7:$a: NanoCore 0x1d440:$a: NanoCore 0x2d5dd:$a: NanoCore 0x2d603:$a: NanoCore 0x2d65f:$a: NanoCore 0x3a4b4:$a: NanoCore 0x3a50d:$a: NanoCore 0x3a540:$a: NanoCore 0x3a76c:$a: NanoCore 0x3a7e8:$a: NanoCore 0x3ae01:$a: NanoCore 0x3af4a:$a: NanoCore 0x3b41e:$a: NanoCore 0x3b705:$a: NanoCore 0x3b71c:$a: NanoCore 0x3eaa5:$a: NanoCore 0x3fe5f:$a: NanoCore
12.2.iGZtra5EaP.exe.44d0614.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.44d0614.14.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.44d0614.14.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.2.iGZtra5EaP.exe.3a60614.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287a9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287d6:$x2: IClientNetworkHost
27.2.iGZtra5EaP.exe.3a60614.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287a9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29884:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287c3:$s5: IClientLoggingHost
27.2.iGZtra5EaP.exe.3a60614.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.dhcpmon.exe.4149930.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.dhcpmon.exe.4149930.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
20.2.dhcpmon.exe.4149930.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.dhcpmon.exe.4149930.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.iGZtra5EaP.exe.6e5e8a4.41.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e5e8a4.41.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5df:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d60c:$x2: IClientNetworkHost
27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5df:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6ba:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5f9:$s5: IClientLoggingHost
27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d595:$a: NanoCore 0x2d5aa:$a: NanoCore 0x2d5df:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d351:$b: ClientPlugin 0x2d36c:$b: ClientPlugin
30.2.dhcpmon.exe.3079684.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
30.2.dhcpmon.exe.3079684.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
27.2.iGZtra5EaP.exe.2a7956c.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
27.2.iGZtra5EaP.exe.2a7956c.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6df0000.36.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6df0000.36.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6e20000.39.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e20000.39.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.1ad0000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.1ad0000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
12.2.iGZtra5EaP.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.iGZtra5EaP.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
30.2.dhcpmon.exe.4064c3d.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24180:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241ad:$x2: IClientNetworkHost
30.2.dhcpmon.exe.4064c3d.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24180:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2525b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2419a:$s5: IClientLoggingHost
30.2.dhcpmon.exe.4064c3d.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.6e00000.37.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e00000.37.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6e90000.44.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e90000.44.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6e40000.40.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e40000.40.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6e00000.37.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e00000.37.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.4489942.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2221d:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x22247:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.4489942.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2221d:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x240cd:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.4489942.13.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.4489942.13.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x221f8:$a: NanoCore 0x2221d:$a: NanoCore 0x22276:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x21fef:$b: ClientPlugin 0x22000:$b: ClientPlugin
12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2221d:$x1: NanoCore.ClientPluginHost 0x32439:$x1: NanoCore.ClientPluginHost 0x3f5a2:$x1: NanoCore.ClientPluginHost 0x44c95:$x1: NanoCore.ClientPluginHost 0x4af1e:$x1: NanoCore.ClientPluginHost 0x5552d:$x1: NanoCore.ClientPluginHost 0x5f958:$x1: NanoCore.ClientPluginHost 0x6a935:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x22247:$x2: IClientNetworkHost 0x32466:$x2: IClientNetworkHost 0x3f5db:$x2: IClientNetworkHost 0x4af57:$x2: IClientNetworkHost 0x5568a:$x2: IClientNetworkHost 0x5f991:$x2: IClientNetworkHost 0x6a94f:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2221d:$x2: NanoCore.ClientPluginHost 0x32439:$x2: NanoCore.ClientPluginHost 0x3f5a2:$x2: NanoCore.ClientPluginHost 0x44c95:$x2: NanoCore.ClientPluginHost 0x4af1e:$x2: NanoCore.ClientPluginHost 0x5552d:$x2: NanoCore.ClientPluginHost 0x5f958:$x2: NanoCore.ClientPluginHost 0x6a935:$x2: NanoCore.ClientPluginHost 0x33408:$s2: FileCommand 0x1261:$s3: PipeExists 0x56483:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x240cd:$s4: PipeCreated 0x37e0a:$s4: PipeCreated 0x3f6bf:$s4: PipeCreated 0x44d73:$s4: PipeCreated 0x4b039:$s4: PipeCreated 0x55723:$s4: PipeCreated
12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x221f8:$a: NanoCore 0x2221d:$a: NanoCore 0x22276:$a: NanoCore 0x32413:$a: NanoCore 0x32439:$a: NanoCore 0x32495:$a: NanoCore 0x3f2ea:$a: NanoCore 0x3f343:$a: NanoCore 0x3f376:$a: NanoCore 0x3f5a2:$a: NanoCore 0x3f61e:$a: NanoCore 0x3fc37:$a: NanoCore 0x3fd80:$a: NanoCore 0x40254:$a: NanoCore
12.2.iGZtra5EaP.exe.4553c80.19.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.4553c80.19.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.4553c80.19.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.6760000.28.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6760000.28.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.353c47c.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.353c47c.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5df:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d60c:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5df:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6ba:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5f9:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d595:$a: NanoCore 0x2d5aa:$a: NanoCore 0x2d5df:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d351:$b: ClientPlugin 0x2d36c:$b: ClientPlugin
27.2.iGZtra5EaP.exe.3a60614.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
27.2.iGZtra5EaP.exe.3a60614.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
27.2.iGZtra5EaP.exe.3a60614.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.48e3e40.25.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.48e3e40.25.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf763:$a: NanoCore 0xf778:$a: NanoCore 0xf7ad:$a: NanoCore 0x1d3c2:$a: NanoCore 0x1d3e7:$a: NanoCore 0x1d440:$a: NanoCore 0x2d5dd:$a: NanoCore 0x2d603:$a: NanoCore 0x2d65f:$a: NanoCore 0x3a4b4:$a: NanoCore 0x3a50d:$a: NanoCore 0x3a540:$a: NanoCore 0x3a76c:$a: NanoCore 0x3a7e8:$a: NanoCore 0x3ae01:$a: NanoCore 0x3af4a:$a: NanoCore 0x3b41e:$a: NanoCore 0x3b705:$a: NanoCore 0x3b71c:$a: NanoCore 0x3eaa5:$a: NanoCore 0x3fe5f:$a: NanoCore
33.2.dhcpmon.exe.3ff4c3d.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24180:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241ad:$x2: IClientNetworkHost
33.2.dhcpmon.exe.3ff4c3d.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24180:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2525b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2419a:$s5: IClientLoggingHost
33.2.dhcpmon.exe.3ff4c3d.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.448e778.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.448e778.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.448e778.11.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x18dbe:$x1: NanoCore.ClientPluginHost 0x28fda:$x1: NanoCore.ClientPluginHost 0x36143:$x1: NanoCore.ClientPluginHost 0x3b836:$x1: NanoCore.ClientPluginHost 0x41abf:$x1: NanoCore.ClientPluginHost 0x4c0ce:$x1: NanoCore.ClientPluginHost 0x564f9:$x1: NanoCore.ClientPluginHost 0x614d6:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x18de8:$x2: IClientNetworkHost 0x29007:$x2: IClientNetworkHost 0x3617c:$x2: IClientNetworkHost 0x41af8:$x2: IClientNetworkHost 0x4c22b:$x2: IClientNetworkHost 0x56532:$x2: IClientNetworkHost 0x614f0:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x18dbe:$x2: NanoCore.ClientPluginHost 0x28fda:$x2: NanoCore.ClientPluginHost 0x36143:$x2: NanoCore.ClientPluginHost 0x3b836:$x2: NanoCore.ClientPluginHost 0x41abf:$x2: NanoCore.ClientPluginHost 0x4c0ce:$x2: NanoCore.ClientPluginHost 0x564f9:$x2: NanoCore.ClientPluginHost 0x614d6:$x2: NanoCore.ClientPluginHost 0x29fa9:$s2: FileCommand 0x4d024:$s3: PipeExists 0xc25f:$s4: PipeCreated 0x1ac6e:$s4: PipeCreated 0x2e9ab:$s4: PipeCreated 0x36260:$s4: PipeCreated 0x3b914:$s4: PipeCreated 0x41bda:$s4: PipeCreated 0x4c2c4:$s4: PipeCreated 0x56644:$s4: PipeCreated 0x6250b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb13a:$a: NanoCore 0xb14f:$a: NanoCore 0xb184:$a: NanoCore 0x18d99:$a: NanoCore 0x18dbe:$a: NanoCore 0x18e17:$a: NanoCore 0x28fb4:$a: NanoCore 0x28fda:$a: NanoCore 0x29036:$a: NanoCore 0x35e8b:$a: NanoCore 0x35ee4:$a: NanoCore 0x35f17:$a: NanoCore 0x36143:$a: NanoCore 0x361bf:$a: NanoCore 0x367d8:$a: NanoCore 0x36921:$a: NanoCore 0x36df5:$a: NanoCore 0x370dc:$a: NanoCore 0x370f3:$a: NanoCore 0x3a47c:$a: NanoCore 0x3b836:$a: NanoCore
12.2.iGZtra5EaP.exe.35486f8.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.35486f8.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
18.2.dhcpmon.exe.4099930.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
18.2.dhcpmon.exe.4099930.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
18.2.dhcpmon.exe.4099930.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.dhcpmon.exe.4099930.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.iGZtra5EaP.exe.37c111c.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.37c111c.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
30.2.dhcpmon.exe.4060614.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287a9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287d6:$x2: IClientNetworkHost
30.2.dhcpmon.exe.4060614.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287a9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29884:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287c3:$s5: IClientLoggingHost
30.2.dhcpmon.exe.4060614.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
33.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
33.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
33.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
33.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
33.2.dhcpmon.exe.3ff0614.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
33.2.dhcpmon.exe.3ff0614.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
33.2.dhcpmon.exe.3ff0614.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.471931d.20.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.471931d.20.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.5ec0000.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.5ec0000.27.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.35486f8.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d53:$x1: NanoCore.ClientPluginHost 0x1fbe7:$x1: NanoCore.ClientPluginHost 0x26cf8:$x1: NanoCore.ClientPluginHost 0x2cfc5:$x1: NanoCore.ClientPluginHost 0x37617:$x1: NanoCore.ClientPluginHost 0x41a87:$x1: NanoCore.ClientPluginHost 0x4caad:$x1: NanoCore.ClientPluginHost 0x58897:$x1: NanoCore.ClientPluginHost 0x64656:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d8c:$x2: IClientNetworkHost 0x1fc20:$x2: IClientNetworkHost 0x2cffe:$x2: IClientNetworkHost 0x37774:$x2: IClientNetworkHost 0x41ac0:$x2: IClientNetworkHost 0x4cac7:$x2: IClientNetworkHost 0x588b1:$x2: IClientNetworkHost 0x64693:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.35486f8.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d53:$x2: NanoCore.ClientPluginHost 0x1fbe7:$x2: NanoCore.ClientPluginHost 0x26cf8:$x2: NanoCore.ClientPluginHost 0x2cfc5:$x2: NanoCore.ClientPluginHost 0x37617:$x2: NanoCore.ClientPluginHost 0x41a87:$x2: NanoCore.ClientPluginHost 0x4caad:$x2: NanoCore.ClientPluginHost 0x58897:$x2: NanoCore.ClientPluginHost 0x64656:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x3856d:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e70:$s4: PipeCreated 0x1fceb:$s4: PipeCreated 0x26dd6:$s4: PipeCreated 0x2d0e0:$s4: PipeCreated 0x3780d:$s4: PipeCreated 0x41bd2:$s4: PipeCreated 0x4dae2:$s4: PipeCreated 0x5a642:$s4: PipeCreated
12.2.iGZtra5EaP.exe.35486f8.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a9b:$a: NanoCore 0x15af4:$a: NanoCore 0x15b27:$a: NanoCore 0x15d53:$a: NanoCore 0x15dcf:$a: NanoCore 0x163e8:$a: NanoCore 0x16531:$a: NanoCore 0x16a05:$a: NanoCore 0x16cec:$a: NanoCore 0x16d03:$a: NanoCore 0x1fbe7:$a: NanoCore 0x1fc63:$a: NanoCore 0x22546:$a: NanoCore 0x26cf8:$a: NanoCore 0x26d42:$a: NanoCore 0x2799c:$a: NanoCore 0x2cfc5:$a: NanoCore 0x2d03f:$a: NanoCore
0.2.iGZtra5EaP.exe.3cc9930.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.iGZtra5EaP.exe.3cc9930.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.iGZtra5EaP.exe.3cc9930.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.iGZtra5EaP.exe.3cc9930.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd07ad:$x1: NanoCore.ClientPluginHost 0xd07ea:$x2: IClientNetworkHost 0xd431d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xd0515:$a: NanoCore 0xd0525:$a: NanoCore 0xd0759:$a: NanoCore 0xd076d:$a: NanoCore 0xd07ad:$a: NanoCore 0xd0574:$b: ClientPlugin 0xd0776:$b: ClientPlugin 0xd07b6:$b: ClientPlugin 0xd069b:$c: ProjectData 0x2a26cb:$c: ProjectData 0xd10a2:$d: DESCrypto 0xd8a6e:$e: KeepAlive 0xd6a5c:$g: LogClientMessage 0xd2c57:$i: get_Connected 0xd13d8:$j: #=q 0xd1408:$j: #=q 0xd1424:$j: #=q 0xd1454:$j: #=q 0xd1470:$j: #=q 0xd148c:$j: #=q 0xd14bc:$j: #=q
12.2.iGZtra5EaP.exe.6e50000.42.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e50000.42.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6dd0000.34.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6dd0000.34.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.6e50000.42.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6e50000.42.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.355cd68.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb577:$x1: NanoCore.ClientPluginHost 0x12688:$x1: NanoCore.ClientPluginHost 0x18955:$x1: NanoCore.ClientPluginHost 0x22fa7:$x1: NanoCore.ClientPluginHost 0x2d417:$x1: NanoCore.ClientPluginHost 0x3843d:$x1: NanoCore.ClientPluginHost 0x44227:$x1: NanoCore.ClientPluginHost 0x4ffe6:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb5b0:$x2: IClientNetworkHost 0x1898e:$x2: IClientNetworkHost 0x23104:$x2: IClientNetworkHost 0x2d450:$x2: IClientNetworkHost 0x38457:$x2: IClientNetworkHost 0x44241:$x2: IClientNetworkHost 0x50023:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.355cd68.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0xb577:$x2: NanoCore.ClientPluginHost 0x12688:$x2: NanoCore.ClientPluginHost 0x18955:$x2: NanoCore.ClientPluginHost 0x22fa7:$x2: NanoCore.ClientPluginHost 0x2d417:$x2: NanoCore.ClientPluginHost 0x3843d:$x2: NanoCore.ClientPluginHost 0x44227:$x2: NanoCore.ClientPluginHost 0x4ffe6:$x2: NanoCore.ClientPluginHost 0x23efd:$s3: PipeExists 0x1800:$s4: PipeCreated 0xb67b:$s4: PipeCreated 0x12766:$s4: PipeCreated 0x18a70:$s4: PipeCreated 0x2319d:$s4: PipeCreated 0x2d562:$s4: PipeCreated 0x39472:$s4: PipeCreated 0x45fd2:$s4: PipeCreated 0x53439:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost 0xb591:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.355cd68.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb577:$a: NanoCore 0xb5f3:$a: NanoCore 0xded6:$a: NanoCore 0x12688:$a: NanoCore 0x126d2:$a: NanoCore 0x1332c:$a: NanoCore 0x18955:$a: NanoCore 0x189cf:$a: NanoCore 0x22fa7:$a: NanoCore 0x23091:$a: NanoCore 0x23f08:$a: NanoCore
12.2.iGZtra5EaP.exe.6df0000.36.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.6df0000.36.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.37c111c.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14e31:$x1: NanoCore.ClientPluginHost 0x21fef:$x1: NanoCore.ClientPluginHost 0x2be93:$x1: NanoCore.ClientPluginHost 0x32fb4:$x1: NanoCore.ClientPluginHost 0x39291:$x1: NanoCore.ClientPluginHost 0x438f3:$x1: NanoCore.ClientPluginHost 0x4dd73:$x1: NanoCore.ClientPluginHost 0x58da9:$x1: NanoCore.ClientPluginHost 0x64ba3:$x1: NanoCore.ClientPluginHost 0x7098e:$x1: NanoCore.ClientPluginHost 0x8298f:$x1: NanoCore.ClientPluginHost 0x877af:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e5e:$x2: IClientNetworkHost 0x22028:$x2: IClientNetworkHost 0x2becc:$x2: IClientNetworkHost 0x392ca:$x2: IClientNetworkHost 0x43a50:$x2: IClientNetworkHost 0x4ddac:$x2: IClientNetworkHost 0x58dc3:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.37c111c.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x14e31:$x2: NanoCore.ClientPluginHost 0x21fef:$x2: NanoCore.ClientPluginHost 0x2be93:$x2: NanoCore.ClientPluginHost 0x32fb4:$x2: NanoCore.ClientPluginHost 0x39291:$x2: NanoCore.ClientPluginHost 0x438f3:$x2: NanoCore.ClientPluginHost 0x4dd73:$x2: NanoCore.ClientPluginHost 0x58da9:$x2: NanoCore.ClientPluginHost 0x64ba3:$x2: NanoCore.ClientPluginHost 0x7098e:$x2: NanoCore.ClientPluginHost 0x8298f:$x2: NanoCore.ClientPluginHost 0x877af:$x2: NanoCore.ClientPluginHost 0x15e00:$s2: FileCommand 0x44849:$s3: PipeExists 0x82d7b:$s3: PipeExists 0x87b9b:$s3: PipeExists 0x6a6b:$s4: PipeCreated 0x1a802:$s4: PipeCreated 0x2210c:$s4: PipeCreated 0x2bf97:$s4: PipeCreated
12.2.iGZtra5EaP.exe.37c111c.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14e0b:$a: NanoCore 0x14e31:$a: NanoCore 0x14e8d:$a: NanoCore 0x21d37:$a: NanoCore 0x21d90:$a: NanoCore 0x21dc3:$a: NanoCore 0x21fef:$a: NanoCore 0x2206b:$a: NanoCore 0x22684:$a: NanoCore 0x227cd:$a: NanoCore 0x22ca1:$a: NanoCore 0x22f88:$a: NanoCore 0x22f9f:$a: NanoCore 0x2be93:$a: NanoCore 0x2bf0f:$a: NanoCore 0x2e7f2:$a: NanoCore 0x32fb4:$a: NanoCore 0x32ffe:$a: NanoCore
12.2.iGZtra5EaP.exe.44d0614.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287a9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287d6:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.44d0614.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287a9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29884:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287c3:$s5: IClientLoggingHost
12.2.iGZtra5EaP.exe.44d0614.14.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.48fc66c.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14dd7:$x1: NanoCore.ClientPluginHost 0x21f40:$x1: NanoCore.ClientPluginHost 0x27633:$x1: NanoCore.ClientPluginHost 0x2d8bc:$x1: NanoCore.ClientPluginHost 0x37ecb:$x1: NanoCore.ClientPluginHost 0x422f6:$x1: NanoCore.ClientPluginHost 0x4d2d3:$x1: NanoCore.ClientPluginHost 0x59075:$x1: NanoCore.ClientPluginHost 0x7df79:$x1: NanoCore.ClientPluginHost 0x8d3b9:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e04:$x2: IClientNetworkHost 0x21f79:$x2: IClientNetworkHost 0x2d8f5:$x2: IClientNetworkHost 0x38028:$x2: IClientNetworkHost 0x4232f:$x2: IClientNetworkHost 0x4d2ed:$x2: IClientNetworkHost 0x5908f:$x2: IClientNetworkHost 0x7df93:$x2: IClientNetworkHost 0x8d3f6:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.48fc66c.23.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db1:$a: NanoCore 0x14dd7:$a: NanoCore 0x14e33:$a: NanoCore 0x21c88:$a: NanoCore 0x21ce1:$a: NanoCore 0x21d14:$a: NanoCore 0x21f40:$a: NanoCore 0x21fbc:$a: NanoCore 0x225d5:$a: NanoCore 0x2271e:$a: NanoCore 0x22bf2:$a: NanoCore 0x22ed9:$a: NanoCore 0x22ef0:$a: NanoCore 0x26279:$a: NanoCore 0x27633:$a: NanoCore 0x2767d:$a: NanoCore 0x282d7:$a: NanoCore 0x2d8bc:$a: NanoCore
0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x1033cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x10340a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x106f3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x103135:$a: NanoCore 0x103145:$a: NanoCore 0x103379:$a: NanoCore 0x10338d:$a: NanoCore 0x1033cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x103194:$b: ClientPlugin 0x103396:$b: ClientPlugin 0x1033d6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x1032bb:$c: ProjectData 0x2d52eb:$c: ProjectData 0x10a82:$d: DESCrypto 0x103cc2:$d: DESCrypto
17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
12.2.iGZtra5EaP.exe.37cd3a8.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d63:$x1: NanoCore.ClientPluginHost 0x1fc07:$x1: NanoCore.ClientPluginHost 0x26d28:$x1: NanoCore.ClientPluginHost 0x2d005:$x1: NanoCore.ClientPluginHost 0x37667:$x1: NanoCore.ClientPluginHost 0x41ae7:$x1: NanoCore.ClientPluginHost 0x4cb1d:$x1: NanoCore.ClientPluginHost 0x58917:$x1: NanoCore.ClientPluginHost 0x64702:$x1: NanoCore.ClientPluginHost 0x76703:$x1: NanoCore.ClientPluginHost 0x7b523:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d9c:$x2: IClientNetworkHost 0x1fc40:$x2: IClientNetworkHost 0x2d03e:$x2: IClientNetworkHost 0x377c4:$x2: IClientNetworkHost 0x41b20:$x2: IClientNetworkHost 0x4cb37:$x2: IClientNetworkHost 0x58931:$x2: IClientNetworkHost 0x6473f:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.37cd3a8.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d63:$x2: NanoCore.ClientPluginHost 0x1fc07:$x2: NanoCore.ClientPluginHost 0x26d28:$x2: NanoCore.ClientPluginHost 0x2d005:$x2: NanoCore.ClientPluginHost 0x37667:$x2: NanoCore.ClientPluginHost 0x41ae7:$x2: NanoCore.ClientPluginHost 0x4cb1d:$x2: NanoCore.ClientPluginHost 0x58917:$x2: NanoCore.ClientPluginHost 0x64702:$x2: NanoCore.ClientPluginHost 0x76703:$x2: NanoCore.ClientPluginHost 0x7b523:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x385bd:$s3: PipeExists 0x76aef:$s3: PipeExists 0x7b90f:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e80:$s4: PipeCreated 0x1fd0b:$s4: PipeCreated 0x26e06:$s4: PipeCreated 0x2d120:$s4: PipeCreated
12.2.iGZtra5EaP.exe.37cd3a8.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15aab:$a: NanoCore 0x15b04:$a: NanoCore 0x15b37:$a: NanoCore 0x15d63:$a: NanoCore 0x15ddf:$a: NanoCore 0x163f8:$a: NanoCore 0x16541:$a: NanoCore 0x16a15:$a: NanoCore 0x16cfc:$a: NanoCore 0x16d13:$a: NanoCore 0x1fc07:$a: NanoCore 0x1fc83:$a: NanoCore 0x22566:$a: NanoCore 0x26d28:$a: NanoCore 0x26d72:$a: NanoCore 0x279cc:$a: NanoCore 0x2d005:$a: NanoCore 0x2d07f:$a: NanoCore
12.2.iGZtra5EaP.exe.471931d.20.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.471931d.20.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a58:$a: NanoCore 0x15ab1:$a: NanoCore 0x15ae4:$a: NanoCore 0x15d10:$a: NanoCore 0x15d8c:$a: NanoCore 0x163a5:$a: NanoCore 0x164ee:$a: NanoCore 0x169c2:$a: NanoCore 0x16ca9:$a: NanoCore 0x16cc0:$a: NanoCore 0x1fb64:$a: NanoCore 0x1fbe0:$a: NanoCore 0x224c3:$a: NanoCore 0x25875:$a: NanoCore 0x26c31:$a: NanoCore 0x26c7b:$a: NanoCore 0x278d5:$a: NanoCore 0x2cebc:$a: NanoCore
12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x18dbe:$x1: NanoCore.ClientPluginHost 0x28fda:$x1: NanoCore.ClientPluginHost 0x36143:$x1: NanoCore.ClientPluginHost 0x3b836:$x1: NanoCore.ClientPluginHost 0x41abf:$x1: NanoCore.ClientPluginHost 0x4c0ce:$x1: NanoCore.ClientPluginHost 0x564f9:$x1: NanoCore.ClientPluginHost 0x614d6:$x1: NanoCore.ClientPluginHost 0x6d278:$x1: NanoCore.ClientPluginHost 0x9217c:$x1: NanoCore.ClientPluginHost 0xa15bc:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x18de8:$x2: IClientNetworkHost 0x29007:$x2: IClientNetworkHost 0x3617c:$x2: IClientNetworkHost 0x41af8:$x2: IClientNetworkHost 0x4c22b:$x2: IClientNetworkHost 0x56532:$x2: IClientNetworkHost 0x614f0:$x2: IClientNetworkHost 0x6d292:$x2: IClientNetworkHost
12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb13a:$a: NanoCore 0xb14f:$a: NanoCore 0xb184:$a: NanoCore 0x18d99:$a: NanoCore 0x18dbe:$a: NanoCore 0x18e17:$a: NanoCore 0x28fb4:$a: NanoCore 0x28fda:$a: NanoCore 0x29036:$a: NanoCore 0x35e8b:$a: NanoCore 0x35ee4:$a: NanoCore 0x35f17:$a: NanoCore 0x36143:$a: NanoCore 0x361bf:$a: NanoCore 0x367d8:$a: NanoCore 0x36921:$a: NanoCore 0x36df5:$a: NanoCore 0x370dc:$a: NanoCore 0x370f3:$a: NanoCore 0x3a47c:$a: NanoCore 0x3b836:$a: NanoCore
12.2.iGZtra5EaP.exe.472d94a.22.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.472d94a.22.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb537:$a: NanoCore 0xb5b3:$a: NanoCore 0xde96:$a: NanoCore 0x11248:$a: NanoCore 0x12604:$a: NanoCore 0x1264e:$a: NanoCore 0x132a8:$a: NanoCore 0x1888f:$a: NanoCore 0x18909:$a: NanoCore 0x22ea0:$a: NanoCore 0x22f8a:$a: NanoCore
12.2.iGZtra5EaP.exe.470d0e9.21.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.iGZtra5EaP.exe.470d0e9.21.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db3:$a: NanoCore 0x14dd9:$a: NanoCore 0x14e35:$a: NanoCore 0x21c8c:$a: NanoCore 0x21ce5:$a: NanoCore 0x21d18:$a: NanoCore 0x21f44:$a: NanoCore 0x21fc0:$a: NanoCore 0x225d9:$a: NanoCore 0x22722:$a: NanoCore 0x22bf6:$a: NanoCore 0x22edd:$a: NanoCore 0x22ef4:$a: NanoCore 0x2bd98:$a: NanoCore 0x2be14:$a: NanoCore 0x2e6f7:$a: NanoCore 0x31aa9:$a: NanoCore 0x32e65:$a: NanoCore
Click to see the 237 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\iGZtra5EaP.exe, ProcessId: 4720, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\iGZtra5EaP.exe, ProcessId: 4720, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\iGZtra5EaP.exe, ProcessId: 4720, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\iGZtra5EaP.exe, ProcessId: 4720, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "f0d143be-967c-4293-98d3-3a1e128b", "Group": "BotNet", "Domain1": "microsoftsecurity.sytes.net", "Domain2": "backupnew.duckdns.org", "Port": 1177, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for domain / URL

Show sources

Source: backupnew.duckdns.org	Virustotal: Detection: 8%	Perma Link
Source: microsoftsecurity.sytes.net	Virustotal: Detection: 8%	Perma Link
Source: backupnew.duckdns.org	Virustotal: Detection: 8%	Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe	ReversingLabs: Detection: 64%

Multi AV Scanner detection for submitted file

Show sources

Source: iGZtra5EaP.exe	Virustotal: Detection: 48%			Perma Link
Source: iGZtra5EaP.exe	ReversingLabs: Detection: 64%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 30.2.dhcpmon.exe.4060614.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a64c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.iGZtra5EaP.exe.3b59930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.4149930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d4c3d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d4629.30.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff0614.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.405b7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.448e778.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3feb7de.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d0000.31.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e3e40.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.4099930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d0000.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4492da1.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d0614.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a60614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.4149930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.4064c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4489942.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4553c80.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a60614.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e3e40.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff4c3d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.448e778.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.4099930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.4060614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff0614.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cc9930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d0614.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.471931d.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.472d94a.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.470d0e9.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476961664.000000000454E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.477941629.00000000048DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476599395.00000000044C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.423536148.0000000004019000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476392070.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.431679291.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.472713339.0000000003481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 4720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 5016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5200, type: MEMORYSTR

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: iGZtra5EaP.exe

Joe Sandbox ML: detected

Source: 27.2.iGZtra5EaP.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 30.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.iGZtra5EaP.exe.69d0000.31.unpack	Avira: Label: TR/NanoCore.fadte
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 33.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: iGZtra5EaP.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: iGZtra5EaP.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	12_2_06DCBD68
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 4x nop then pop ebp	12_2_06DCB7E7
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 4x nop then pop ebp	12_2_06DCB359
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	12_2_06DCBDF0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49737 -> 20.197.234.75:1177
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49743 -> 20.197.234.75:1177
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49744 -> 20.197.234.75:1177
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49745 -> 20.197.234.75:1177

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: backupnew.duckdns.org
Source: Malware configuration extractor	URLs: microsoftsecurity.sytes.net

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: backupnew.duckdns.org

Source: global traffic	TCP traffic: 192.168.2.3:49724 -> 20.206.66.33:1177
Source: global traffic	TCP traffic: 192.168.2.3:49737 -> 20.197.234.75:1177

Source: unknown

DNS traffic detected: queries for: microsoftsecurity.sytes.net

Source: iGZtra5EaP.exe	String found in binary or memory: http://douglasheriot.com/uno/
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: iGZtra5EaP.exe, 00000000.00000002.293558443.0000000002CC1000.00000004.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.398277931.0000000002B51000.00000004.00000001.sdmp, dhcpmon.exe, 00000012.00000002.400511596.0000000003091000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 30.2.dhcpmon.exe.4060614.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a64c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.iGZtra5EaP.exe.3b59930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.4149930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d4c3d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d4629.30.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff0614.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.405b7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.448e778.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3feb7de.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d0000.31.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e3e40.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.4099930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d0000.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4492da1.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d0614.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a60614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.4149930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.4064c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4489942.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4553c80.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a60614.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e3e40.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff4c3d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.448e778.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.4099930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.4060614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff0614.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cc9930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d0614.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.471931d.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.472d94a.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.470d0e9.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476961664.000000000454E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.477941629.00000000048DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476599395.00000000044C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.423536148.0000000004019000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476392070.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.431679291.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.472713339.0000000003481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 4720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 5016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5200, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 12.2.iGZtra5EaP.exe.6de0000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e10000.38.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 33.2.dhcpmon.exe.3009684.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6760000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.dhcpmon.exe.4060614.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.iGZtra5EaP.exe.3a64c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e40000.40.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.iGZtra5EaP.exe.3b59930.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.iGZtra5EaP.exe.3b59930.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.dhcpmon.exe.4149930.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.4149930.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.44d4c3d.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.69d4629.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e54c9f.43.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 33.2.dhcpmon.exe.3ff0614.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e90000.44.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e10000.38.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.dhcpmon.exe.405b7de.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.dhcpmon.exe.405b7de.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.37e1a28.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.37e1a28.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.37cd3a8.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6dd0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.448e778.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.34b6ba0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e20000.39.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.1ad0000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 33.2.dhcpmon.exe.3feb7de.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 33.2.dhcpmon.exe.3feb7de.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.48fc66c.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.470d0e9.21.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.69d0000.31.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.353c47c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.353c47c.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.48e3e40.25.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.4099930.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.4099930.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.6db0000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.69d0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.4492da1.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.44d0614.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.iGZtra5EaP.exe.3a60614.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.4149930.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.4149930.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.6e5e8a4.41.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.2.dhcpmon.exe.3079684.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.iGZtra5EaP.exe.2a7956c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6df0000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e20000.39.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.1ad0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 30.2.dhcpmon.exe.4064c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e00000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e90000.44.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e40000.40.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e00000.37.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.4489942.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.4489942.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.4553c80.19.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6760000.28.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.353c47c.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.iGZtra5EaP.exe.3a60614.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.48e3e40.25.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.2.dhcpmon.exe.3ff4c3d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.448e778.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.35486f8.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.4099930.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.dhcpmon.exe.4099930.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.37c111c.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 30.2.dhcpmon.exe.4060614.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.2.dhcpmon.exe.3ff0614.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.471931d.20.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.5ec0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.35486f8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.35486f8.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.iGZtra5EaP.exe.3cc9930.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.iGZtra5EaP.exe.3cc9930.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.6e50000.42.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6dd0000.34.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.6e50000.42.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.355cd68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.355cd68.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.6df0000.36.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.37c111c.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.37c111c.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.44d0614.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.48fc66c.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.48fc66c.23.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.37cd3a8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.37cd3a8.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.471931d.20.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.472d94a.22.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.iGZtra5EaP.exe.470d0e9.21.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.482078580.0000000006E40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.476961664.000000000454E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.482179100.0000000006E90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.471078718.0000000001AD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.475401082.000000000374C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.481910813.0000000006DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.481995550.0000000006E00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.482020693.0000000006E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.481961618.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.481945946.0000000006DD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.482036750.0000000006E20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.473787584.00000000034F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.480093816.0000000005EC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.482102080.0000000006E50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.477941629.00000000048DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.480306697.0000000006760000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.476599395.00000000044C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000002.423536148.0000000004019000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.476392070.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.481978911.0000000006DF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000021.00000002.431679291.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: iGZtra5EaP.exe PID: 5832, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: iGZtra5EaP.exe PID: 5832, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: iGZtra5EaP.exe PID: 4720, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: iGZtra5EaP.exe PID: 4720, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: iGZtra5EaP.exe PID: 5016, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: iGZtra5EaP.exe PID: 5016, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 3008, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 3008, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 5200, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 5200, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 0_2_02B57E88	0_2_02B57E88
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 0_2_02B5D424	0_2_02B5D424
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 0_2_02B57E79	0_2_02B57E79
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 0_2_052A1AC0	0_2_052A1AC0
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 0_2_052AA5E4	0_2_052AA5E4
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_0182E480	12_2_0182E480
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_0182E471	12_2_0182E471
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_0182BBD4	12_2_0182BBD4
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DC0040	12_2_06DC0040
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DC8D08	12_2_06DC8D08
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DC9B98	12_2_06DC9B98
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DC9C56	12_2_06DC9C56
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_01047E79	17_2_01047E79
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_0104D424	17_2_0104D424
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_050D1AC0	17_2_050D1AC0
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_050D0006	17_2_050D0006
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_050D0040	17_2_050D0040
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_050D1AB1	17_2_050D1AB1
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084BA1B8	17_2_084BA1B8
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084B6220	17_2_084B6220
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084B4230	17_2_084B4230
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084B4B00	17_2_084B4B00
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084B9588	17_2_084B9588
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084BA1AA	17_2_084BA1AA
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084BE4F8	17_2_084BE4F8
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084BA488	17_2_084BA488
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084BA482	17_2_084BA482
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084B957A	17_2_084B957A
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084B3EE8	17_2_084B3EE8
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_084B9F58	17_2_084B9F58
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_02E67E88	18_2_02E67E88
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_02E6D424	18_2_02E6D424
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_02E67E79	18_2_02E67E79
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_05651AC0	18_2_05651AC0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_05650040	18_2_05650040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_05650006	18_2_05650006
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_05651AB1	18_2_05651AB1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_0711DF70	18_2_0711DF70
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_071147E0	18_2_071147E0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07117EB0	18_2_07117EB0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_0711E6F8	18_2_0711E6F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07114D78	18_2_07114D78
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_0711C5B0	18_2_0711C5B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07115CC8	18_2_07115CC8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07114A50	18_2_07114A50
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07115908	18_2_07115908
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07115140	18_2_07115140
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07118990	18_2_07118990
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_071147D0	18_2_071147D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07114D67	18_2_07114D67
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07116C22	18_2_07116C22
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07116C28	18_2_07116C28
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_0711D458	18_2_0711D458
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07115CB8	18_2_07115CB8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07114378	18_2_07114378
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07114369	18_2_07114369
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07114A42	18_2_07114A42
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07115130	18_2_07115130
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07113851	18_2_07113851
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_071158F8	18_2_071158F8

Source: iGZtra5EaP.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: eBopYzBwUYOW.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.12.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: iGZtra5EaP.exe	Binary or memory string: OriginalFilename vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000000.00000002.294056271.0000000002F9F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameResource_Meter.dll> vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000000.00000002.302493562.000000000EA00000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000000.00000002.302493562.000000000EA00000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000000.00000002.300051492.0000000007670000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIpTl.exe( vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000000.00000002.302136335.000000000E910000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe	Binary or memory string: OriginalFilename vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.480906806.00000000068E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.479435381.00000000059A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000002.470898373.00000000018E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000000C.00000000.292068443.0000000000EF2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIpTl.exe( vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe	Binary or memory string: OriginalFilename vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000011.00000002.408352281.00000000070B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000011.00000002.398277931.0000000002B51000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000011.00000002.399298004.0000000002E2F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameResource_Meter.dll> vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000011.00000000.303701249.0000000000632000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIpTl.exe( vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000011.00000002.410906313.000000000E310000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000011.00000002.396930695.0000000000D5A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000011.00000002.408776484.0000000007150000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 00000011.00000002.408776484.0000000007150000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000001B.00000000.394808398.0000000000522000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIpTl.exe( vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe, 0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs iGZtra5EaP.exe
Source: iGZtra5EaP.exe	Binary or memory string: OriginalFilenameIpTl.exe( vs iGZtra5EaP.exe

Source: iGZtra5EaP.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 12.2.iGZtra5EaP.exe.6de0000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6de0000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e10000.38.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e10000.38.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.dhcpmon.exe.3009684.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 33.2.dhcpmon.exe.3009684.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6760000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6760000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.dhcpmon.exe.4060614.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.dhcpmon.exe.4060614.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.iGZtra5EaP.exe.3a64c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.iGZtra5EaP.exe.3a64c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e40000.40.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e40000.40.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.iGZtra5EaP.exe.3b59930.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.iGZtra5EaP.exe.3b59930.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.iGZtra5EaP.exe.3b59930.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.dhcpmon.exe.4149930.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.4149930.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.44d4c3d.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.44d4c3d.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.69d4629.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.69d4629.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e54c9f.43.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e54c9f.43.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.dhcpmon.exe.3ff0614.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 33.2.dhcpmon.exe.3ff0614.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e90000.44.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e90000.44.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e10000.38.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e10000.38.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.dhcpmon.exe.405b7de.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.dhcpmon.exe.405b7de.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.dhcpmon.exe.405b7de.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.37e1a28.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.37e1a28.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.37e1a28.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.37cd3a8.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.37cd3a8.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6dd0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6dd0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.448e778.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.448e778.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.34b6ba0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.34b6ba0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e20000.39.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e20000.39.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.1ad0000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.1ad0000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.dhcpmon.exe.3feb7de.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 33.2.dhcpmon.exe.3feb7de.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.dhcpmon.exe.3feb7de.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.48fc66c.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.48fc66c.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.470d0e9.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.470d0e9.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.69d0000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.69d0000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.353c47c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.353c47c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.353c47c.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.48e3e40.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.48e3e40.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.dhcpmon.exe.4099930.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.4099930.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.6db0000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6db0000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.69d0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.69d0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.4492da1.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.4492da1.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.44d0614.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.44d0614.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.iGZtra5EaP.exe.3a60614.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.iGZtra5EaP.exe.3a60614.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.dhcpmon.exe.4149930.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.4149930.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.dhcpmon.exe.4149930.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.6e5e8a4.41.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e5e8a4.41.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.2.dhcpmon.exe.3079684.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.dhcpmon.exe.3079684.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.iGZtra5EaP.exe.2a7956c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.iGZtra5EaP.exe.2a7956c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6df0000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6df0000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e20000.39.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e20000.39.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.1ad0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.1ad0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 30.2.dhcpmon.exe.4064c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.dhcpmon.exe.4064c3d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e00000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e00000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e90000.44.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e90000.44.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e40000.40.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e40000.40.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e00000.37.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e00000.37.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.4489942.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.4489942.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.4489942.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.4553c80.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.4553c80.19.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6760000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6760000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.353c47c.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.353c47c.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.iGZtra5EaP.exe.3a60614.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.iGZtra5EaP.exe.3a60614.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.48e3e40.25.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 33.2.dhcpmon.exe.3ff4c3d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 33.2.dhcpmon.exe.3ff4c3d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.448e778.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.448e778.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.35486f8.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.35486f8.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.dhcpmon.exe.4099930.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.dhcpmon.exe.4099930.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.dhcpmon.exe.4099930.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.37c111c.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.37c111c.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 30.2.dhcpmon.exe.4060614.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 30.2.dhcpmon.exe.4060614.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 33.2.dhcpmon.exe.3ff0614.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 33.2.dhcpmon.exe.3ff0614.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.471931d.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.471931d.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.5ec0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.5ec0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.35486f8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.35486f8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.35486f8.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.iGZtra5EaP.exe.3cc9930.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.iGZtra5EaP.exe.3cc9930.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.iGZtra5EaP.exe.3cc9930.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.6e50000.42.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e50000.42.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6dd0000.34.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6dd0000.34.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.6e50000.42.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6e50000.42.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.355cd68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.355cd68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.355cd68.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.6df0000.36.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.6df0000.36.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.37c111c.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.37c111c.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.37c111c.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.44d0614.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.44d0614.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.48fc66c.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.48fc66c.23.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.37cd3a8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.37cd3a8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.iGZtra5EaP.exe.37cd3a8.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.471931d.20.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.472d94a.22.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.iGZtra5EaP.exe.470d0e9.21.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.482078580.0000000006E40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.482078580.0000000006E40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.476961664.000000000454E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.482179100.0000000006E90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.482179100.0000000006E90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.471078718.0000000001AD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.471078718.0000000001AD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.475401082.000000000374C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.481910813.0000000006DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.481910813.0000000006DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.481995550.0000000006E00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.481995550.0000000006E00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.482020693.0000000006E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.482020693.0000000006E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.481961618.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.481961618.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.481945946.0000000006DD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.481945946.0000000006DD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.482036750.0000000006E20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.482036750.0000000006E20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.473787584.00000000034F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.480093816.0000000005EC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.480093816.0000000005EC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.482102080.0000000006E50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.482102080.0000000006E50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.477941629.00000000048DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.480306697.0000000006760000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.480306697.0000000006760000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.476599395.00000000044C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000002.423536148.0000000004019000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.476392070.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.481978911.0000000006DF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.481978911.0000000006DF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000021.00000002.431679291.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: iGZtra5EaP.exe PID: 5832, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: iGZtra5EaP.exe PID: 5832, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: iGZtra5EaP.exe PID: 4720, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: iGZtra5EaP.exe PID: 4720, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: iGZtra5EaP.exe PID: 5016, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: iGZtra5EaP.exe PID: 5016, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 3008, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 3008, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 5200, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 5200, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: iGZtra5EaP.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: eBopYzBwUYOW.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.12.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 30.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 30.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 30.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 33.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 33.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 30.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 30.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@30/15@7/2

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

File created: C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe

Jump to behavior

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{f0d143be-967c-4293-98d3-3a1e128b5398}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2588:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5096:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:256:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1324:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5072:120:WilError_01

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

File created: C:\Users\user\AppData\Local\Temp\tmp3997.tmp

Jump to behavior

Source: iGZtra5EaP.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: iGZtra5EaP.exe	Virustotal: Detection: 48%
Source: iGZtra5EaP.exe	ReversingLabs: Detection: 64%

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

File read: C:\Users\user\Desktop\iGZtra5EaP.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\iGZtra5EaP.exe 'C:\Users\user\Desktop\iGZtra5EaP.exe'
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp3997.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Users\user\Desktop\iGZtra5EaP.exe {path}
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp489A.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4CC2.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\iGZtra5EaP.exe C:\Users\user\Desktop\iGZtra5EaP.exe 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpF219.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Users\user\Desktop\iGZtra5EaP.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpF5E2.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp63D.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp3997.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Users\user\Desktop\iGZtra5EaP.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp489A.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4CC2.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpF219.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Users\user\Desktop\iGZtra5EaP.exe {path}	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpF5E2.tmp'	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp63D.tmp'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: iGZtra5EaP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: iGZtra5EaP.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 30.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 30.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 33.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 33.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 0_2_009585A5 push edx; iretd	0_2_009585A6
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 0_2_00954664 push dword ptr [edx+ebx*2+20h]; ret	0_2_0095466C
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_00EF85A5 push edx; iretd	12_2_00EF85A6
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_00EF4664 push dword ptr [edx+ebx*2+20h]; ret	12_2_00EF466C
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD61F push es; retf	12_2_06DCD620
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD61B push es; retf	12_2_06DCD61C
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD603 push es; retf	12_2_06DCD618
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD633 push es; retf	12_2_06DCD618
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD62F push es; retf	12_2_06DCD630
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD62B push es; retf	12_2_06DCD62C
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD627 push es; retf	12_2_06DCD628
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD623 push es; retf	12_2_06DCD624
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD4FF push es; retf	12_2_06DCD500
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD4FB push es; retf	12_2_06DCD4FC
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD467 push es; retf	12_2_06DCD468
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD463 push es; retf	12_2_06DCD464
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD597 push es; retf	12_2_06DCD598
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD5B7 push es; retf	12_2_06DCD5CC
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD3C7 push es; ret	12_2_06DCD3C8
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCD3C3 push es; ret	12_2_06DCD3C4
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 12_2_06DCCD42 push 8B000005h; retf	12_2_06DCCD47
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_00634664 push dword ptr [edx+ebx*2+20h]; ret	17_2_0063466C
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_006385A5 push edx; iretd	17_2_006385A6
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_050D806D pushad ; retf	17_2_050D806E
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Code function: 17_2_050D8A30 push C58FBA62h; ret	17_2_050D8A35
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_00C685A5 push edx; iretd	18_2_00C685A6
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_00C64664 push dword ptr [edx+ebx*2+20h]; ret	18_2_00C6466C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_0565806D pushad ; retf	18_2_0565806E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_05658A30 push C58FBA62h; ret	18_2_05658A35
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_07117E80 push esp; ret	18_2_07117E8D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_0711981D pushad ; iretd	18_2_07119839

Source: initial sample	Static PE information: section name: .text entropy: 7.50200224495
Source: initial sample	Static PE information: section name: .text entropy: 7.50200224495
Source: initial sample	Static PE information: section name: .text entropy: 7.50200224495

Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 12.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 27.2.iGZtra5EaP.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 30.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 30.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 33.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 33.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	File created: C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp3997.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

File opened: C:\Users\user\Desktop\iGZtra5EaP.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.398277931.0000000002B51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.293558443.0000000002CC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.400511596.0000000003091000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 1288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5756, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: iGZtra5EaP.exe, 00000000.00000002.293558443.0000000002CC1000.00000004.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.398277931.0000000002B51000.00000004.00000001.sdmp, dhcpmon.exe, 00000012.00000002.400511596.0000000003091000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: iGZtra5EaP.exe, 00000000.00000002.293558443.0000000002CC1000.00000004.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.398277931.0000000002B51000.00000004.00000001.sdmp, dhcpmon.exe, 00000012.00000002.400511596.0000000003091000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Window / User API: threadDelayed 2413	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Window / User API: threadDelayed 6764	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Window / User API: foregroundWindowGot 567	Jump to behavior

Source: C:\Users\user\Desktop\iGZtra5EaP.exe TID: 1636	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe TID: 1200	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe TID: 3868	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1180	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5896	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\iGZtra5EaP.exe TID: 6004	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1928	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5480	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: dhcpmon.exe, 00000014.00000002.427212461.000000000E4C0000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: iGZtra5EaP.exe, 0000000C.00000002.470898373.00000000018E0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: iGZtra5EaP.exe, 00000000.00000002.301129173.0000000008C30000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMware3TV9F2PNWin32_VideoControllerXYX6N6Y_VideoController120060621000000.000000-00087424060disp
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: dhcpmon.exe, 00000014.00000002.427212461.000000000E4C0000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SAE
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000014.00000002.427212461.000000000E4C0000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMware3TV9F2PNWin32_VideoControllerXYX6N6Y_VideoController120060621000000.000000-00087424060display.infMSBDAU1H7SVAXPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsK9WOH_X5
Source: iGZtra5EaP.exe, 0000000C.00000002.470898373.00000000018E0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: iGZtra5EaP.exe, 00000000.00000002.301129173.0000000008C30000.00000004.00000001.sdmp	Binary or memory string: ontroller(Standard display types)VMware3TV9F2PNWin32_VideoControllerXYX6N6Y_VideoController120060621000000.000000-00087424060display.infMSBDAU1H7SVAXPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsK9WOH_X5Hy
Source: iGZtra5EaP.exe, 0000000C.00000002.470898373.00000000018E0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: dhcpmon.exe, 00000012.00000002.413353329.00000000088D0000.00000004.00000001.sdmp	Binary or memory string: y types)VMware3TV9F2PNWin32_VideoControllerXYX6N6Y_Vid=
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: iGZtra5EaP.exe, 0000000C.00000002.470898373.00000000018E0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Memory written: C:\Users\user\Desktop\iGZtra5EaP.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Memory written: C:\Users\user\Desktop\iGZtra5EaP.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp3997.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Users\user\Desktop\iGZtra5EaP.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp489A.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4CC2.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpF219.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Process created: C:\Users\user\Desktop\iGZtra5EaP.exe {path}	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpF5E2.tmp'	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp63D.tmp'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}

Source: iGZtra5EaP.exe, 0000000C.00000002.474203989.00000000035BC000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: iGZtra5EaP.exe, 0000000C.00000002.471140321.0000000001E70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: iGZtra5EaP.exe, 0000000C.00000002.471140321.0000000001E70000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: iGZtra5EaP.exe, 0000000C.00000002.475401082.000000000374C000.00000004.00000001.sdmp	Binary or memory string: Program ManagerP%"D
Source: iGZtra5EaP.exe, 0000000C.00000002.474203989.00000000035BC000.00000004.00000001.sdmp	Binary or memory string: Program Managerx
Source: iGZtra5EaP.exe, 0000000C.00000002.471140321.0000000001E70000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Users\user\Desktop\iGZtra5EaP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Users\user\Desktop\iGZtra5EaP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Users\user\Desktop\iGZtra5EaP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Users\user\Desktop\iGZtra5EaP.exe VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\iGZtra5EaP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

Code function: 17_2_084B90D8 GetUserNameA,

17_2_084B90D8

Source: C:\Users\user\Desktop\iGZtra5EaP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 30.2.dhcpmon.exe.4060614.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a64c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.iGZtra5EaP.exe.3b59930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.4149930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d4c3d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d4629.30.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff0614.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.405b7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.448e778.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3feb7de.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d0000.31.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e3e40.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.4099930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d0000.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4492da1.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d0614.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a60614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.4149930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.4064c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4489942.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4553c80.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a60614.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e3e40.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff4c3d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.448e778.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.4099930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.4060614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff0614.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cc9930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d0614.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.471931d.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.472d94a.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.470d0e9.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476961664.000000000454E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.477941629.00000000048DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476599395.00000000044C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.423536148.0000000004019000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476392070.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.431679291.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.472713339.0000000003481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 4720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 5016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5200, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: iGZtra5EaP.exe, 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: iGZtra5EaP.exe, 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: iGZtra5EaP.exe, 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 30.2.dhcpmon.exe.4060614.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a64c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.iGZtra5EaP.exe.3b59930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.4149930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d4c3d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d4629.30.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff0614.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.405b7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.448e778.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3feb7de.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d0000.31.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e3e40.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.4099930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.69d0000.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4492da1.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4553c80.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d0614.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a60614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.4149930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a5b7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.4064c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4489942.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.454ee4a.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.4553c80.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44cb7de.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.iGZtra5EaP.exe.3a60614.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e3e40.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff4c3d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.448e778.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.45582a9.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.4099930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.dhcpmon.exe.4060614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3ff0614.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cc9930.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cfc550.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.44d0614.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iGZtra5EaP.exe.3cc9930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.iGZtra5EaP.exe.3b59930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.471931d.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.48e8469.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.472d94a.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.iGZtra5EaP.exe.470d0e9.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476961664.000000000454E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.477941629.00000000048DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476599395.00000000044C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.423536148.0000000004019000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.476392070.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.431679291.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.472713339.0000000003481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 4720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iGZtra5EaP.exe PID: 5016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5200, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Process Injection112	Masquerading2	Input Capture11	Security Software Discovery311	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion131	Security Account Manager	Virtualization/Sandbox Evasion131	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol21	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information3	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	System Information Discovery12	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
iGZtra5EaP.exe	49%	Virustotal		Browse
iGZtra5EaP.exe	64%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
iGZtra5EaP.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	64%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe	64%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
27.2.iGZtra5EaP.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
30.2.dhcpmon.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
12.2.iGZtra5EaP.exe.69d0000.31.unpack	100%	Avira	TR/NanoCore.fadte	Download File
12.2.iGZtra5EaP.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
33.2.dhcpmon.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

Source	Detection	Scanner	Label	Link
backupnew.duckdns.org	9%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
microsoftsecurity.sytes.net	9%	Virustotal		Browse
microsoftsecurity.sytes.net	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
backupnew.duckdns.org	9%	Virustotal		Browse
backupnew.duckdns.org	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://douglasheriot.com/uno/	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
backupnew.duckdns.org	20.197.234.75	true	true	9%, Virustotal, Browse	unknown
microsoftsecurity.sytes.net	20.206.66.33	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
microsoftsecurity.sytes.net	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
backupnew.duckdns.org	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false		high
http://www.tiro.com	dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://google.com	iGZtra5EaP.exe, 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false		high
http://douglasheriot.com/uno/	iGZtra5EaP.exe	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false		high
http://www.fonts.com	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	iGZtra5EaP.exe, 00000000.00000002.293558443.0000000002CC1000.00000004.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.398277931.0000000002B51000.00000004.00000001.sdmp, dhcpmon.exe, 00000012.00000002.400511596.0000000003091000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	iGZtra5EaP.exe, 00000000.00000002.298590445.0000000005D20000.00000002.00000001.sdmp, iGZtra5EaP.exe, 00000011.00000002.405976014.0000000005B70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.409652849.00000000060D0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.418390500.00000000060E0000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
20.206.66.33	microsoftsecurity.sytes.net	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.197.234.75	backupnew.duckdns.org	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458908
Start date:	03.08.2021
Start time:	21:11:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	iGZtra5EaP.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@30/15@7/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.8% (good quality ratio 0.5%) Quality average: 40.1% Quality standard deviation: 36.9%
HCA Information:	Successful, ratio: 99% Number of executed functions: 192 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.42.151.234, 168.61.161.212, 20.82.210.154, 23.35.236.56, 173.222.108.226, 173.222.108.210, 80.67.82.235, 80.67.82.211, 20.50.102.62, 23.211.6.115, 40.112.88.60 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:12:54	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
21:12:55	API Interceptor	653x Sleep call for process: iGZtra5EaP.exe modified
21:12:56	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\iGZtra5EaP.exe" s>$(Arg0)
21:12:56	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
backupnew.duckdns.org	y7PKSDpFe0.exe	Get hash	malicious	Browse	191.177.183.137

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	788480
Entropy (8bit):	7.405761902599822
Encrypted:	false
SSDEEP:	24576:K+J70cLvBwP+8oUSmntIV+60wST8OQpi:KK70qvFISLZ5I3
MD5:	5ABFC84B2A671617A4930A61E218B6C6
SHA1:	FB2E5175272B90AA204853DD2BA2DC175FF5958F
SHA-256:	776E6E841B2A1B1DACD2BEB12F76949DC9A395A45BD7107475D90B60F09E5F39
SHA-512:	64A5E3C121442007176DE090B4F24FBB7FFE0018BB774431D70B4941EFE9264E23349CF0A83750BEAE6172E05D30C9CBAAFD542F74FA22EDFEE190DD7515DF36
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 64%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....].`.................x..........^.... ........@.. .......................`............@.....................................O............................@....................................................... ............... ..H............text...dw... ...x.................. ..`.rsrc................z..............@..@.reloc.......@......................@..B................@.......H......................0...._...........................................0..............0..............s....(......0...........(......0............}......}.....(.........}........(...s'...}.......}......}.....u....,9..o.......(....r...p(....-...o.......(....r...p(....+..+....,...t....s0........}.....0..I...............(.... N... !l..a%..^E................+.... ...Z ..a+....}........0..E........ q[0. ..L.a%..^E............#...+!....$...s#...}..... .(.+Z ]r..a+.....0..

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\iGZtra5EaP.exe.log Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmp3997.tmp Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.197051255242617
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBpFtn:cbh47TlNQ//rydbz9I3YODOLNdq3nv
MD5:	F100F4090A302E04A4E5584333049320
SHA1:	69E6D2690B5E7D9BAFD8D69FF8D9ABEA0C34AC01
SHA-256:	A9DFF35D768ED46D311434A85F8BFF2F1B7D02160E6FCE7EFB8A579C90E02BB0
SHA-512:	CF0A3368A7A96FFD4A6DE947120BB61CA61C751DB91458BA4DC77EF2836B1D44E4AD3E464EB21FFD82AE9B1A17196545C09D196DE8D30A1716F3830499077430
Malicious:	true
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmp489A.tmp Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1300
Entropy (8bit):	5.108613782269879
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0zgLrxtn:cbk4oL600QydbQxIYODOLedq3Lvj
MD5:	73882135D094B9C109522AE7A7FB03A0
SHA1:	8455954767A1F42B6393ADCB5CA25E96CA467D7B
SHA-256:	9AD453C7A4F46761E71DC36D48B953E8A8818299E599528545284311EE94C7FF
SHA-512:	9785A28A920F0964EE37087EF8D6C17CC432F982EF88A684CFEA3261BE9CC01B6D89C67E2F631E50615416786E8D6A36AA8264C9086A0883C90E698B5BCA387B
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp4CC2.tmp Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp63D.tmp Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.197051255242617
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBpFtn:cbh47TlNQ//rydbz9I3YODOLNdq3nv
MD5:	F100F4090A302E04A4E5584333049320
SHA1:	69E6D2690B5E7D9BAFD8D69FF8D9ABEA0C34AC01
SHA-256:	A9DFF35D768ED46D311434A85F8BFF2F1B7D02160E6FCE7EFB8A579C90E02BB0
SHA-512:	CF0A3368A7A96FFD4A6DE947120BB61CA61C751DB91458BA4DC77EF2836B1D44E4AD3E464EB21FFD82AE9B1A17196545C09D196DE8D30A1716F3830499077430
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmpF219.tmp Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.197051255242617
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBpFtn:cbh47TlNQ//rydbz9I3YODOLNdq3nv
MD5:	F100F4090A302E04A4E5584333049320
SHA1:	69E6D2690B5E7D9BAFD8D69FF8D9ABEA0C34AC01
SHA-256:	A9DFF35D768ED46D311434A85F8BFF2F1B7D02160E6FCE7EFB8A579C90E02BB0
SHA-512:	CF0A3368A7A96FFD4A6DE947120BB61CA61C751DB91458BA4DC77EF2836B1D44E4AD3E464EB21FFD82AE9B1A17196545C09D196DE8D30A1716F3830499077430
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmpF5E2.tmp Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.197051255242617
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBpFtn:cbh47TlNQ//rydbz9I3YODOLNdq3nv
MD5:	F100F4090A302E04A4E5584333049320
SHA1:	69E6D2690B5E7D9BAFD8D69FF8D9ABEA0C34AC01
SHA-256:	A9DFF35D768ED46D311434A85F8BFF2F1B7D02160E6FCE7EFB8A579C90E02BB0
SHA-512:	CF0A3368A7A96FFD4A6DE947120BB61CA61C751DB91458BA4DC77EF2836B1D44E4AD3E464EB21FFD82AE9B1A17196545C09D196DE8D30A1716F3830499077430
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	data
Category:	dropped
Size (bytes):	696
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	12:X4LEnybgCF0uCYKZr+dLEnybgCF0uCYKZr+dLEnybgCF0uCYKZr+K:IQnybgC4jh+dQnybgC4jh+dQnybgC4jp
MD5:	AF6AA7C823112E2342E8D98BE5EDE0A9
SHA1:	D48CA92F4FA11CC9619185563F2D57A6099D21D0
SHA-256:	8D2ACD0CB78A2C690E2DCA1E9C92D273DAF4804DF0B4AC55E14D120C96F7671D
SHA-512:	B822403E85339F4FF2D88608D73DA75A149756FF44454386E1EB2451A6CCCE0F65ECA596F95BBBAD942C963F8C4CA2ADE582D6E50750596DB263BA879FB3ECE1
Malicious:	false
Reputation:	unknown
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	ATSC A/52 aka AC-3 aka Dolby Digital stream, reserved frequency,, emergency (E) 2 front/2 rear,
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:d:d
MD5:	20522AD33E431199BB129A1CA16DC20F
SHA1:	13C39E11506CDFEC1DB5466B527EB0FD330EA995
SHA-256:	C21A5D95DEA000373611071378FFB0EA886D4ED3F351DF8B7F1622B81E159164
SHA-512:	E49AD7E3542762FA4505433CC34A38175C6AD670D25D374104B3D7819F2162ABBA011B9AFD1181717A5FA80143EBEC7412653870F1C63713F2D88D7102BE8468
Malicious:	true
Reputation:	unknown
Preview:	.wB!.V.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	data
Category:	modified
Size (bytes):	327768
Entropy (8bit):	7.999367066417797
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
MD5:	2E52F446105FBF828E63CF808B721F9C
SHA1:	5330E54F238F46DC04C1AC62B051DB4FCD7416FB
SHA-256:	2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
SHA-512:	C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
Malicious:	false
Reputation:	unknown
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	37
Entropy (8bit):	4.337435460048129
Encrypted:	false
SSDEEP:	3:oNWXp5vMiZXEQgE1J:oNWXpFMgX5Br
MD5:	6C946DFBF2EF9628FED080E3558D6822
SHA1:	B3DF6F9B8483D7F991B1D45AD814E5411CBE9001
SHA-256:	A82D2B0C7E89C7C267181AC684F6319F8EF28CAFD5A4BB4B8792DECB80AD7403
SHA-512:	BF0E078002808DD32BFD4D8757857C64026C091647A79838B49D37F085377569E74D553872D0DB10FF6481958057FFF973EB257AC58F0EC43907004D627CC524
Malicious:	false
Reputation:	unknown
Preview:	C:\Users\user\Desktop\iGZtra5EaP.exe

C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe Download File
Process:	C:\Users\user\Desktop\iGZtra5EaP.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	788480
Entropy (8bit):	7.405761902599822
Encrypted:	false
SSDEEP:	24576:K+J70cLvBwP+8oUSmntIV+60wST8OQpi:KK70qvFISLZ5I3
MD5:	5ABFC84B2A671617A4930A61E218B6C6
SHA1:	FB2E5175272B90AA204853DD2BA2DC175FF5958F
SHA-256:	776E6E841B2A1B1DACD2BEB12F76949DC9A395A45BD7107475D90B60F09E5F39
SHA-512:	64A5E3C121442007176DE090B4F24FBB7FFE0018BB774431D70B4941EFE9264E23349CF0A83750BEAE6172E05D30C9CBAAFD542F74FA22EDFEE190DD7515DF36
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 64%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....].`.................x..........^.... ........@.. .......................`............@.....................................O............................@....................................................... ............... ..H............text...dw... ...x.................. ..`.rsrc................z..............@..@.reloc.......@......................@..B................@.......H......................0...._...........................................0..............0..............s....(......0...........(......0............}......}.....(.........}........(...s'...}.......}......}.....u....,9..o.......(....r...p(....-...o.......(....r...p(....+..+....,...t....s0........}.....0..I...............(.... N... !l..a%..^E................+.... ...Z ..a+....}........0..E........ q[0. ..L.a%..^E............#...+!....$...s#...}..... .(.+Z ]r..a+.....0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.405761902599822
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	iGZtra5EaP.exe
File size:	788480
MD5:	5abfc84b2a671617a4930a61e218b6c6
SHA1:	fb2e5175272b90aa204853dd2ba2dc175ff5958f
SHA256:	776e6e841b2a1b1dacd2beb12f76949dc9a395a45bd7107475d90b60f09e5f39
SHA512:	64a5e3c121442007176de090b4f24fbb7ffe0018bb774431d70b4941efe9264e23349cf0a83750beae6172e05d30c9cbaafd542f74fa22edfee190dd7515df36
SSDEEP:	24576:K+J70cLvBwP+8oUSmntIV+60wST8OQpi:KK70qvFISLZ5I3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....].`.................x..........^.... ........@.. .......................`............@................................

File Icon


Icon Hash:	f8beee8f9792cc60

Static PE Info

General
Entrypoint:	0x4a975e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60FF5D0A [Tue Jul 27 01:10:34 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa970c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xaa000	0x18a1c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa7764	0xa7800	False	0.768110132929	data	7.50200224495	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xaa000	0x18a1c	0x18c00	False	0.646977588384	data	6.18338598117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc4000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xaa1a8	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0xaa610	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 14476016, next used block 16777215
RT_ICON	0xab6b8	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0xadc60	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_ICON	0xb1e88	0x10828	dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON	0xc26b0	0x4c	data
RT_VERSION	0xc26fc	0x320	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2010 - 2021
Assembly Version	1.0.0.0
InternalName	IpTl.exe
FileVersion	1.0.0.0
CompanyName	Douglas Heriot
LegalTrademarks
Comments
ProductName	Uno
ProductVersion	1.0.0.0
FileDescription	Uno
OriginalFilename	IpTl.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/03/21-21:13:53.952166	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49737	1177	192.168.2.3	20.197.234.75
08/03/21-21:14:01.197544	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49743	1177	192.168.2.3	20.197.234.75
08/03/21-21:14:08.027723	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49744	1177	192.168.2.3	20.197.234.75
08/03/21-21:14:15.852637	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49745	1177	192.168.2.3	20.197.234.75

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 21:12:57.579962015 CEST	49724	1177	192.168.2.3	20.206.66.33
Aug 3, 2021 21:13:00.571827888 CEST	49724	1177	192.168.2.3	20.206.66.33
Aug 3, 2021 21:13:06.587903976 CEST	49724	1177	192.168.2.3	20.206.66.33
Aug 3, 2021 21:13:16.871193886 CEST	49733	1177	192.168.2.3	20.206.66.33
Aug 3, 2021 21:13:19.885943890 CEST	49733	1177	192.168.2.3	20.206.66.33
Aug 3, 2021 21:13:25.886432886 CEST	49733	1177	192.168.2.3	20.206.66.33
Aug 3, 2021 21:13:35.279393911 CEST	49734	1177	192.168.2.3	20.206.66.33
Aug 3, 2021 21:13:38.278109074 CEST	49734	1177	192.168.2.3	20.206.66.33
Aug 3, 2021 21:13:44.278810978 CEST	49734	1177	192.168.2.3	20.206.66.33
Aug 3, 2021 21:13:53.692378998 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:53.897825003 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:53.897969961 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:53.952166080 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:54.176150084 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.192786932 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:54.398108959 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.399007082 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:54.645457029 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.647166967 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:54.895523071 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908375025 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908399105 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908425093 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908472061 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908510923 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908514977 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:54.908531904 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908560038 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:54.908570051 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908590078 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908622980 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:54.908626080 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908644915 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:54.908664942 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:54.911101103 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.115344048 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115370989 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115396976 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115415096 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115437984 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115452051 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115462065 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.115470886 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115494013 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115519047 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115537882 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115552902 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115564108 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.115570068 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115595102 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115596056 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.115617037 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.115617990 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115633965 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115648985 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.115668058 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.115905046 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.116800070 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.116831064 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.116842985 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.116854906 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.116878986 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.117013931 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.320789099 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.320813894 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.320841074 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.320861101 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.320880890 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.320899963 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.320930004 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.320945978 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.320950985 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.320966959 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.320971012 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.320997953 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321034908 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.321091890 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321137905 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321180105 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.321201086 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321219921 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321244001 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.321263075 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321283102 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321306944 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321320057 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.321325064 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321346045 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321368933 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321386099 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321386099 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.321404934 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321428061 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321450949 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.321451902 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321466923 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.321469069 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321472883 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.321489096 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321510077 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321525097 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.321527004 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321546078 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321571112 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321583033 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.321585894 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321604013 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.321613073 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.322253942 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.322272062 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.322293043 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.322304010 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.322315931 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.322360039 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.322371960 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.322392941 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.322396040 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.322397947 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.322410107 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.322426081 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.323831081 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.327096939 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.526596069 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.526623011 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.526653051 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.526670933 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.526689053 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.526711941 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.526730061 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.526751041 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.526770115 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.526772976 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.526787996 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.526808023 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.526824951 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.526848078 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.526848078 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.526865959 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.526894093 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.526911020 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.526931047 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.526932955 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.526946068 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.526962042 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.526973009 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.526983976 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527000904 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527004957 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.527014971 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527034998 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527049065 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527062893 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527075052 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527091026 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527102947 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527134895 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.527139902 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527158022 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527175903 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527193069 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527210951 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527220964 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.527235985 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527242899 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.527255058 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527271986 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527282953 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.527290106 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527302980 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527321100 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527333021 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527350903 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527369022 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527380943 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527400017 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527410984 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.527416945 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.527446985 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.527544975 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.527559996 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.528686047 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.528702021 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.529359102 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.585092068 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732501984 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732522011 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732537985 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732548952 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732562065 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732578993 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732590914 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732605934 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732618093 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732621908 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.732630014 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732644081 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732656002 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732671022 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.732772112 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732790947 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732809067 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.732815981 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732834101 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732842922 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.732847929 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732861042 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732877016 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732897997 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.732909918 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732927084 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732940912 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732954025 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.732959032 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732975960 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.732990980 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733006954 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733007908 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.733021975 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733033895 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733036995 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.733050108 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733057976 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733064890 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.733069897 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733083010 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733098030 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733114958 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733127117 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.733131886 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733144045 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733159065 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.733163118 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733175993 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733186960 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733187914 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.733198881 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733211040 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.733211994 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733223915 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733237982 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733249903 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733251095 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.733262062 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733273983 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.733278036 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.733333111 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.733387947 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.734020948 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.734040022 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.734761953 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.937680006 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.937707901 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.937726974 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.937745094 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.937773943 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.937784910 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.937793016 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.937807083 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.937820911 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.937827110 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.937835932 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.937840939 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.937858105 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.937869072 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.937972069 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.938030005 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938051939 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938067913 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938083887 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938101053 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938122034 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938127041 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.938138008 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938143015 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.938158989 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938177109 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938193083 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938205004 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.938209057 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938221931 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.938224077 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938239098 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938256025 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938256025 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.938271999 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938273907 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.938288927 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938308954 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938323975 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938338995 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938344002 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.938354015 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938374043 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938389063 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938404083 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938410044 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.938420057 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938438892 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.938441038 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938451052 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938467979 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938473940 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.938484907 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938504934 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938505888 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.938519955 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938538074 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.938539982 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938555002 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938570023 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.938570976 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938585043 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.938586950 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938605070 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938623905 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.938652039 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.938791037 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:55.939548016 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.939569950 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:55.939656019 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.143209934 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143234968 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143260002 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143276930 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143296003 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143318892 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143316984 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.143343925 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143357992 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.143368959 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143404961 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.143433094 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143455029 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143471003 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143487930 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143536091 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.143559933 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143587112 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143610001 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143626928 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.143630981 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143651962 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143671989 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.143672943 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143695116 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143708944 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.143717051 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143738031 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143754005 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.143764019 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143788099 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143809080 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143812895 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.143829107 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143846989 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143863916 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143882036 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.143884897 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.143949986 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.144000053 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.144021988 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.144071102 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.144110918 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.144258976 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.144282103 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.144301891 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.144309998 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.144324064 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.144340038 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.144443035 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.144468069 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.144480944 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.144541025 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.144572020 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.144581079 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.144583941 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.144599915 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.144623995 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.144642115 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.144659042 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.144664049 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.144686937 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.144694090 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.144709110 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.144717932 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.144731998 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.144752026 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.144752979 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.144787073 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.327301979 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.348766088 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.348819971 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.348851919 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.348860025 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.348895073 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.348900080 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.348910093 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.348936081 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.348946095 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.348974943 CEST	1177	49737	20.197.234.75	192.168.2.3
Aug 3, 2021 21:13:56.349004030 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:13:56.349026918 CEST	49737	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:00.970020056 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:01.175970078 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:01.176161051 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:01.197544098 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:01.419172049 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:01.419339895 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:01.676690102 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:01.676873922 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:01.882389069 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:01.883533955 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.129656076 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.147871017 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.147905111 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.147931099 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.147958040 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.147984028 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.148000002 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.148004055 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.148022890 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.148030043 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.148056984 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.148077011 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.148082972 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.148108959 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.148128033 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.148168087 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.328252077 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.353526115 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.353562117 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.353584051 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.353606939 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.353629112 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.353652000 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.353667974 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.353673935 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.353692055 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.353696108 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.353701115 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.353723049 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.353724957 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.353745937 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.353766918 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.353789091 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.353811026 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.353837013 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.353835106 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.353847027 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.353849888 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.353862047 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.353883982 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.353907108 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.353919983 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.353940964 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.353961945 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.353986025 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.353996038 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.354000092 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.354160070 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.559748888 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.559777975 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.559799910 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.559818983 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.559849024 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.559870005 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.559873104 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.559894085 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.559906960 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.559912920 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.559933901 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.559935093 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.559952021 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.559957027 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.559973001 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.559992075 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.559995890 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.560020924 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560033083 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.560050011 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560106993 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560127974 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.560131073 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560151100 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560169935 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560183048 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.560194969 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560214043 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560225010 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.560239077 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560260057 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.560261011 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560280085 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560300112 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.560301065 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560321093 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560339928 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560354948 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560374975 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560395956 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560416937 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560431957 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560453892 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560473919 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560493946 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560520887 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560539961 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560559988 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560580015 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560600042 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560621977 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.560623884 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.560698986 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.560739994 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.560820103 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.560827971 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.560832977 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.560837030 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.560883045 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.560887098 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.765916109 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.765954971 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.765981913 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766009092 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766033888 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766053915 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.766060114 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766082048 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.766099930 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766127110 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766135931 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.766153097 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766180038 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766205072 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766211033 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.766232014 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766237974 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.766258001 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766297102 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766300917 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.766331911 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766349077 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766374111 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.766391993 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766419888 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766427994 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.766452074 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766462088 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.766480923 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766505957 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766530037 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.766534090 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766561985 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766582966 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.766587019 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766613007 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766639948 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766664982 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.766676903 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766691923 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766697884 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.766717911 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766741037 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.766743898 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766769886 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766778946 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.766802073 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766832113 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766854048 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.766859055 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766885042 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766910076 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.766910076 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766935110 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766953945 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.766961098 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.766985893 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.767016888 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.767018080 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.767045975 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.767061949 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.767071962 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.767097950 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.767138958 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.767143965 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.767170906 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.767196894 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.767222881 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.767225027 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.767255068 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.767256021 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.767304897 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.972721100 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.972805977 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.972871065 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.972899914 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.972918034 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.972965002 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973006964 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973030090 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.973047972 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973071098 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.973073006 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973117113 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973139048 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.973141909 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973160982 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973187923 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973207951 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.973212004 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973236084 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973237991 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.973258972 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973278999 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.973283052 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973305941 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973329067 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973351955 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973361969 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.973380089 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973395109 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.973406076 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973426104 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.973429918 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973454952 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973479033 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973495007 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.973503113 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973526955 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973526955 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.973551035 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973567009 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.973579884 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973603964 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973615885 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.973627090 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973650932 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973675013 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973697901 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973700047 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.973721981 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973728895 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.973746061 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973761082 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.973773003 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973797083 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973819017 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.973820925 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973845005 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973866940 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973890066 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973906994 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.973913908 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973937035 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973947048 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.973963022 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.973987103 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.974009991 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.974033117 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.974051952 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:02.974054098 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.974092007 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:02.974168062 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.179470062 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179505110 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179528952 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179553032 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179578066 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179600000 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179620028 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179642916 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179667950 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179687977 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.179689884 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179712057 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179732084 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179753065 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179759979 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.179771900 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179794073 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.179795980 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179821014 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.179822922 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179847956 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179872990 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179883957 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.179896116 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179918051 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179927111 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.179941893 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179965019 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.179965019 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.179987907 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180008888 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.180011988 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180036068 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180059910 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180080891 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180079937 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.180099964 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180114985 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180114985 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.180130005 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180145025 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180156946 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.180160046 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180179119 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180181980 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.180196047 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180214882 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.180218935 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180241108 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180257082 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.180260897 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180280924 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180282116 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.180299997 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180319071 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180332899 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.180346966 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180368900 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180383921 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.180388927 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180404902 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.180411100 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180433989 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180453062 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180468082 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.180476904 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180495024 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.180500984 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.180696011 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.327820063 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.385880947 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.385915995 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.385943890 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.385961056 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.385970116 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.385982990 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386001110 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386017084 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386029005 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386049032 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386054039 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386065960 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386081934 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386094093 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386107922 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386118889 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386135101 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386146069 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386161089 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386184931 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386203051 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386225939 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386233091 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386255980 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386255980 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386279106 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386282921 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386296034 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386311054 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386321068 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386336088 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386348009 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386365891 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386370897 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386393070 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386398077 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386418104 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386428118 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386445045 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386449099 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386471033 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386478901 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386497021 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386504889 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386523962 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386528969 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386548996 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386554956 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386579037 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386583090 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386607885 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386612892 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386632919 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386641979 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386660099 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386663914 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386686087 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386693954 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386710882 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386718988 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386738062 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386746883 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386763096 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386771917 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386792898 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386797905 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386820078 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386827946 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386846066 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386853933 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386872053 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386879921 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386898041 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386905909 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386924028 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386930943 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386950016 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386959076 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.386976004 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.386981964 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.387006044 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.387008905 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.387032986 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.387041092 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.387058973 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.387067080 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.387084961 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.387094021 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.387109995 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.387126923 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.387161016 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.387180090 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.387186050 CEST	1177	49743	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:03.387203932 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:03.387249947 CEST	49743	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:07.821561098 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:08.026835918 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:08.026987076 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:08.027723074 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:08.256501913 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:08.256791115 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:08.461868048 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:08.461942911 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:08.707760096 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:08.707859993 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:08.957807064 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:08.969230890 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:08.969295025 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:08.969337940 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:08.969374895 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:08.969397068 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:08.969413996 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:08.969446898 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:08.969451904 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:08.969489098 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:08.969506979 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:08.969527006 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:08.969563961 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:08.969610929 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:08.969620943 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:08.969661951 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.174741983 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.174896955 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.174938917 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.174977064 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.175007105 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.175012112 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.175036907 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.175050020 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.175086021 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.175101042 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.175138950 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.175165892 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.175193071 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.175220013 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.175225973 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.175245047 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.175256968 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.175271034 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.175295115 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.175307989 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.175318956 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.175342083 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.175355911 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.175364971 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.175390959 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.175400972 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.175416946 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.175438881 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.175451040 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.175929070 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.330303907 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.380558014 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.380594969 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.380615950 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.380654097 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.380676031 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.380697012 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.380700111 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.380718946 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.380740881 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.380767107 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.380776882 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.380791903 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.380812883 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.380831003 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.380836010 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.380857944 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.380877018 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.380878925 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.380901098 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.380923033 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.380929947 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.380949974 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.380974054 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.380985022 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.380995989 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381016970 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381031990 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.381038904 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381059885 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381082058 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381098986 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.381103992 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381136894 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381160975 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381160975 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.381185055 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381206989 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381208897 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.381227970 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381248951 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381258011 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.381272078 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381294012 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381306887 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.381320953 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381345034 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381366014 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381366014 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.381387949 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381408930 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381423950 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.381429911 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381452084 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381464005 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.381473064 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.381516933 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.381565094 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.582706928 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586545944 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586568117 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586584091 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586599112 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586616993 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586632967 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586647987 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586664915 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.586667061 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586685896 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586721897 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.586735964 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586754084 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586770058 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586781979 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586800098 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586808920 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.586817980 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586833000 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586848021 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586850882 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.586863995 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586878061 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586879015 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.586893082 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586909056 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586913109 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.586926937 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586941004 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.586945057 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586960077 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586973906 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.586977959 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.586988926 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587003946 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587018967 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.587023020 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587040901 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587060928 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.587064028 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587085009 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587104082 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587129116 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.587136030 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587156057 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.587157011 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587177992 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587194920 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587213039 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587229013 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587229967 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.587249994 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587263107 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.587270975 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587289095 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587289095 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.587307930 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587316036 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.587327003 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587347031 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587352037 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.587364912 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587384939 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587393045 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.587399960 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587414980 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.587445974 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.587485075 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.792682886 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.792737961 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.792781115 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.792823076 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.792856932 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.792857885 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.792889118 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.792896032 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.792933941 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.792957067 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.792979956 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.792999029 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793013096 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.793037891 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793071032 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.793076038 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793096066 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793133974 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793148041 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.793155909 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793178082 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793191910 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.793196917 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793216944 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793234110 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.793236017 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793253899 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793272972 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.793275118 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793294907 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793313980 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.793317080 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793337107 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793354988 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793355942 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.793415070 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793432951 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.793435097 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793457031 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793473959 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.793505907 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793525934 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793544054 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793549061 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.793566942 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793586016 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793593884 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.793605089 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793625116 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793631077 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.793643951 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793661118 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.793663979 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793684006 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793700933 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793704033 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.793723106 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793745041 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793756962 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.793766022 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793787956 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793795109 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.793808937 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793828011 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793831110 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.793848038 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793867111 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.793869019 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793893099 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793915987 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.793917894 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.793958902 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.999316931 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.999407053 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.999474049 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.999528885 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.999532938 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.999602079 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.999638081 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.999665022 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.999707937 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.999716043 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.999738932 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.999758005 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.999775887 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.999780893 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.999802113 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.999820948 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.999821901 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.999840975 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.999861956 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.999867916 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.999882936 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.999900103 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.999902964 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.999922991 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.999946117 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.999954939 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.999969006 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:09.999989986 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:09.999989986 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000010967 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000030994 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000049114 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.000050068 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000070095 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000087976 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.000089884 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000113010 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000119925 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.000135899 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000154972 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000161886 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.000176907 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000195980 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000204086 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.000217915 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000240088 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000241995 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.000260115 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000276089 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.000283957 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000303984 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000323057 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000343084 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000343084 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.000363111 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000381947 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000384092 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.000402927 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000411987 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.000423908 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000446081 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000448942 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.000471115 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000490904 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.000490904 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000550032 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000559092 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.000574112 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000593901 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000613928 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.000617027 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.000655890 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.208434105 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.208457947 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.208470106 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.208506107 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.208524942 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.208542109 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.208555937 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.208578110 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.208592892 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.208600044 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.208607912 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.208623886 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.208625078 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.208638906 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.208657026 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.208667994 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.208692074 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.208729982 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.208781958 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.209068060 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.209230900 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.209291935 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.209424019 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.209474087 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.209517002 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.209521055 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.209557056 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.209595919 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.209598064 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.209636927 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.209682941 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.209686995 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.209732056 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.209772110 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.209779024 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.209813118 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.209853888 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.209853888 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.209893942 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.209933043 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.209939003 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.209971905 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.210014105 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.210026026 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.210069895 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.210110903 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.284461975 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.346240044 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.491054058 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491079092 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491094112 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491158009 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491197109 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491221905 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491235971 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.491261005 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491281986 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491282940 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.491302967 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491341114 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.491344929 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491364002 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491367102 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.491405964 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491406918 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.491425037 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491441011 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491449118 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.491488934 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491492033 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.491512060 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491532087 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.491535902 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491571903 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.491585016 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491595984 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.491606951 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491621971 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.491636992 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.491651058 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491667032 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491684914 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:10.491689920 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.491708994 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.491740942 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:10.602055073 CEST	1177	49744	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:11.596939087 CEST	49744	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:15.645524979 CEST	49745	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:15.852154970 CEST	1177	49745	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:15.852262020 CEST	49745	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:15.852637053 CEST	49745	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:16.079766989 CEST	1177	49745	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:16.079967022 CEST	49745	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:16.286473989 CEST	1177	49745	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:16.287188053 CEST	49745	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:16.542690992 CEST	1177	49745	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:16.621334076 CEST	1177	49745	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:16.633764029 CEST	49745	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:16.840351105 CEST	1177	49745	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:16.845769882 CEST	49745	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:17.052263021 CEST	1177	49745	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:17.053579092 CEST	49745	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:17.260416985 CEST	1177	49745	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:17.260855913 CEST	49745	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:17.511542082 CEST	1177	49745	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:17.512813091 CEST	49745	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:17.761470079 CEST	1177	49745	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:20.118555069 CEST	49745	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:20.371035099 CEST	1177	49745	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:21.075942993 CEST	1177	49745	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:21.125529051 CEST	49745	1177	192.168.2.3	20.197.234.75
Aug 3, 2021 21:14:21.794574976 CEST	1177	49745	20.197.234.75	192.168.2.3
Aug 3, 2021 21:14:21.844408035 CEST	49745	1177	192.168.2.3	20.197.234.75

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 21:12:01.109611988 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:01.134887934 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:02.063708067 CEST	60152	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:02.091734886 CEST	53	60152	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:03.066673994 CEST	57544	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:03.103312969 CEST	53	57544	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:04.533109903 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:04.557722092 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:06.049359083 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:06.082962036 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:07.082231998 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:07.106795073 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:08.409079075 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:08.433707952 CEST	53	58361	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:09.438163042 CEST	63492	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:09.472070932 CEST	53	63492	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:10.619234085 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:10.644360065 CEST	53	60831	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:11.951595068 CEST	60100	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:11.984942913 CEST	53	60100	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:13.041790962 CEST	53195	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:13.066571951 CEST	53	53195	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:14.066262007 CEST	50141	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:14.093660116 CEST	53	50141	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:15.132930994 CEST	53023	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:15.160356045 CEST	53	53023	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:16.128326893 CEST	49563	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:16.155726910 CEST	53	49563	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:16.948605061 CEST	51352	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:16.975970984 CEST	53	51352	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:17.785754919 CEST	59349	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:17.811728001 CEST	53	59349	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:18.827930927 CEST	57084	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:18.860707998 CEST	53	57084	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:28.849370003 CEST	58823	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:28.893198013 CEST	53	58823	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:38.021297932 CEST	57568	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:38.058449030 CEST	53	57568	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:55.061098099 CEST	50540	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:55.111238003 CEST	53	50540	8.8.8.8	192.168.2.3
Aug 3, 2021 21:12:57.517040014 CEST	54366	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:12:57.551525116 CEST	53	54366	8.8.8.8	192.168.2.3
Aug 3, 2021 21:13:05.174351931 CEST	53034	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:13:05.206892967 CEST	53	53034	8.8.8.8	192.168.2.3
Aug 3, 2021 21:13:08.243547916 CEST	57762	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:13:08.280884027 CEST	53	57762	8.8.8.8	192.168.2.3
Aug 3, 2021 21:13:16.810172081 CEST	55435	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:13:16.852745056 CEST	53	55435	8.8.8.8	192.168.2.3
Aug 3, 2021 21:13:35.243072987 CEST	50713	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:13:35.278100014 CEST	53	50713	8.8.8.8	192.168.2.3
Aug 3, 2021 21:13:41.339929104 CEST	56132	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:13:41.373847961 CEST	53	56132	8.8.8.8	192.168.2.3
Aug 3, 2021 21:13:53.562072992 CEST	58987	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:13:53.690700054 CEST	53	58987	8.8.8.8	192.168.2.3
Aug 3, 2021 21:13:55.349746943 CEST	56579	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:13:55.382289886 CEST	53	56579	8.8.8.8	192.168.2.3
Aug 3, 2021 21:13:55.394263983 CEST	60633	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:13:55.441853046 CEST	53	60633	8.8.8.8	192.168.2.3
Aug 3, 2021 21:14:00.827917099 CEST	61292	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:14:00.968957901 CEST	53	61292	8.8.8.8	192.168.2.3
Aug 3, 2021 21:14:07.783363104 CEST	63619	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:14:07.818789959 CEST	53	63619	8.8.8.8	192.168.2.3
Aug 3, 2021 21:14:15.611778975 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:14:15.644599915 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 3, 2021 21:14:22.665736914 CEST	61946	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:14:22.698612928 CEST	53	61946	8.8.8.8	192.168.2.3
Aug 3, 2021 21:14:22.919195890 CEST	64910	53	192.168.2.3	8.8.8.8
Aug 3, 2021 21:14:22.952229977 CEST	53	64910	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 21:12:57.517040014 CEST	192.168.2.3	8.8.8.8	0x2fa0	Standard query (0)	microsoftsecurity.sytes.net	A (IP address)	IN (0x0001)
Aug 3, 2021 21:13:16.810172081 CEST	192.168.2.3	8.8.8.8	0xced5	Standard query (0)	microsoftsecurity.sytes.net	A (IP address)	IN (0x0001)
Aug 3, 2021 21:13:35.243072987 CEST	192.168.2.3	8.8.8.8	0x56c6	Standard query (0)	microsoftsecurity.sytes.net	A (IP address)	IN (0x0001)
Aug 3, 2021 21:13:53.562072992 CEST	192.168.2.3	8.8.8.8	0x3bf6	Standard query (0)	backupnew.duckdns.org	A (IP address)	IN (0x0001)
Aug 3, 2021 21:14:00.827917099 CEST	192.168.2.3	8.8.8.8	0x5378	Standard query (0)	backupnew.duckdns.org	A (IP address)	IN (0x0001)
Aug 3, 2021 21:14:07.783363104 CEST	192.168.2.3	8.8.8.8	0xa0b0	Standard query (0)	backupnew.duckdns.org	A (IP address)	IN (0x0001)
Aug 3, 2021 21:14:15.611778975 CEST	192.168.2.3	8.8.8.8	0xdf8f	Standard query (0)	backupnew.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 3, 2021 21:12:57.551525116 CEST	8.8.8.8	192.168.2.3	0x2fa0	No error (0)	microsoftsecurity.sytes.net	20.206.66.33	A (IP address)	IN (0x0001)
Aug 3, 2021 21:13:16.852745056 CEST	8.8.8.8	192.168.2.3	0xced5	No error (0)	microsoftsecurity.sytes.net	20.206.66.33	A (IP address)	IN (0x0001)
Aug 3, 2021 21:13:35.278100014 CEST	8.8.8.8	192.168.2.3	0x56c6	No error (0)	microsoftsecurity.sytes.net	20.206.66.33	A (IP address)	IN (0x0001)
Aug 3, 2021 21:13:53.690700054 CEST	8.8.8.8	192.168.2.3	0x3bf6	No error (0)	backupnew.duckdns.org	20.197.234.75	A (IP address)	IN (0x0001)
Aug 3, 2021 21:14:00.968957901 CEST	8.8.8.8	192.168.2.3	0x5378	No error (0)	backupnew.duckdns.org	20.197.234.75	A (IP address)	IN (0x0001)
Aug 3, 2021 21:14:07.818789959 CEST	8.8.8.8	192.168.2.3	0xa0b0	No error (0)	backupnew.duckdns.org	20.197.234.75	A (IP address)	IN (0x0001)
Aug 3, 2021 21:14:15.644599915 CEST	8.8.8.8	192.168.2.3	0xdf8f	No error (0)	backupnew.duckdns.org	20.197.234.75	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: iGZtra5EaP.exe PID: 5832 Parent PID: 5496

General

Start time:	21:12:07
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\iGZtra5EaP.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\iGZtra5EaP.exe'
Imagebase:	0x950000
File size:	788480 bytes
MD5 hash:	5ABFC84B2A671617A4930A61E218B6C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.294511650.0000000003CC9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.293558443.0000000002CC1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6008 Parent PID: 5832

General

Start time:	21:12:49
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp3997.tmp'
Imagebase:	0xae0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5896 Parent PID: 6008

General

Start time:	21:12:50
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iGZtra5EaP.exe PID: 4720 Parent PID: 5832

General

Start time:	21:12:51
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\iGZtra5EaP.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xef0000
File size:	788480 bytes
MD5 hash:	5ABFC84B2A671617A4930A61E218B6C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.482078580.0000000006E40000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.482078580.0000000006E40000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.476961664.000000000454E000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.476961664.000000000454E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.477178193.000000000465D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.482179100.0000000006E90000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.482179100.0000000006E90000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.471078718.0000000001AD0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.471078718.0000000001AD0000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.475401082.000000000374C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.481910813.0000000006DB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.481910813.0000000006DB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.481995550.0000000006E00000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.481995550.0000000006E00000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.481497763.00000000069D0000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.482020693.0000000006E10000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.482020693.0000000006E10000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.481961618.0000000006DE0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.481961618.0000000006DE0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.481945946.0000000006DD0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.481945946.0000000006DD0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.467302367.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.482036750.0000000006E20000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.482036750.0000000006E20000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.473787584.00000000034F7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.480093816.0000000005EC0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.480093816.0000000005EC0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.482102080.0000000006E50000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.482102080.0000000006E50000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.477941629.00000000048DF000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.477941629.00000000048DF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.480306697.0000000006760000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.480306697.0000000006760000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.476599395.00000000044C9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.476599395.00000000044C9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.476392070.0000000004481000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.476392070.0000000004481000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.481978911.0000000006DF0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.481978911.0000000006DF0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.472713339.0000000003481000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 4664 Parent PID: 4720

General

Start time:	21:12:53
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp489A.tmp'
Imagebase:	0xae0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 2588 Parent PID: 4664

General

Start time:	21:12:53
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 5556 Parent PID: 4720

General

Start time:	21:12:54
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp4CC2.tmp'
Imagebase:	0xae0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 256 Parent PID: 5556

General

Start time:	21:12:54
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iGZtra5EaP.exe PID: 1288 Parent PID: 528

General

Start time:	21:12:56
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\iGZtra5EaP.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\iGZtra5EaP.exe 0
Imagebase:	0x630000
File size:	788480 bytes
MD5 hash:	5ABFC84B2A671617A4930A61E218B6C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000011.00000002.398277931.0000000002B51000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000011.00000002.400817271.0000000003B59000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 496 Parent PID: 528

General

Start time:	21:12:57
Start date:	03/08/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0xc60000
File size:	788480 bytes
MD5 hash:	5ABFC84B2A671617A4930A61E218B6C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000012.00000002.404628541.0000000004099000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000012.00000002.400511596.0000000003091000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 64%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 5756 Parent PID: 3388

General

Start time:	21:13:03
Start date:	03/08/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0xc20000
File size:	788480 bytes
MD5 hash:	5ABFC84B2A671617A4930A61E218B6C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000014.00000002.411142657.0000000003141000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000014.00000002.412689646.0000000004149000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5044 Parent PID: 1288

General

Start time:	21:13:37
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpF219.tmp'
Imagebase:	0xae0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5096 Parent PID: 5044

General

Start time:	21:13:38
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iGZtra5EaP.exe PID: 5016 Parent PID: 1288

General

Start time:	21:13:38
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\iGZtra5EaP.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x520000
File size:	788480 bytes
MD5 hash:	5ABFC84B2A671617A4930A61E218B6C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.417862891.0000000002A11000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.415827598.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.418018556.0000000003A19000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5004 Parent PID: 496

General

Start time:	21:13:38
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpF5E2.tmp'
Imagebase:	0xae0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 1324 Parent PID: 5004

General

Start time:	21:13:39
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: dhcpmon.exe PID: 3008 Parent PID: 496

General

Start time:	21:13:40
Start date:	03/08/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xb20000
File size:	788480 bytes
MD5 hash:	5ABFC84B2A671617A4930A61E218B6C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.422052368.0000000003011000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.417477798.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.423536148.0000000004019000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.423536148.0000000004019000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Chronological Activities

Analysis Process: schtasks.exe PID: 1036 Parent PID: 5756

General

Start time:	21:13:43
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp63D.tmp'
Imagebase:	0xae0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 5072 Parent PID: 1036

General

Start time:	21:13:43
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: dhcpmon.exe PID: 5200 Parent PID: 5756

General

Start time:	21:13:44
Start date:	03/08/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xb10000
File size:	788480 bytes
MD5 hash:	5ABFC84B2A671617A4930A61E218B6C6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000021.00000002.428437498.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000021.00000002.431850871.0000000003FA9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000002.431679291.0000000002FA1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000021.00000002.431679291.0000000002FA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: iGZtra5EaP.exe PID: 5832 Parent PID: 5496 iGZtra5EaP.exeCOMMON

Executed Functions

Function 052AA5E4, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.297587957.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd53a2087612f89a5bf1d641ffd3f41db741f99dc14c6f67bc200dcc20cabeb
Instruction ID: 9b9ba20601dbe6dcf1d1f194351251c210e9c6a88c4fc85ceab008e5115310d7
Opcode Fuzzy Hash: edd53a2087612f89a5bf1d641ffd3f41db741f99dc14c6f67bc200dcc20cabeb
Instruction Fuzzy Hash: B381D3313017459BC30AAB78C8557AEB7E3AFC9304F54886DC25A9B355DF71AC0ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 052A1AC0, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.297587957.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e3349b308c1f74d57a2b0d1ea565e58e02d7b6fdd416e92190c887a2bf2704
Instruction ID: a61c1bd75fb11a1a5c76f630db3f84ba2b4ef4f462f6433a09c2d64532e1c5f1
Opcode Fuzzy Hash: 09e3349b308c1f74d57a2b0d1ea565e58e02d7b6fdd416e92190c887a2bf2704
Instruction Fuzzy Hash: 2E918D36E107198FCB04DFE0D8549DDBBBABF89314F148615E416AF7A4EB70A885CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B57E79, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293420575.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c824b20cc2552ddf0716a21a1aefbb9c3b7652962a14c740a5bdeda54ff1156a
Instruction ID: 39f42758b4baa8a025cbbc5ebf71266b242fe020130ff2c8d1e265db347208c0
Opcode Fuzzy Hash: c824b20cc2552ddf0716a21a1aefbb9c3b7652962a14c740a5bdeda54ff1156a
Instruction Fuzzy Hash: A4515234E15209EFDB44CFA5C5456ADFFBAEF89200F24D8A99405EB268DB349F41DB04

Uniqueness

Uniqueness Score: -1.00%

Function 02B57E88, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293420575.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4476e23ce410d42e57ec12f8bf66ad51862f09f47c9dfdd61753718d411e627f
Instruction ID: 0398db904fc15e0ccebffa89406b87eab4ae9c1ddc687784567e20183890e46b
Opcode Fuzzy Hash: 4476e23ce410d42e57ec12f8bf66ad51862f09f47c9dfdd61753718d411e627f
Instruction Fuzzy Hash: 22515234E15209EFDB44CFA5C5446ADFFBAEF89200F24D8A98405EB268DB349F41DB14

Uniqueness

Uniqueness Score: -1.00%

Function 02B5AC08, Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B5AE4E

Memory Dump Source

Source File: 00000000.00000002.293420575.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ab51b1643b9ab85d44f69e37dd46aa1fb6dc9dbea878b9f975ae28f857c202fe
Instruction ID: 1a28e46e6ca085b13ff244f372743703f96842893b077d4c4a1d5b0f91b0925f
Opcode Fuzzy Hash: ab51b1643b9ab85d44f69e37dd46aa1fb6dc9dbea878b9f975ae28f857c202fe
Instruction Fuzzy Hash: 15712570A00B158FDB64DF2AC44075ABBF5FF88204F008A6ED95ADBA50DB35E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 052A1759, Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 052A18CA

Memory Dump Source

Source File: 00000000.00000002.297587957.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 88849fe6fff4371a9ec01573d1bb0079bcb362722c82bed6528f25d62bc12d70
Instruction ID: 2169186b667a6aed17c171e1c2a24fa4fa9ebc45dc41f8c3a30e6550bb0b5b8d
Opcode Fuzzy Hash: 88849fe6fff4371a9ec01573d1bb0079bcb362722c82bed6528f25d62bc12d70
Instruction Fuzzy Hash: 125103B2C10249AFDF01CFA9C880ADEBFB1FF48310F14816AE808AB221D7759995CF50

Uniqueness

Uniqueness Score: -1.00%

Function 052A17B8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 052A18CA

Memory Dump Source

Source File: 00000000.00000002.297587957.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c972ccedb628266eb482cfab767a2e5bd94492efca4c83b2de762e313661d522
Instruction ID: 1c37f16c2f23084c9027f9b2e21632058fefa54e0f3dc5b40c9a20c60089685a
Opcode Fuzzy Hash: c972ccedb628266eb482cfab767a2e5bd94492efca4c83b2de762e313661d522
Instruction Fuzzy Hash: CF41BEB1D10309DFDB14CF9AC884ADEFBB5BF88314F24812AE819AB210D7749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02B5423C, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02B55741

Memory Dump Source

Source File: 00000000.00000002.293420575.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6202cb2448a3a5268f9f676f52b2ac65990cc6f296e68787433c64a23ecd5a51
Instruction ID: 3ab5d223aa3c4e61da4b4ac0ecfb744f79bb14dfc4f50087cd9e2be59cb13836
Opcode Fuzzy Hash: 6202cb2448a3a5268f9f676f52b2ac65990cc6f296e68787433c64a23ecd5a51
Instruction Fuzzy Hash: 1741F1B0C00629CBDB24DFA9C884BDEBBB5FF88304F6080A9D508AB251DB756945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02B55685, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02B55741

Memory Dump Source

Source File: 00000000.00000002.293420575.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7886adecabcc50cc0a4d13917183998315bd10aea7fcf798813b19dc4389dbef
Instruction ID: c7990f5ddcb8140054dd4bfcc49936d6d1602431caad00418556f9d426af1da9
Opcode Fuzzy Hash: 7886adecabcc50cc0a4d13917183998315bd10aea7fcf798813b19dc4389dbef
Instruction Fuzzy Hash: 05411270C00629CFDB24CFA9C884BDEBBB5FF88308F6481AAD508AB251DB756945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 052A3D70, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 052A3E31

Memory Dump Source

Source File: 00000000.00000002.297587957.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: bedb1db47cf35c368f6998850e02afec65f6fdbc7ea80046a83a4884e57b91a6
Instruction ID: 5a618eff7af8e316733bb1e36c1f44edbd89543d018db0e97a963f1a0eba6ea8
Opcode Fuzzy Hash: bedb1db47cf35c368f6998850e02afec65f6fdbc7ea80046a83a4884e57b91a6
Instruction Fuzzy Hash: 624147B5A10245CFCB10CF89C488AAABBF6FF98314F24C859D519AB321D774A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B5B5B5, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B5D4E6,?,?,?,?,?), ref: 02B5D5A7

Memory Dump Source

Source File: 00000000.00000002.293420575.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3082ed41a9d6995ed793ceefa6a8788d1d0594629cddd251d4d91b43b6a9c544
Instruction ID: 4f736b0b193bda0418e4b173194bc74b9591240aaa9abcda4f704af0ca7dd1fb
Opcode Fuzzy Hash: 3082ed41a9d6995ed793ceefa6a8788d1d0594629cddd251d4d91b43b6a9c544
Instruction Fuzzy Hash: 782126B5901209DFCB00CFA9D884BEEBBF8EB48314F14805AE915A7211D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B5B5C4, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B5D4E6,?,?,?,?,?), ref: 02B5D5A7

Memory Dump Source

Source File: 00000000.00000002.293420575.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: febc04dd9fa45d55d9112b9104607e947a3e8a8d31cd9c83e57541ed829f2db4
Instruction ID: 966a7483bd8806fbdb4cf07ea549da8c4a3e127e32299d5c7b62422773c9c362
Opcode Fuzzy Hash: febc04dd9fa45d55d9112b9104607e947a3e8a8d31cd9c83e57541ed829f2db4
Instruction Fuzzy Hash: 782123B5900219EFCB10CF9AD884ADEFBF8EB48324F14801AE914A7310D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B5D518, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B5D4E6,?,?,?,?,?), ref: 02B5D5A7

Memory Dump Source

Source File: 00000000.00000002.293420575.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4568c4d3cbaad8a616f588a6d389ff1bd25dadace9a4a32514cc3f7c352bcdd5
Instruction ID: 371f522607db1b8bbcb6fe004e6013811e0ef71cbb7c1bb98d2924a85a325b08
Opcode Fuzzy Hash: 4568c4d3cbaad8a616f588a6d389ff1bd25dadace9a4a32514cc3f7c352bcdd5
Instruction Fuzzy Hash: 7221E0B5900219DFDB00CFA9D584AEEBBF8EB48324F14855AE914A7310D378A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B5B068, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B5AEC9,00000800,00000000,00000000), ref: 02B5B0DA

Memory Dump Source

Source File: 00000000.00000002.293420575.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d30640de811644a0288cbe23546ae6979a57af35ce9091ba8cbc1ee7cfa3e7c3
Instruction ID: c0eef84ea1f344f88f394cc3781384b3940636e9584cbb03055c10662898dd64
Opcode Fuzzy Hash: d30640de811644a0288cbe23546ae6979a57af35ce9091ba8cbc1ee7cfa3e7c3
Instruction Fuzzy Hash: 6D1114B29002099FCB10CF9AC844BDEFBF4FF88724F04842AD929A7600C775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B59FB8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B5AEC9,00000800,00000000,00000000), ref: 02B5B0DA

Memory Dump Source

Source File: 00000000.00000002.293420575.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f922225026ad3a125f8a0f567ecab4a35987513ed09893cbae8f8d16ae594ae7
Instruction ID: 8708426a01927cd8cba01a0e13718a594fe8974c30ca0cb0f392d717b2656e13
Opcode Fuzzy Hash: f922225026ad3a125f8a0f567ecab4a35987513ed09893cbae8f8d16ae594ae7
Instruction Fuzzy Hash: 8B1114B29002099FCB10CF9AC444BDEFBF4FF88324F04846AD925AB200D775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B5ADE8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B5AE4E

Memory Dump Source

Source File: 00000000.00000002.293420575.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 438abdefbbf98aa49b9656365f8be6dcb721dcdb9af91d8a0298888b8cc9e6a0
Instruction ID: 506c7a73957bef028ef4f968b03f8c3ab372d647a3d357f19593580d2cb9d1b9
Opcode Fuzzy Hash: 438abdefbbf98aa49b9656365f8be6dcb721dcdb9af91d8a0298888b8cc9e6a0
Instruction Fuzzy Hash: 4B110FB2D006098FCB10CF9AD444BDFFBF4EB88624F10855AD869B7200C378A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 052A1A00, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 052A1A5D

Memory Dump Source

Source File: 00000000.00000002.297587957.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d3dbf938d5948f91a8a9368a9290bb0ec093fbbec9033aa9d3751990e3fff332
Instruction ID: 20c30db233e93094595557220eeb2b815772151ce05591849e1f78cf269f1f4f
Opcode Fuzzy Hash: d3dbf938d5948f91a8a9368a9290bb0ec093fbbec9033aa9d3751990e3fff332
Instruction Fuzzy Hash: C411CEB59002099FDB10DF9AD584BDEFBF8EB88724F10841AD919A7201C374A954CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 0145D3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293215870.000000000145D000.00000040.00000001.sdmp, Offset: 0145D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b07d27ae2714f4d11a3f2e939be4d0b007fd2494d944972eadc578603b9cb7
Instruction ID: f534b70928acd83c73eee1bad98d15baacefc510e5df88657be8b0257ba62bdc
Opcode Fuzzy Hash: 44b07d27ae2714f4d11a3f2e939be4d0b007fd2494d944972eadc578603b9cb7
Instruction Fuzzy Hash: DC210271904200DFDB05CF84C8C0B57BF65FF88224F20857ADC090B217C33AE856CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 02A8D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293298815.0000000002A8D000.00000040.00000001.sdmp, Offset: 02A8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d8c7e4a81ebbebcf730f1a14dbc40193df5556fc09adb63685292248ba0a48c
Instruction ID: b1e014ee52abb785228ad078f554bfbfc7af9104751c855a4692f30ad8b069bb
Opcode Fuzzy Hash: 5d8c7e4a81ebbebcf730f1a14dbc40193df5556fc09adb63685292248ba0a48c
Instruction Fuzzy Hash: 45210775504744DFDB14EF24D8C4B16BB75FB84328F24C969D80A4B386CB3AD857CA62

Uniqueness

Uniqueness Score: -1.00%

Function 02A8D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293298815.0000000002A8D000.00000040.00000001.sdmp, Offset: 02A8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ccf54d0751b41c67c2ef45155612529ff3d67a5ba8c29a1b8043016a2afea31
Instruction ID: af4ef4a8751a6322d78cf2b177804ea249a8b0effe0cb1bbf796ab3e9bf7a416
Opcode Fuzzy Hash: 3ccf54d0751b41c67c2ef45155612529ff3d67a5ba8c29a1b8043016a2afea31
Instruction Fuzzy Hash: E6210771504604EFDB05EF64D9C0B26FBA5FB88314F24CA69D8094B282DB3AD856CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02A8D006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293298815.0000000002A8D000.00000040.00000001.sdmp, Offset: 02A8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3592c99f4752c8427ec5519eee240c505c1523890f5bb089d89513c09c94d10f
Instruction ID: 8e84b65d7b02a8013861777cb079f33315f9bb9467d8d1458dedacdd8acd6243
Opcode Fuzzy Hash: 3592c99f4752c8427ec5519eee240c505c1523890f5bb089d89513c09c94d10f
Instruction Fuzzy Hash: 5F2180754087809FCB12DF24D9D4B11BF71EB46214F28C5DAD8458B297C73A985ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0145D3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293215870.000000000145D000.00000040.00000001.sdmp, Offset: 0145D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
Instruction ID: 50a0e6c32e1d1b4b46517f005c3b83c8e0570d57d9cf3adedf107d04e7c1c68f
Opcode Fuzzy Hash: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
Instruction Fuzzy Hash: E411CD72804280CFDB12CF44D9C4B56BF61FB85220F24C2AAD8090B727C33AE45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A8D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293298815.0000000002A8D000.00000040.00000001.sdmp, Offset: 02A8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c1c4d15945f75f5c7145bd3be0d7b4ff171933bea9630414cfd87ddfd5d3604
Instruction ID: 411a0f4863da843bfdafcd544a093a5ce3aa425a6190c07884e63da2581c5141
Opcode Fuzzy Hash: 9c1c4d15945f75f5c7145bd3be0d7b4ff171933bea9630414cfd87ddfd5d3604
Instruction Fuzzy Hash: 8E11BB75504680DFCB12DF20C5C4B15FBA1FB84324F28C6AAD8494B696C33AD45ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0145D745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293215870.000000000145D000.00000040.00000001.sdmp, Offset: 0145D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3dc79d5a4f397af7f08a2371f6f2a2ec0f515019daa04765b83d266b242b066
Instruction ID: 594a1cb96f02dd96cb5000dd63d5416e95c749fbeef690538e73b9a777cfe688
Opcode Fuzzy Hash: a3dc79d5a4f397af7f08a2371f6f2a2ec0f515019daa04765b83d266b242b066
Instruction Fuzzy Hash: 490147718083C0AAE7508AA9CC84B63FB98DF41224F08845BEE040A353D7799841CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0145D744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293215870.000000000145D000.00000040.00000001.sdmp, Offset: 0145D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe0ef7f3c0fa45dd060fd6ddeff1405176295775b790557493bb52cce6721553
Instruction ID: 9a487b0e79b1208c0d12d7c1453b608895b6cb9e60e3711e5d5dcb36c94babbf
Opcode Fuzzy Hash: fe0ef7f3c0fa45dd060fd6ddeff1405176295775b790557493bb52cce6721553
Instruction Fuzzy Hash: DFF0C271804284ABE7518E19CC84B63FF98EF81634F18C45BED080B397C3799844CAB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02B5D424, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.293420575.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506648cf5fffeff98997fa2793f960a9bb30c12822a9c60a1b276f4b5f16447f
Instruction ID: e947161470c5e297e0c11ef9b1a0d02ca12c0123ce9ffa8d60f729156423260e
Opcode Fuzzy Hash: 506648cf5fffeff98997fa2793f960a9bb30c12822a9c60a1b276f4b5f16447f
Instruction Fuzzy Hash: 54A15132E002198FCF15DFA5C9446EEB7F2FF85304B1985AAE905AF221EB35A955CF40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: iGZtra5EaP.exe PID: 4720 Parent PID: 5832 iGZtra5EaP.exeCOMMON

Executed Functions

Function 06DCBD68, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.481928516.0000000006DC0000.00000040.00000001.sdmp, Offset: 06DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e20a501793ab86a64952882bce1086f3dc6eedc74b5f90b1357ff5784d0c6c
Instruction ID: f12ad8ffdd09af92c634411b416f6e12619a11e7753370679c4049974c544f69
Opcode Fuzzy Hash: 36e20a501793ab86a64952882bce1086f3dc6eedc74b5f90b1357ff5784d0c6c
Instruction Fuzzy Hash: 5C612274D0120DDFDB04DFA8E899AAEBBB2FB49304F10806AE905A7364DB34AD45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06DCBDF0, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.481928516.0000000006DC0000.00000040.00000001.sdmp, Offset: 06DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bee6eb4032febaa9112b5b834c441bf926604d9ac2c6d7ce1643cc1879ad3f2
Instruction ID: e961c834d707b871244ca1e7090eb264dcc6aa46e1ccdd58c61f1b2560fbf1fa
Opcode Fuzzy Hash: 1bee6eb4032febaa9112b5b834c441bf926604d9ac2c6d7ce1643cc1879ad3f2
Instruction Fuzzy Hash: 4D510274E00209DFDB04DFA4E899AAEBFB2FB48310F14806AE905A7354DB356D45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0182B6C0, Relevance: 6.1, APIs: 4, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0182B730
GetCurrentThread.KERNEL32 ref: 0182B76D
GetCurrentProcess.KERNEL32 ref: 0182B7AA
GetCurrentThreadId.KERNEL32 ref: 0182B803

Memory Dump Source

Source File: 0000000C.00000002.470731117.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d8e91a95be62ac80fd64d0837cedc8d56662070f2e72e48b2ca3c17e99f58941
Instruction ID: 2e0dea57b361fae683460339d404c551f6763cc5b53d9356ed4fffc88959e53f
Opcode Fuzzy Hash: d8e91a95be62ac80fd64d0837cedc8d56662070f2e72e48b2ca3c17e99f58941
Instruction Fuzzy Hash: 4F5155B09016498FDB14CFA9D588BDEBBF1EF48304F24845AE119B7350D774A988CF66

Uniqueness

Uniqueness Score: -1.00%

Function 0182B6D0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0182B730
GetCurrentThread.KERNEL32 ref: 0182B76D
GetCurrentProcess.KERNEL32 ref: 0182B7AA
GetCurrentThreadId.KERNEL32 ref: 0182B803

Memory Dump Source

Source File: 0000000C.00000002.470731117.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 947280811942b7e7e68ae4684ae245193f5afc7b1435ebc59ade4c3edf39532b
Instruction ID: b87161d396124bf572e7f1dcbe603e71c650e480aad3da7b58a4e090f2e8f028
Opcode Fuzzy Hash: 947280811942b7e7e68ae4684ae245193f5afc7b1435ebc59ade4c3edf39532b
Instruction Fuzzy Hash: EB5166B09016498FDB14CFA9C548B9EBBF1FF48304F24845AE119B7360D774A988CF66

Uniqueness

Uniqueness Score: -1.00%

Function 06DC3549, Relevance: 1.7, APIs: 1, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.481928516.0000000006DC0000.00000040.00000001.sdmp, Offset: 06DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e590896221aa3783d41b15d16c889f467e59eac77bc69b160ae1b43db5c9a9
Instruction ID: 60d9aa1fa357d9e7aef64c9cbf0a0f5b43d125d4a61f77b5875f90da34c62104
Opcode Fuzzy Hash: c0e590896221aa3783d41b15d16c889f467e59eac77bc69b160ae1b43db5c9a9
Instruction Fuzzy Hash: EA8157B1D0424A8FDB50DFA8C8806EEBBB1FF89314F25852ED415AB250DB74994ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 018293E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0182962E

Memory Dump Source

Source File: 0000000C.00000002.470731117.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0ed48cd433e9f6a087df36231763652ff937f951df5a19127bc991d6ef018b39
Instruction ID: cb2e5bd5dea6e0238a136931f2fb400d1442c63a9cf8136bec7d4e7c557ce696
Opcode Fuzzy Hash: 0ed48cd433e9f6a087df36231763652ff937f951df5a19127bc991d6ef018b39
Instruction Fuzzy Hash: 38714670A00B158FDB25DF2AC48075ABBF5BF88308F008A2DD59AD7A40DB34E985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06DC18FC, Relevance: 1.6, APIs: 1, Instructions: 140networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06DC3738

Memory Dump Source

Source File: 0000000C.00000002.481928516.0000000006DC0000.00000040.00000001.sdmp, Offset: 06DC0000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: a88dc4e491e9205abf4bec09979b10b48cf2253a14d2961ee330b3963b4cfccb
Instruction ID: 7b0d4fe0bed80be56bb717ffd6e9fc7fe9fe950c1e15d31c7550a68aa8511ae1
Opcode Fuzzy Hash: a88dc4e491e9205abf4bec09979b10b48cf2253a14d2961ee330b3963b4cfccb
Instruction Fuzzy Hash: 27510FB1D0064D9FDB50CFA9C884ADEBBB5BF48318F258529E814AB350DB74A946CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0182FBEC, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0182FD0A

Memory Dump Source

Source File: 0000000C.00000002.470731117.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9ffb6071fb8e746b4984f923166c9562a77dcd5ff75133ef986f20d56ef12a9f
Instruction ID: 68afd9c50a78756da2afdef8f7de2e1bea78659251e4bcbcfa34d199d65b0618
Opcode Fuzzy Hash: 9ffb6071fb8e746b4984f923166c9562a77dcd5ff75133ef986f20d56ef12a9f
Instruction Fuzzy Hash: 2B51D2B1D00359DFDB15CFA9D880ADEBBB5FF48314F24812AE915AB210D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0182FBF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0182FD0A

Memory Dump Source

Source File: 0000000C.00000002.470731117.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 61e39967210ceaf00b190495ba4d8fbad09de32cd061979d3c9b099ef7563416
Instruction ID: 321242abbf577cdcb0538f893c2dda19b6c067be911675ac200f009d9820bafa
Opcode Fuzzy Hash: 61e39967210ceaf00b190495ba4d8fbad09de32cd061979d3c9b099ef7563416
Instruction Fuzzy Hash: 8441B2B1D00359DFDB15CF9AC884ADEBBB5BF48314F24812AE919AB210D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0182BD00, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0182BD87

Memory Dump Source

Source File: 0000000C.00000002.470731117.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 351352e86180ca2ecc0d20dd812b818589d0efb8fcc8a9d4752e0f80721fcc48
Instruction ID: 9ffb5e941f0f711bedef55fe06fe01d7474cf0defffb8f811b6731a284143fdc
Opcode Fuzzy Hash: 351352e86180ca2ecc0d20dd812b818589d0efb8fcc8a9d4752e0f80721fcc48
Instruction Fuzzy Hash: F621E2B59012489FDB10CFAAD884ADEFBF8EB48324F14801AE914A7310D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0182BCF9, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0182BD87

Memory Dump Source

Source File: 0000000C.00000002.470731117.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ca81d02c15d3e5276472d29f81cb89a7bcd54d9d5cdeaf19be3957c949c98a8c
Instruction ID: 7324dd906633c33662a73bbde06fd4925301abb523269c3b09d67896d8907945
Opcode Fuzzy Hash: ca81d02c15d3e5276472d29f81cb89a7bcd54d9d5cdeaf19be3957c949c98a8c
Instruction Fuzzy Hash: 922103B59012589FDB00CFA9D584AEEFBF4EF48314F14801AE954B3310C338A954CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01828768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,018296A9,00000800,00000000,00000000), ref: 018298BA

Memory Dump Source

Source File: 0000000C.00000002.470731117.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2037bcff698c90bc07cb811450f510de75dc7800c1308fe3ddbaf884c79e0ea7
Instruction ID: 42751af72ab79fb02e8a8ff3a141745daa9d2ad0b27ad1805ea61face6cfeb74
Opcode Fuzzy Hash: 2037bcff698c90bc07cb811450f510de75dc7800c1308fe3ddbaf884c79e0ea7
Instruction Fuzzy Hash: 1D11F2B6D002598FDB10CF9AC444A9EFBF4EB88314F14842AD515A7700C3B4AA45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01829849, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,018296A9,00000800,00000000,00000000), ref: 018298BA

Memory Dump Source

Source File: 0000000C.00000002.470731117.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 282e0afd5616d0c798d31dbcfffdd3d320d10a404c15f0e2cafd343fd0e3216c
Instruction ID: 6521792a15a03e984d023c0ceb6adcca324de2c8e55b9d69c6a9edbfac14944f
Opcode Fuzzy Hash: 282e0afd5616d0c798d31dbcfffdd3d320d10a404c15f0e2cafd343fd0e3216c
Instruction Fuzzy Hash: 3C1126B2D00219CFDB10CF9AC444ADEFBF8EB88714F14842AD515A7700C774A949CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 018295C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0182962E

Memory Dump Source

Source File: 0000000C.00000002.470731117.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3d0274f345f6eec0902f3f18e3874fbf0d2e2770a75296359069bbb4341284c6
Instruction ID: 0558af6741fe56c4da2e51d4ac695a25d6ac1020cfaa6c5c819f67eaf7b7b75d
Opcode Fuzzy Hash: 3d0274f345f6eec0902f3f18e3874fbf0d2e2770a75296359069bbb4341284c6
Instruction Fuzzy Hash: 851110B1C006598FDB20CF9AC444BDEFBF4AF88328F14841AD529A7700D374A649CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0182FE38, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0182FE9D

Memory Dump Source

Source File: 0000000C.00000002.470731117.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 9a4ac3558ecadf0e2da44c751bc19dba1d22dbe9a588989a597212282e5e6e32
Instruction ID: 4efff11ccf3448be4370935beefbf441d75e49ef9435e080e8c0f818846453d9
Opcode Fuzzy Hash: 9a4ac3558ecadf0e2da44c751bc19dba1d22dbe9a588989a597212282e5e6e32
Instruction Fuzzy Hash: 851103B59002499FDB10CF9AD485BDEFBF8EB48724F10841AE914A7341C374AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0182FE40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0182FE9D

Memory Dump Source

Source File: 0000000C.00000002.470731117.0000000001820000.00000040.00000001.sdmp, Offset: 01820000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 6b77881ff877c5dd52f09d07e58861fe7e85338a1fc1e876bab8960a2eb23e6c
Instruction ID: 945b4ccaa7950172c92aa39f338fc95ef49419e7a64c7f19fa323779f31049f8
Opcode Fuzzy Hash: 6b77881ff877c5dd52f09d07e58861fe7e85338a1fc1e876bab8960a2eb23e6c
Instruction Fuzzy Hash: EC1112B58002498FDB10CF9AD484BDFFBF8EB88724F10841AD914A7340C374AA44CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0179D3B4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.470409528.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d407f35dd17bf19496fe63d8007efd8e364de88640bcfc858e147cb1de35da5b
Instruction ID: b8ecd5667ee795d5ca0ed27c29af87cdcbbc5171443ce561585873ecf6c6d6d3
Opcode Fuzzy Hash: d407f35dd17bf19496fe63d8007efd8e364de88640bcfc858e147cb1de35da5b
Instruction Fuzzy Hash: 132133B1504200DFCF25CF94E9C0B66FB65FB88324F20C5A9EC090B256C336E85AC6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0179D4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.470409528.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43de6a2b2d27582694ece0c46842b3fab06e00e505ad96b6c47ca6c3380921ed
Instruction ID: 25d66c4ad259b02453f0d3f1cf7165aa643a699b6e1aad09357db5057dcdd673
Opcode Fuzzy Hash: 43de6a2b2d27582694ece0c46842b3fab06e00e505ad96b6c47ca6c3380921ed
Instruction Fuzzy Hash: 7A2124B1504200DFDF21CF98E8C0B56FF65FB88328F2085A9E9050B216C33AD85AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 017AD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.470446537.00000000017AD000.00000040.00000001.sdmp, Offset: 017AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91acb1e1edd4f76daa99e23141094bb94aa0b216065e7086d2cf72f6fffb3d9
Instruction ID: 69cb3fee92197604f828b18d864828bbb6cbb7eb456945bcd4e1b97eac7847f2
Opcode Fuzzy Hash: b91acb1e1edd4f76daa99e23141094bb94aa0b216065e7086d2cf72f6fffb3d9
Instruction Fuzzy Hash: 49212571544200DFCB25CF94D9C4B17FB65FB88354F60CAA9D8094B646C73AD847CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0179D3AF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.470409528.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
Instruction ID: 6b9a951113646be05cb85357e7b47bdb1f75540f73959d5310dff0bb9ba4a41d
Opcode Fuzzy Hash: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
Instruction Fuzzy Hash: 7F118C76404280CFCF16CF54D5C4B56BF61FB84224F24C6A9D8450B666C336E45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0179D49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.470409528.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
Instruction ID: 7159220bcf0439884e5546ba47f85f7dbfe231b81d2e43cce2e3682d0d2eaae0
Opcode Fuzzy Hash: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
Instruction Fuzzy Hash: B9119D76404280CFDF12CF54D5C4B16BF61FB84324F2486A9D9050B656C336D55ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 017AD017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.470446537.00000000017AD000.00000040.00000001.sdmp, Offset: 017AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c1c4d15945f75f5c7145bd3be0d7b4ff171933bea9630414cfd87ddfd5d3604
Instruction ID: 91a66a3cafecdf76fff8b1bb154816776c4a7b11447dc9e8382752a2fa3f195d
Opcode Fuzzy Hash: 9c1c4d15945f75f5c7145bd3be0d7b4ff171933bea9630414cfd87ddfd5d3604
Instruction Fuzzy Hash: B411BE75544280CFCB22CF54D5C4B16FFA1FB88314F24C6AAD8494BA56C33AD44ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06DCB359, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.481928516.0000000006DC0000.00000040.00000001.sdmp, Offset: 06DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 349a03ef18abe0e17c670c2c15bfd6cf82ff0273ca9983c3476d40e75eef8b98
Instruction ID: f13612b827e6910d5851f3933fd2ddbabf1ff1519606e1dde9d3a7c4cc405e6b
Opcode Fuzzy Hash: 349a03ef18abe0e17c670c2c15bfd6cf82ff0273ca9983c3476d40e75eef8b98
Instruction Fuzzy Hash: B7E0684044D2CDEFC34246A8490B376BE68E313124F9812CF90C0E70A3D109D801C2A3

Uniqueness

Uniqueness Score: -1.00%

Function 06DCB7E7, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.481928516.0000000006DC0000.00000040.00000001.sdmp, Offset: 06DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771cba27630a585b9033fa6c6f529273e46910e6d74469ed646ae0346725bb2d
Instruction ID: 09713530632a889f9a37ba2ba99ebc1fb26f78d0118cc3ad61a4de7198a98e84
Opcode Fuzzy Hash: 771cba27630a585b9033fa6c6f529273e46910e6d74469ed646ae0346725bb2d
Instruction Fuzzy Hash: 42E02060D4938F5DC7038A296CD67F17FA81F23158F15118FE5C067052E551D817829D

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: iGZtra5EaP.exe PID: 1288 Parent PID: 528 iGZtra5EaP.exeCOMMON

Executed Functions

Function 084B90D8, Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(00000000), ref: 084B9224

Memory Dump Source

Source File: 00000011.00000002.409270548.00000000084B0000.00000040.00000001.sdmp, Offset: 084B0000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 6b2e7f8fd642a00ebf16699e8883ba2ab8964f6725d5a4e55ca2256ddfe964a3
Instruction ID: 6087f91d5c37d5e7d7a781e0bd45bfbeb5bdedffb8ee31c1535f600c8e7547b2
Opcode Fuzzy Hash: 6b2e7f8fd642a00ebf16699e8883ba2ab8964f6725d5a4e55ca2256ddfe964a3
Instruction Fuzzy Hash: F751F370D002488FDB18CFA9C994BDEFBF5AF48304F24852EE916AB395D7749845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0104CEE0, Relevance: 6.1, APIs: 4, Instructions: 123threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0104CF50
GetCurrentThread.KERNEL32 ref: 0104CF8D
GetCurrentProcess.KERNEL32 ref: 0104CFCA
GetCurrentThreadId.KERNEL32 ref: 0104D023

Memory Dump Source

Source File: 00000011.00000002.397703410.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 79c9d9e3bdd7b06ac6c2fe4a1d504cf1e9b3c39a4541c2aa8feaeff6ec84268c
Instruction ID: 0a27773ad9e54acef2819c528a79d384e91fd56e44d523327bfb6dd2c94b3483
Opcode Fuzzy Hash: 79c9d9e3bdd7b06ac6c2fe4a1d504cf1e9b3c39a4541c2aa8feaeff6ec84268c
Instruction Fuzzy Hash: 645157B0D017498FEB54CFA9D688BDEBBF1AF48304F2484A9E459A7360D7345848CF66

Uniqueness

Uniqueness Score: -1.00%

Function 0104CEF0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0104CF50
GetCurrentThread.KERNEL32 ref: 0104CF8D
GetCurrentProcess.KERNEL32 ref: 0104CFCA
GetCurrentThreadId.KERNEL32 ref: 0104D023

Memory Dump Source

Source File: 00000011.00000002.397703410.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a5e4585ef89d4a9cfbe6c0e413d2c7d1856df2af2416d3254ad442acb36b9329
Instruction ID: 666d87cc4eb0a9dd1382b7f9d2e124fe317bb9f3111bb4e405cf9e9449910937
Opcode Fuzzy Hash: a5e4585ef89d4a9cfbe6c0e413d2c7d1856df2af2416d3254ad442acb36b9329
Instruction Fuzzy Hash: 965167B0D007498FDB54CFAAD688BDEBBF1AF48304F2484A9E419A7350D7345848CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0104AC08, Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0104AE4E

Memory Dump Source

Source File: 00000011.00000002.397703410.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4fe7b76e1dfc2c4097c12e43234cc67465078506962bf60616bcc3b3132e94bc
Instruction ID: 68fd12f4e7c529f4f2cc08cd9ea7a427c1a1c5c46017825b791cf02f74e5d8e8
Opcode Fuzzy Hash: 4fe7b76e1dfc2c4097c12e43234cc67465078506962bf60616bcc3b3132e94bc
Instruction Fuzzy Hash: FB7114B0A00B058FDB64DF6AD18179ABBF5BF88204F00892ED59ADBB40D735E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 084BBA14, Relevance: 1.6, APIs: 1, Instructions: 145processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 084BBB73

Memory Dump Source

Source File: 00000011.00000002.409270548.00000000084B0000.00000040.00000001.sdmp, Offset: 084B0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9dd131f3e71e1545a629e86c64121b6bf62084b727fd17111a786def3a9e62ce
Instruction ID: defc6c60449dfe5cdfe66c9d1f75072b95e7bda3dbd11cce3e31a45be2238feb
Opcode Fuzzy Hash: 9dd131f3e71e1545a629e86c64121b6bf62084b727fd17111a786def3a9e62ce
Instruction Fuzzy Hash: BE51F671D00319DFDB20CF99C880BDEBBB5BF48314F1584AAE908A7210DB759A89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 084BBA20, Relevance: 1.6, APIs: 1, Instructions: 143processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 084BBB73

Memory Dump Source

Source File: 00000011.00000002.409270548.00000000084B0000.00000040.00000001.sdmp, Offset: 084B0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f8af2c2ea819dbbf2c4af390dd0b236c1d95a9739558149b37975c95082f059b
Instruction ID: 43c7f4fa51f76083837d885b678182be4aa5011f335ec21c136e7206ddd644ca
Opcode Fuzzy Hash: f8af2c2ea819dbbf2c4af390dd0b236c1d95a9739558149b37975c95082f059b
Instruction Fuzzy Hash: F851F871D00319DFDB20CF99C880BDEBBB5BF48314F1584AAE908A7250DB759A89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 084B90CC, Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(00000000), ref: 084B9224

Memory Dump Source

Source File: 00000011.00000002.409270548.00000000084B0000.00000040.00000001.sdmp, Offset: 084B0000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: d18456e6878d5e44730bc76e1e7322513ab1c99c80a08b2a323203e2957a95e7
Instruction ID: fbee9ba10a6240e383afd4f64ed8f100563ee1068015a9e72377bd9a0a0bd894
Opcode Fuzzy Hash: d18456e6878d5e44730bc76e1e7322513ab1c99c80a08b2a323203e2957a95e7
Instruction Fuzzy Hash: 69511470D002488FDB18CFA9C994BDEFBF1AF48304F25852EE816AB395D7749845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 050D17AD, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 050D18CA

Memory Dump Source

Source File: 00000011.00000002.405030599.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 392e2f6a2cb651f4175aa0ebc76c1b378ed0152ab90098374df6d181fd24d6cf
Instruction ID: 84224b17f4dafa9f30a26c2e6a8b7b27886bef1009e46752e2035ec751cce584
Opcode Fuzzy Hash: 392e2f6a2cb651f4175aa0ebc76c1b378ed0152ab90098374df6d181fd24d6cf
Instruction Fuzzy Hash: 6751AFB1D003099FDB14CF9AD884ADEFBF5BF48314F64822AE815AB210DB749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 050D17B8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 050D18CA

Memory Dump Source

Source File: 00000011.00000002.405030599.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7dafa91d8cc558ddf4397be97eab12ed4643111b166b0c6a71f23664823830a9
Instruction ID: 049f55754098246d709bec106b8f8abde97688292ea5c475195d3e6dc585c667
Opcode Fuzzy Hash: 7dafa91d8cc558ddf4397be97eab12ed4643111b166b0c6a71f23664823830a9
Instruction Fuzzy Hash: 01419FB1D003499FDB14CF9AD884ADEFBF5BF48314F64812AE819AB210D7759985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01045685, Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01045741

Memory Dump Source

Source File: 00000011.00000002.397703410.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c90ec2447b7c466e4613ee97eb9b611ec82fa30da1305d51155ef77c68702177
Instruction ID: 79208a160eba6e1ec24aadd0b8636c235e479b03c391b243155faeaf96f997d9
Opcode Fuzzy Hash: c90ec2447b7c466e4613ee97eb9b611ec82fa30da1305d51155ef77c68702177
Instruction Fuzzy Hash: 1D41D0B1C00619CFDB24CFA9D884BDEBBF5BF48308F20806AD409AB651DB756949CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0104423C, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01045741

Memory Dump Source

Source File: 00000011.00000002.397703410.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 17aa2a2dee3f2ec2e4ac162fe383cc6c4a7e0af07bc14dcbff2957e42e9a201f
Instruction ID: 4d0476c03a7ddd259f1d253c919129e86d1ac0547c398fe4ac67cde059831c5c
Opcode Fuzzy Hash: 17aa2a2dee3f2ec2e4ac162fe383cc6c4a7e0af07bc14dcbff2957e42e9a201f
Instruction Fuzzy Hash: 2A41DFB1C00719CBDB24CFA9D884BDEBBF5BF48308F2080A9D409AB251DB756949CF91

Uniqueness

Uniqueness Score: -1.00%

Function 084B92E4, Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

FindWindowA.USER32(?), ref: 084B93C7

Memory Dump Source

Source File: 00000011.00000002.409270548.00000000084B0000.00000040.00000001.sdmp, Offset: 084B0000, based on PE: false

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: f968047288d3eac36c7a85f172c3c01bc79aa39467dcad2fb7626928df03260d
Instruction ID: 2617a41a474715cee63c3e5eee0b705fcbcd3a84efa04de7391b45cf29beebb2
Opcode Fuzzy Hash: f968047288d3eac36c7a85f172c3c01bc79aa39467dcad2fb7626928df03260d
Instruction Fuzzy Hash: 114155B0D106588FDB10CFA9D884BDEBFF1AB49314F14852EE815AB384E7749846CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 084B92F0, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

FindWindowA.USER32(?), ref: 084B93C7

Memory Dump Source

Source File: 00000011.00000002.409270548.00000000084B0000.00000040.00000001.sdmp, Offset: 084B0000, based on PE: false

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 87b3ede29c9cd9b699f7c0234a54fcf0adf655342f32f5f9963761c0f1175ef7
Instruction ID: 656ae355a6a7897c5c8d9acec8fd63fc89c10dd9f77c4221798593bc49eff244
Opcode Fuzzy Hash: 87b3ede29c9cd9b699f7c0234a54fcf0adf655342f32f5f9963761c0f1175ef7
Instruction Fuzzy Hash: D63137B1D106588FCB10CFA9D884BDEBFF1BB48714F14852AE815AB380E7749846CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 050D3D70, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 050D3E31

Memory Dump Source

Source File: 00000011.00000002.405030599.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e01a89f135c03cd3b46d762c313c31210d0e0a85763ee49bbc3d40cf98c1e60c
Instruction ID: 5b720f5132df5d0f3e16ac4acd04a6d0eb3cebc3e0b59ee73f7ce5dd667232e5
Opcode Fuzzy Hash: e01a89f135c03cd3b46d762c313c31210d0e0a85763ee49bbc3d40cf98c1e60c
Instruction Fuzzy Hash: CE4125B5A00345CFCB14CF89D488AAEFBF5FB88314F258858D519AB361D770A845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 084B1B55, Relevance: 1.6, APIs: 1, Instructions: 92libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 084B1C2A

Memory Dump Source

Source File: 00000011.00000002.409270548.00000000084B0000.00000040.00000001.sdmp, Offset: 084B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5e20b187c99060f3dc7b300c2ae940b129cf188bd74f1880d389cad3843b2eac
Instruction ID: 1943a8bf739f7606e07c3aa8ada94993cf4b70ac98e60c833943305ae89da6cb
Opcode Fuzzy Hash: 5e20b187c99060f3dc7b300c2ae940b129cf188bd74f1880d389cad3843b2eac
Instruction Fuzzy Hash: 4B3134B0D042598FDB14CFA9D8947DEBBF5AB08314F10852EE815AB380D7749846CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 084B1B60, Relevance: 1.6, APIs: 1, Instructions: 86libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 084B1C2A

Memory Dump Source

Source File: 00000011.00000002.409270548.00000000084B0000.00000040.00000001.sdmp, Offset: 084B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7dcfcb51cc6338f1922c19ac4c4fdac187ac3752d9865d799fd45d02f98be4ad
Instruction ID: 75439f020e31b95936e0e21bc7cd02a8dd2aaae17ed496b85392bf273768196c
Opcode Fuzzy Hash: 7dcfcb51cc6338f1922c19ac4c4fdac187ac3752d9865d799fd45d02f98be4ad
Instruction Fuzzy Hash: AD3134B0D04249CFDB14CFA9D8947DEBBF5AB08315F10852EE815AB340E7749886CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 084B6BBA, Relevance: 1.6, APIs: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 084BC4FD

Memory Dump Source

Source File: 00000011.00000002.409270548.00000000084B0000.00000040.00000001.sdmp, Offset: 084B0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 981c8cbd584a8ba5cb146c678e17e96286077e81bd73eb9e7c740a2d20f71260
Instruction ID: 3fa7cbebd05042b3c1434a5113563b56f2a8c284d0b2dd44de9a8d29d4f8fdf6
Opcode Fuzzy Hash: 981c8cbd584a8ba5cb146c678e17e96286077e81bd73eb9e7c740a2d20f71260
Instruction Fuzzy Hash: 7421E7B18093849FCB02CF69C894BDEBFF0AF16214F05449BD545EB252C334AA48CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 084BBFC0, Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 084BC055

Memory Dump Source

Source File: 00000011.00000002.409270548.00000000084B0000.00000040.00000001.sdmp, Offset: 084B0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5a7440f40c1ca6ef57274a6efaad6d9b1b28e371aa7152c84f9db5a9f21cabed
Instruction ID: 1b8069bc272fda8608a254ac88da2a7fda059598f2b36721fcf3b131b4cf0c1e
Opcode Fuzzy Hash: 5a7440f40c1ca6ef57274a6efaad6d9b1b28e371aa7152c84f9db5a9f21cabed
Instruction Fuzzy Hash: 072122B1900249DFCB10CF9AD884BDEBBF4FB48314F40842EE818A7340E378A954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 084BBFC8, Relevance: 1.6, APIs: 1, Instructions: 65injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 084BC055

Memory Dump Source

Source File: 00000011.00000002.409270548.00000000084B0000.00000040.00000001.sdmp, Offset: 084B0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5c24bec24ddac9aed7cdc9d1a923b33bb2a35468fdb3cd63e118962a3ce95d6f
Instruction ID: 145477f4720d7f0a0b4a87244169c57987cf0e7982d5c2456dbef6381f5f161e
Opcode Fuzzy Hash: 5c24bec24ddac9aed7cdc9d1a923b33bb2a35468fdb3cd63e118962a3ce95d6f
Instruction Fuzzy Hash: 0321E0B1900249DFCB10CF9AD885BDEBBF4FB48314F50842AE918A7350E778A954CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0104D518, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0104D5A7

Memory Dump Source

Source File: 00000011.00000002.397703410.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5bf7bb899a62bf0899fdff9282f5d4bfc2074564a40a04cb34db6f9011ce392f
Instruction ID: 1163dabdc7f317161021ce153720a62a93fa05d60abebcafb1b86d472d39fce5
Opcode Fuzzy Hash: 5bf7bb899a62bf0899fdff9282f5d4bfc2074564a40a04cb34db6f9011ce392f
Instruction Fuzzy Hash: B621E0B6D00208DFDB00CFAAD584ADEBBF4EB48324F14841AE915A7310D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0104D520, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0104D5A7

Memory Dump Source

Source File: 00000011.00000002.397703410.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2a4c328ea8943d3992163bf6d5dacfaa5e75cda8c5447012de91032e627ba920
Instruction ID: 67689e846f60c6769201e18369cfde97f69c0626406b09165ef7db5ef9d59260
Opcode Fuzzy Hash: 2a4c328ea8943d3992163bf6d5dacfaa5e75cda8c5447012de91032e627ba920
Instruction Fuzzy Hash: 5D21E2B5900208DFDB10CFAAD884ADEFBF8EB48324F14801AE914A7310D774A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 084BBD8A, Relevance: 1.6, APIs: 1, Instructions: 61threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 084BBE07

Memory Dump Source

Source File: 00000011.00000002.409270548.00000000084B0000.00000040.00000001.sdmp, Offset: 084B0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 614a03e6a017c083daa03ad1a8ce3943a22387c791f32c3a7aee957a0a23f521
Instruction ID: 82ff220ae9ab496e1b5dfa4109fddbb6fd6f64f8d719e5c4dc0e4bd95e442ae4
Opcode Fuzzy Hash: 614a03e6a017c083daa03ad1a8ce3943a22387c791f32c3a7aee957a0a23f521
Instruction Fuzzy Hash: 542127B1D006199FCB00CF9AC8457DEFBF4FB48624F54812AD418A7740D778A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 084BBE4E, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 084BBECF

Memory Dump Source

Source File: 00000011.00000002.409270548.00000000084B0000.00000040.00000001.sdmp, Offset: 084B0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 509220f1dc17788701e9c5340d2a67ebc21d1aa9fc7fb3f8a4ab618eda850022
Instruction ID: b0054ccfa5e171af6b0aaa8f42b287557b4d76e747f79e5805a1269ec593f44c
Opcode Fuzzy Hash: 509220f1dc17788701e9c5340d2a67ebc21d1aa9fc7fb3f8a4ab618eda850022
Instruction Fuzzy Hash: 0721DEB1900249DFCB10CF9AD884BDEFBF4FB48324F50842AE918A7250D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 084BBE50, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 084BBECF

Memory Dump Source

Source File: 00000011.00000002.409270548.00000000084B0000.00000040.00000001.sdmp, Offset: 084B0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3433900991036ed862d53199a209ece2d7f4abe40122ffac0da06424f86734bd
Instruction ID: b0751d8776abaf4064cc84d8ac4d7312a972af290167a061e5c075cdca07629a
Opcode Fuzzy Hash: 3433900991036ed862d53199a209ece2d7f4abe40122ffac0da06424f86734bd
Instruction Fuzzy Hash: D121DEB19002499FCB10CF9AD884ADEFBF4FB48320F50842AE918A7250D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 084BBD90, Relevance: 1.6, APIs: 1, Instructions: 58threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 084BBE07

Memory Dump Source

Source File: 00000011.00000002.409270548.00000000084B0000.00000040.00000001.sdmp, Offset: 084B0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: d6e708e6207fbb87eb288ab66dd56c1de2b56e99fb7d1d59645fcdc7ca3f7144
Instruction ID: 8a37b3d6fb16cdfb32d0bdc26c61e95af8d515bfab93363a2e485260aa6a35e9
Opcode Fuzzy Hash: d6e708e6207fbb87eb288ab66dd56c1de2b56e99fb7d1d59645fcdc7ca3f7144
Instruction Fuzzy Hash: 032106B1D006199FCB00CF9AC885BDEFBF8FB48624F54812AD418A7740D778A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01049FB8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0104AEC9,00000800,00000000,00000000), ref: 0104B0DA

Memory Dump Source

Source File: 00000011.00000002.397703410.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ae5156873656c61204e429eea836ac1100cb6d7a44a3822184d02db5c764996c
Instruction ID: 4b1a85af19997984be2588e441725b5a8199c612382f5fcb467532406abbf107
Opcode Fuzzy Hash: ae5156873656c61204e429eea836ac1100cb6d7a44a3822184d02db5c764996c
Instruction Fuzzy Hash: 5A1106B29003098FDB20CF9AC484B9EFBF4AB48314F14842EE565A7200C775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0104B068, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0104AEC9,00000800,00000000,00000000), ref: 0104B0DA

Memory Dump Source

Source File: 00000011.00000002.397703410.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da6b41a7c6328e57138862a44835af9d3416edbd84ae729ba100e9cdd4bd4498
Instruction ID: cb389f69ae15ee542efe9185e4ab77093208d84b16c13651e7d3c9e81a521ca8
Opcode Fuzzy Hash: da6b41a7c6328e57138862a44835af9d3416edbd84ae729ba100e9cdd4bd4498
Instruction Fuzzy Hash: D81144B6D002098FCB10CF9AD484BDEFBF4AB48310F14842EE525A7600C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 084BBF18, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 084BBF8B

Memory Dump Source

Source File: 00000011.00000002.409270548.00000000084B0000.00000040.00000001.sdmp, Offset: 084B0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 851a93e63a351b2e0a20fe1d55b995bbefb752945b01571870e1a7fa4ff23fce
Instruction ID: aefb91de4131ef899b12445e4f197b187d23850e301d02b207cf66dacf2e5b7b
Opcode Fuzzy Hash: 851a93e63a351b2e0a20fe1d55b995bbefb752945b01571870e1a7fa4ff23fce
Instruction Fuzzy Hash: E21102B5900249DFCB10CF9AC884BDEBBF5EB49324F10841AE569A7310C335A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 084BBF20, Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 084BBF8B

Memory Dump Source

Source File: 00000011.00000002.409270548.00000000084B0000.00000040.00000001.sdmp, Offset: 084B0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cd2ddbb16be7be7f64fe8d872ceac63e25a4bdf40c1c9d7cea7e4b1ae344e3c6
Instruction ID: a2641b3c2abde7e959b9fb7d05d58b9e8525a540f4ff2628e89aaa1b501652c5
Opcode Fuzzy Hash: cd2ddbb16be7be7f64fe8d872ceac63e25a4bdf40c1c9d7cea7e4b1ae344e3c6
Instruction Fuzzy Hash: 1611E0B5900649DFCB10CF9AD884BDEBBF8EB88324F10841AE569A7210D375A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 084B6BF8, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 084BC4FD

Memory Dump Source

Source File: 00000011.00000002.409270548.00000000084B0000.00000040.00000001.sdmp, Offset: 084B0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8c987c913d052e895a5bb28c7fdbe28e3228a6a9adf85ab1bd9c225a0d7eba6c
Instruction ID: 94eb7fb76c620b10b903f8b6188867145551a2cd8b0682df4ffb90ef5400aa51
Opcode Fuzzy Hash: 8c987c913d052e895a5bb28c7fdbe28e3228a6a9adf85ab1bd9c225a0d7eba6c
Instruction Fuzzy Hash: D711F5B58003499FDB10DF9AD488BDEFBF8EB48324F10841AE515A7300C374A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0104ADE8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0104AE4E

Memory Dump Source

Source File: 00000011.00000002.397703410.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5f6b8ac4905ca969e606b9a3d1ef144dc78e620c19b83f6fe6991d69b2eaa67f
Instruction ID: 6c0d7152903401aad6299bf223b4ed8804f3a8f991aadc976e1cc6be08b01206
Opcode Fuzzy Hash: 5f6b8ac4905ca969e606b9a3d1ef144dc78e620c19b83f6fe6991d69b2eaa67f
Instruction Fuzzy Hash: C91102B1D00649CFDB20CF9AD444ADEFBF4AB88324F10842AD469A7600C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 084BC498, Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 084BC4FD

Memory Dump Source

Source File: 00000011.00000002.409270548.00000000084B0000.00000040.00000001.sdmp, Offset: 084B0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ecccf7edf56c98828f96fa52f63f7367af9c40f954c0388dc385ffd16ae79ec3
Instruction ID: 56e804e6743df41b76f4665b3d3d55df33e11735406007563f1361cf6f821c6f
Opcode Fuzzy Hash: ecccf7edf56c98828f96fa52f63f7367af9c40f954c0388dc385ffd16ae79ec3
Instruction Fuzzy Hash: 0811F2B58003599FDB10CF9AD484BDEFBF4EB48324F10841AD559A7200C375AA54CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 050D19F9, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 050D1A5D

Memory Dump Source

Source File: 00000011.00000002.405030599.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 1196d3a8bdbd3da272017966a3b78ec85fd064e6aca9eb44ec86988a5de3e805
Instruction ID: 5b7aa021ae644282e5e737e5c9ea4c619fb1519139c22e468012085e4b535dc7
Opcode Fuzzy Hash: 1196d3a8bdbd3da272017966a3b78ec85fd064e6aca9eb44ec86988a5de3e805
Instruction Fuzzy Hash: BD11F2B5900349DFDB10CF9AD584BDEFBF8EB48324F10851AE915A7600C379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 084BC178, Relevance: 1.5, APIs: 1, Instructions: 45threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 084BC1DF

Memory Dump Source

Source File: 00000011.00000002.409270548.00000000084B0000.00000040.00000001.sdmp, Offset: 084B0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4be27330b82a75833b7ae95165557c5208b26c49fc8ecca39b026c0468b752be
Instruction ID: a713c8967751c8ac89d5b71667bf3eb8d7a50bbb544246a390cdd9eb925b13d2
Opcode Fuzzy Hash: 4be27330b82a75833b7ae95165557c5208b26c49fc8ecca39b026c0468b752be
Instruction Fuzzy Hash: 9C11FEB19006498FCB20CF9AD488BDEFBF4AB88324F20846ED419A7640C775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 050D1A00, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 050D1A5D

Memory Dump Source

Source File: 00000011.00000002.405030599.00000000050D0000.00000040.00000001.sdmp, Offset: 050D0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 31db9e5ab3814109d9be7b3648212a4afe818ec6cedcb5b7c1a5ff6f0c184130
Instruction ID: e74d81305b42ea5d85e720032c29a161b2663c792242fcfe30c0aa347df3094f
Opcode Fuzzy Hash: 31db9e5ab3814109d9be7b3648212a4afe818ec6cedcb5b7c1a5ff6f0c184130
Instruction Fuzzy Hash: 4C11FEB58003098FDB10CF9AD484BDEFBF8EB88324F20841AD919A7600C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 084BC180, Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 084BC1DF

Memory Dump Source

Source File: 00000011.00000002.409270548.00000000084B0000.00000040.00000001.sdmp, Offset: 084B0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 95770326eda412ab984c11334602109f22e547a46e00da4760a20e47226a6b10
Instruction ID: 0c2bff6adf895740d5621f7a93f9170e632416342e230e642f2ccfa42fb84d45
Opcode Fuzzy Hash: 95770326eda412ab984c11334602109f22e547a46e00da4760a20e47226a6b10
Instruction Fuzzy Hash: 2D11D0B19006498FCB10DF9AD484BDEFBF8AB48324F20841AD519A7640D775A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FDD3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.397537361.0000000000FDD000.00000040.00000001.sdmp, Offset: 00FDD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb988411a8c9b52b6b00a8ade8dbc19d73332239f448028f7d95df3a0124e146
Instruction ID: 3ead69382a0bad6ee311cf667ab0411ec839a3e0c1514ee31d3bead3476337f8
Opcode Fuzzy Hash: bb988411a8c9b52b6b00a8ade8dbc19d73332239f448028f7d95df3a0124e146
Instruction Fuzzy Hash: 27213A72504204DFDB15DF14D9C0B17BF66FB99324F28C56AD8094B346C33AE856E7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00FED01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.397568793.0000000000FED000.00000040.00000001.sdmp, Offset: 00FED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f276e7e97af7b4aea88c3ca3c09fd8bca7ede4f8910e58602b4dd30563a1b1
Instruction ID: cc9ee7a4d28030dec475024e36595d1048d45fff50d344699421e0993895b2e1
Opcode Fuzzy Hash: 07f276e7e97af7b4aea88c3ca3c09fd8bca7ede4f8910e58602b4dd30563a1b1
Instruction Fuzzy Hash: 6C210775504280DFCB14DF14D8C4B16BB65FB84324F28C969DA094B74AC73BD857EA62

Uniqueness

Uniqueness Score: -1.00%

Function 00FED1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.397568793.0000000000FED000.00000040.00000001.sdmp, Offset: 00FED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 764b1443028bedd5345b7b62c4bcb66a22f298d870dbf7b2cd5df2f56b194f84
Instruction ID: 551d96f0af6e518beaa3596bd9b12b70cf28c1653239b53170b13dfb98c29470
Opcode Fuzzy Hash: 764b1443028bedd5345b7b62c4bcb66a22f298d870dbf7b2cd5df2f56b194f84
Instruction Fuzzy Hash: 44214975904280DFDB05CF11C9C0B16BBA5FB84324F20C96DD9094B782C33AD846EB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FED005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.397568793.0000000000FED000.00000040.00000001.sdmp, Offset: 00FED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32001d9acc492fe3e437eba961ba5bc7e9f4a175ccde3e581eb5f1abf438f704
Instruction ID: 6b1d1cf1219d17d9f8f30752ac90b16dc84b7dcac43fd6796d467af488a4dad9
Opcode Fuzzy Hash: 32001d9acc492fe3e437eba961ba5bc7e9f4a175ccde3e581eb5f1abf438f704
Instruction Fuzzy Hash: 772180755093C08FCB12CF20D994715BF71EB46324F28C5EAD8498B697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FDD3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.397537361.0000000000FDD000.00000040.00000001.sdmp, Offset: 00FDD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
Instruction ID: cf873cffd0ed0113073c321ed4dd4ff52cd9ce0c80bd176946cff1e89f9c4a15
Opcode Fuzzy Hash: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
Instruction Fuzzy Hash: 4611B476804240DFCB15CF10D5C4B16BF72FB95324F28C6AAD8050B756C33AE456DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FED1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.397568793.0000000000FED000.00000040.00000001.sdmp, Offset: 00FED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c1c4d15945f75f5c7145bd3be0d7b4ff171933bea9630414cfd87ddfd5d3604
Instruction ID: 32368fc935b1dff3761acfe298b189bed7a6062ae036211a6d78198d1867a6b5
Opcode Fuzzy Hash: 9c1c4d15945f75f5c7145bd3be0d7b4ff171933bea9630414cfd87ddfd5d3604
Instruction Fuzzy Hash: DA118B75904280DFCB16CF10D9C4B15BBA1FB84324F28C6AAD9494BA96C33AD85ADB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FDD745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.397537361.0000000000FDD000.00000040.00000001.sdmp, Offset: 00FDD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712f8470179bf554419d0acc0e664360df8c6f74a50e01c78d4bdcf4d5745bc7
Instruction ID: 2d0898259166fa24fcc2007b5bb46fc6c2348279ba7b2845547f201fdc320a3e
Opcode Fuzzy Hash: 712f8470179bf554419d0acc0e664360df8c6f74a50e01c78d4bdcf4d5745bc7
Instruction Fuzzy Hash: ED01F772808340AAE7104A25CC84B67BB9CDF41338F1C859BED084A346D7799844EAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00FDD744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.397537361.0000000000FDD000.00000040.00000001.sdmp, Offset: 00FDD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91cea24819649f551abcaa8ab070c156e453d9b34e73a6af71355589fb99a5c
Instruction ID: 533e581cd90fea1f0d8a632fd328041a9735d2e1e9edab16e1d1050e7b0e9871
Opcode Fuzzy Hash: b91cea24819649f551abcaa8ab070c156e453d9b34e73a6af71355589fb99a5c
Instruction Fuzzy Hash: B1F06271804384AAE7158E15DC84BA6FB98EB91734F18C55AED085B386C3799844DAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 496 Parent PID: 528 dhcpmon.exeCOMMON

Executed Functions

Function 07114A42, Relevance: 2.6, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

EuR, xrefs: 07114ABF
L-uI, xrefs: 07114BA4

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID: EuR$L-uI
API String ID: 0-3189475397
Opcode ID: 97b75163e859bcc56312b38086e9340926e7de21ccc9202cc5376114d5417300
Instruction ID: cfb9ebb2fe486bcdde090fb229d22473163c5add1d168eb4a1ac16503b0c762f
Opcode Fuzzy Hash: 97b75163e859bcc56312b38086e9340926e7de21ccc9202cc5376114d5417300
Instruction Fuzzy Hash: 015116B0D1520A9FCB08CFA9D481AEEFBF2FB89700F15942AD815BB254D7309A41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0711E6F8, Relevance: 2.6, Strings: 2, Instructions: 131COMMON

Download Yara Rule

Strings

Yy@+e=, xrefs: 0711E80B
Yy@, xrefs: 0711E804

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID: Yy@$Yy@+e=
API String ID: 0-3438994167
Opcode ID: 3bdd2690f5bcf2ebc7da0cd46ff2a170b266a7f369fbc4851e1eb5efbdbb7578
Instruction ID: 2a0e998108bf4088650c884775d0d58651571c55f43b5733238b2bde92d125e3
Opcode Fuzzy Hash: 3bdd2690f5bcf2ebc7da0cd46ff2a170b266a7f369fbc4851e1eb5efbdbb7578
Instruction Fuzzy Hash: AC5117B0E14219CFDB08CFEAD4456AEFBF2BF89301F14C42AD819BB254D73499418BA4

Uniqueness

Uniqueness Score: -1.00%

Function 07114A50, Relevance: 2.6, Strings: 2, Instructions: 131COMMON

Download Yara Rule

Strings

EuR, xrefs: 07114ABF
L-uI, xrefs: 07114BA4

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID: EuR$L-uI
API String ID: 0-3189475397
Opcode ID: 02c8c2cba2c49131608d7fc4d37a405bfee081eaece6c9b1316efc7b6b95679e
Instruction ID: fc62acd9e9180086575d8d912a29e083c02e5b47a9a37b3481d28450a36973e8
Opcode Fuzzy Hash: 02c8c2cba2c49131608d7fc4d37a405bfee081eaece6c9b1316efc7b6b95679e
Instruction Fuzzy Hash: 4B5128B4E1421ACBCB08CFA9D441AEEFBF2FB89700F11942AD815BB254D7309A41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 07118990, Relevance: .7, Instructions: 724COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 038edb04fd6e8ec299b54ca47656079652604dab86ee16c2879e40efc58f6d79
Instruction ID: 92f4fd6205eeb352a8979241c7c00de352feb994efa5e9bd3886d2de1fbf77ad
Opcode Fuzzy Hash: 038edb04fd6e8ec299b54ca47656079652604dab86ee16c2879e40efc58f6d79
Instruction Fuzzy Hash: 9C5291B5B001168FDB19DF69C498AAD77B6BF88710F168069E816DF3A0DB31EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0711C5B0, Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45c12598fc331deeedbe93d76b1c3852d180f3d4752f4f8652a3f2dfb4da489
Instruction ID: 8fa10522c529cd3668045e1cd54f78f9965ac7b3f3a4d033bf479a0ab86c82f4
Opcode Fuzzy Hash: b45c12598fc331deeedbe93d76b1c3852d180f3d4752f4f8652a3f2dfb4da489
Instruction Fuzzy Hash: 67F190B5A4021A8FCB19CF68C494AADBBB2BF85700F198479D405AF3A5DB31DC41CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 07115CB8, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e63b192d67a01bb18a5f9fcaaaa5bfe4a309662b2aab17caa82bc01bb217d09
Instruction ID: de7f178e13c44d6dd4912ba67d55adc1fee96924abc2d4ae79e66c3c0fce812f
Opcode Fuzzy Hash: 6e63b192d67a01bb18a5f9fcaaaa5bfe4a309662b2aab17caa82bc01bb217d09
Instruction Fuzzy Hash: FE91D574E002188FDB54DFA5D895BDEBBB2FF88304F2084AAE519AB354DB309945DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0711DF70, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dfeab26d8e845c4e96c40f88e83ded4a312cd14d44bf9cff6dce4524cad4d48
Instruction ID: 9fa720a1698d9476eb2ad41782fe1eb075c59977bda812d7278463993a5cae12
Opcode Fuzzy Hash: 3dfeab26d8e845c4e96c40f88e83ded4a312cd14d44bf9cff6dce4524cad4d48
Instruction Fuzzy Hash: D781C2B4E102098FDB08CFE9D8846EEFBB2EF89300F14842AD815AB364D7319906CF55

Uniqueness

Uniqueness Score: -1.00%

Function 07115CC8, Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e85795416b00f11e556499980e2980f4a90b60dd53bf828f779d82b15a40a09
Instruction ID: fd4683e4606512ace81ad6d354c107672ed40aee124d4f2be37282d29be3d28f
Opcode Fuzzy Hash: 2e85795416b00f11e556499980e2980f4a90b60dd53bf828f779d82b15a40a09
Instruction Fuzzy Hash: BA81B474E002189FDB54DFA5D895BDEBBB2FF88300F2080AAE519AB354DB30A945DF50

Uniqueness

Uniqueness Score: -1.00%

Function 07117EB0, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c17d24c536171fbeb6bb5515121811394a35208c3e00df50d72ab386b011886
Instruction ID: 6d22902f9cb93828de8b5867d9aa3909f4361a71e48e417289100a438df9a08c
Opcode Fuzzy Hash: 5c17d24c536171fbeb6bb5515121811394a35208c3e00df50d72ab386b011886
Instruction Fuzzy Hash: 8551B4B4E042199FCB04DFA9C881AEEFBF2BF89311F14C569D414AB395D7349942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 071147E0, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2850d54545c9a50ddee18bb1b59b8373da6356d104f43a7471b8cb29f2e5d6ac
Instruction ID: 6b148ec4eefe24539b45c2a55dda6e453448aa052f96b1feb37159acc9d11705
Opcode Fuzzy Hash: 2850d54545c9a50ddee18bb1b59b8373da6356d104f43a7471b8cb29f2e5d6ac
Instruction Fuzzy Hash: 6B6129B0D1524ACBCB08CFE5D5465AEFBB2FF89700F11942AD905BB2A4D7309A42CF95

Uniqueness

Uniqueness Score: -1.00%

Function 071147D0, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7d2c4cfd8f4d7ad05ec60575f4ddc12d42c50d3cc134a59eef9bac3a6e7eea9
Instruction ID: f9f4285e9f02bd6c3337a4bd21b5f6e7d088fe6038943cd662d5a3739f2e936e
Opcode Fuzzy Hash: b7d2c4cfd8f4d7ad05ec60575f4ddc12d42c50d3cc134a59eef9bac3a6e7eea9
Instruction Fuzzy Hash: E6512BB4D1524ACFCB08CFE5D5425AEFBB2FB89700F10942AD901BB2A4D7349A42CF95

Uniqueness

Uniqueness Score: -1.00%

Function 07114D67, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d32229ba34ff96b8e3905874303c437365cd5023e5892b9d083a954e1962b6
Instruction ID: dd3b9f387edc28e2b7b8ce418ac9670e331d98e5a008e40bddcbb4e6d1e10e8a
Opcode Fuzzy Hash: 89d32229ba34ff96b8e3905874303c437365cd5023e5892b9d083a954e1962b6
Instruction Fuzzy Hash: F451F3B4E112498BCB08CFA9D9449EEFBB2FF89700F14D42AE815AB354D7349A42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07114D78, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84bdbf8a4bffc21637f299c11abd94d68ca7b0cf00f23cd4c50247c9ae5c1308
Instruction ID: e2789556488921ca283c1bbae7591421094991202935627c5b5809ef0b5981ec
Opcode Fuzzy Hash: 84bdbf8a4bffc21637f299c11abd94d68ca7b0cf00f23cd4c50247c9ae5c1308
Instruction Fuzzy Hash: B851E1B4E112198BCB08CFAAD5449EEFBB2FF89700F14942AE815AB354D7349A42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 071158F8, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d35051de2937b8df27966b7d1e86fcf4df0e5dd44367f523f4af23df491b3d22
Instruction ID: 45959e7c3adfd2224c03d082c89e0fa75b069cb83cfcb64abd82967dcf64d16d
Opcode Fuzzy Hash: d35051de2937b8df27966b7d1e86fcf4df0e5dd44367f523f4af23df491b3d22
Instruction Fuzzy Hash: 145106B4E052199FCB08CFA5DA815EEBBF2FF89310F14946AD805BB354DB349A128F51

Uniqueness

Uniqueness Score: -1.00%

Function 07115908, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b07c26ce2698a22b5858cf62f35e12f339c55d92f82d82a14d7406225a47f23
Instruction ID: b0b71d5468e6ae7ab10a1556568b33d231b7a40aef7df29a3c13c8486363d3a7
Opcode Fuzzy Hash: 5b07c26ce2698a22b5858cf62f35e12f339c55d92f82d82a14d7406225a47f23
Instruction Fuzzy Hash: DA51E4B4E152199FCB08CFAAD9415AEBBF2FF89310F14942AD815BB354DB349A018B51

Uniqueness

Uniqueness Score: -1.00%

Function 07113851, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8047a4bd310d32ca4b4c9153c12a6129290a2fd7b13f14b317ed46f84ad2305e
Instruction ID: c8800bb6b7f59352b5846d7e5b9b2f213a28a473d659075a5f9445126c66a124
Opcode Fuzzy Hash: 8047a4bd310d32ca4b4c9153c12a6129290a2fd7b13f14b317ed46f84ad2305e
Instruction Fuzzy Hash: 6E316D364493A38FD7868B74DC511D1BBB1FF5232872801A7C8D18A5A3E3650957CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07115130, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a2b621738edfe79415c5ed9d8dd997ab43ba04eaf51ee05893d75d740a1722
Instruction ID: 0652fde42c04f713f22ad9dc1230ff63e4d1bac35129321d5e14b6ae00554a17
Opcode Fuzzy Hash: 62a2b621738edfe79415c5ed9d8dd997ab43ba04eaf51ee05893d75d740a1722
Instruction Fuzzy Hash: DA4116B5E15219AFCB08CFAAD9405DEFBB2FF88300F14D46AD415A7258EB345A01CF64

Uniqueness

Uniqueness Score: -1.00%

Function 07115140, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 200424b4ff676dd80bb3a1b50c7f5bfaddcb5c9df0bb494548d74e755f6085e5
Instruction ID: f39cc319d0342bd346e4216f144e78a5646366e587a525b50635303d20e42220
Opcode Fuzzy Hash: 200424b4ff676dd80bb3a1b50c7f5bfaddcb5c9df0bb494548d74e755f6085e5
Instruction Fuzzy Hash: 9F4103B5E15219AFCB08CFAAD8405EEFBB2FF88300F15D42AD415AB254EB345A01CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02E6AC08, Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02E6AE4E

Memory Dump Source

Source File: 00000012.00000002.400112140.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 29c0503a230416124a3a17e8d3907d1a34d80a7607636f800aff1617dddaa274
Instruction ID: 1a99694f0e90fc717e2b8d4da87f3a568602593681f2a92f1b3ebf51bf9fb314
Opcode Fuzzy Hash: 29c0503a230416124a3a17e8d3907d1a34d80a7607636f800aff1617dddaa274
Instruction Fuzzy Hash: 89714670A40B058FDB24DF6AC0457AAB7F2BF88248F00892EE44AD7B50DB35E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05651759, Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 056518CA

Memory Dump Source

Source File: 00000012.00000002.407046659.0000000005650000.00000040.00000001.sdmp, Offset: 05650000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4244c88cbf29670bfd04781fcb47a7118d720deffbe2f1586c471ab1c30ce2c1
Instruction ID: 925fc696669222d40363c2231762fc7c1197342104419d30afe30536d3d17864
Opcode Fuzzy Hash: 4244c88cbf29670bfd04781fcb47a7118d720deffbe2f1586c471ab1c30ce2c1
Instruction Fuzzy Hash: E251EFB1C00249EFCF11CFA9C980ADEBFB6BF49314F15816AE818AB220D7759995CF51

Uniqueness

Uniqueness Score: -1.00%

Function 056517B8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 056518CA

Memory Dump Source

Source File: 00000012.00000002.407046659.0000000005650000.00000040.00000001.sdmp, Offset: 05650000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c733a05b2681fa9d732a0bdf956de62dc85749ea671df87a4e8756ed0e6a9343
Instruction ID: c9c8ea9481d22bef13e3ae08b215e2b798dda392198471b818ad50e9e2857073
Opcode Fuzzy Hash: c733a05b2681fa9d732a0bdf956de62dc85749ea671df87a4e8756ed0e6a9343
Instruction Fuzzy Hash: 3D4191B1D00349DFDF14CF99C884ADEBBB5BF89314F24852AE819AB210D7749945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02E6423C, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02E65741

Memory Dump Source

Source File: 00000012.00000002.400112140.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f387afd63bcf0c699031c4694c534a7f304893a1fb46a945ae73ff69d6664a6a
Instruction ID: 9200ab760b2f9429d7635e36fa46902f9eeba76512987e06156d245351eba4ad
Opcode Fuzzy Hash: f387afd63bcf0c699031c4694c534a7f304893a1fb46a945ae73ff69d6664a6a
Instruction Fuzzy Hash: 7741DF70D40619CFDB24DFA9C888BEEBBB5BF88308F608069D408AB251DB756945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02E65685, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02E65741

Memory Dump Source

Source File: 00000012.00000002.400112140.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7a58521e8f9a3ace7ad725bcc565166c792e48eccc606b141b8e305e26f63797
Instruction ID: e131e3b22e2d4439feb4bce5ba4ff34bb5fb677a1c4cb0cd9c258d02188f3b42
Opcode Fuzzy Hash: 7a58521e8f9a3ace7ad725bcc565166c792e48eccc606b141b8e305e26f63797
Instruction Fuzzy Hash: B5410271D40619CFDB24CFA9C888BDEBBB5BF88308F60806AD409AB251DB756945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05653D70, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05653E31

Memory Dump Source

Source File: 00000012.00000002.407046659.0000000005650000.00000040.00000001.sdmp, Offset: 05650000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: c0bd6916dab4d1b98baeb289992a5084aaf72b0a03307294cc5d9b151164df40
Instruction ID: 882b75c505e1e7501f8a2ef09499721fc241f1e653ea3e4a5f871e9c508b97aa
Opcode Fuzzy Hash: c0bd6916dab4d1b98baeb289992a5084aaf72b0a03307294cc5d9b151164df40
Instruction Fuzzy Hash: 4A413CB4A00345CFCB14CF99C448AAABBF5FF88764F15C859D519A7721D734A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 056519C1, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.407046659.0000000005650000.00000040.00000001.sdmp, Offset: 05650000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1748479a1b64f85c49ebd62c7a4666c7867fa83b5df003ead12fca66832b9a2
Instruction ID: fe40f5c8be31731580bd688c599a8f6bb47c09a6a22f9d386c33d1770ab6f44b
Opcode Fuzzy Hash: a1748479a1b64f85c49ebd62c7a4666c7867fa83b5df003ead12fca66832b9a2
Instruction Fuzzy Hash: CC219AB5800349DFDB01CFA9E948BDABBF4FF89324F14814AE855A7211D335AA04CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E6B5B5, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E6D4E6,?,?,?,?,?), ref: 02E6D5A7

Memory Dump Source

Source File: 00000012.00000002.400112140.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a449861501bfa6969c501f333cd42370be6f14cb96d8fd228bec90bff0c93b6c
Instruction ID: 3f6d44f3cc5c05833cab5e84acd7a23c6aa75319d5dc1764da61e64896cd92a8
Opcode Fuzzy Hash: a449861501bfa6969c501f333cd42370be6f14cb96d8fd228bec90bff0c93b6c
Instruction Fuzzy Hash: BD2117B5900309DFCB10CFAAD984BEEBBF8EB48324F14805AE914A7710D374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02E6B5C4, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E6D4E6,?,?,?,?,?), ref: 02E6D5A7

Memory Dump Source

Source File: 00000012.00000002.400112140.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a63ed82172cff24916d6b0d1e30ae0869928f1e32cfcd479194ef57fbc60005f
Instruction ID: 08964f5d6c5fe445ddbe7e0ad9ee1d06d9dca211f60c72bfea298fd645068d37
Opcode Fuzzy Hash: a63ed82172cff24916d6b0d1e30ae0869928f1e32cfcd479194ef57fbc60005f
Instruction Fuzzy Hash: 3521E4B5900258EFDB10CF9AD884AEEFBF8FB48324F54801AE914A7310D774A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E6D518, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E6D4E6,?,?,?,?,?), ref: 02E6D5A7

Memory Dump Source

Source File: 00000012.00000002.400112140.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fd1900f8e35b2659ea1237d0421cc989c13db0b56c5852a0ab3d70b7890b80fc
Instruction ID: 1f27018249ed3c6e4f9e35a4279de7368b1020c73d40e21935be09b8cbc07c5d
Opcode Fuzzy Hash: fd1900f8e35b2659ea1237d0421cc989c13db0b56c5852a0ab3d70b7890b80fc
Instruction Fuzzy Hash: 9C21E4B5D00218DFDB00CF99D984AEEBBF8EB48324F14841AE914A7710D378A954CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02E6B068, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02E6AEC9,00000800,00000000,00000000), ref: 02E6B0DA

Memory Dump Source

Source File: 00000012.00000002.400112140.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f4717f024eb161b42dd9cdefc2261d7408386d2ab82f61faa7530a397b82e2d6
Instruction ID: c9d56bc172c649daa7e3ccf915654d82314a7013a40445204a59e4069e2f754c
Opcode Fuzzy Hash: f4717f024eb161b42dd9cdefc2261d7408386d2ab82f61faa7530a397b82e2d6
Instruction Fuzzy Hash: 7B1103B2900209DFCB10CF9AC444BDEFBF4AB88328F05841ED829B7600C775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02E69FB8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02E6AEC9,00000800,00000000,00000000), ref: 02E6B0DA

Memory Dump Source

Source File: 00000012.00000002.400112140.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 40085e02b8a1cb9d052cb2466fbd2bf57cd2625eef97456a464e9dcdb0c9db63
Instruction ID: 348aaa66533db245da3febe0fb212a98b6f2a05cd9c6e0cf9690fc4065857254
Opcode Fuzzy Hash: 40085e02b8a1cb9d052cb2466fbd2bf57cd2625eef97456a464e9dcdb0c9db63
Instruction Fuzzy Hash: C811F4B1944209DFCB10CF9AC448BEEFBF4AB88368F04842ED925B7200D775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02E6ADE8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02E6AE4E

Memory Dump Source

Source File: 00000012.00000002.400112140.0000000002E60000.00000040.00000001.sdmp, Offset: 02E60000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5a71ecacf12520183dfb1918d19146fd2c5f93a04442ef86d61c1c31dd1f5397
Instruction ID: 7a350a6fe185317c179317a46525fd14f979a52fdf7198f5b94fca2f10fc42e9
Opcode Fuzzy Hash: 5a71ecacf12520183dfb1918d19146fd2c5f93a04442ef86d61c1c31dd1f5397
Instruction Fuzzy Hash: 09110FB1D007498FCB10CF9AC448ADFFBF4AB88228F10842AD869B7300C378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05651A00, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 05651A5D

Memory Dump Source

Source File: 00000012.00000002.407046659.0000000005650000.00000040.00000001.sdmp, Offset: 05650000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 5c3c53b370f598d8ca33021844ea3b5935ed24ec3231b82b3d6065881be51380
Instruction ID: c9570a30dc15bf1dcaee5dd903c53623212ce83a129b134a5698f7506e9c9122
Opcode Fuzzy Hash: 5c3c53b370f598d8ca33021844ea3b5935ed24ec3231b82b3d6065881be51380
Instruction Fuzzy Hash: 1B11C2B59003499FDB10DF9AD484BDEFBF8EB88324F11841AD955A7700C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0711CDE8, Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5abe9e8590b5b12ddc9645631b4d6de3f632343671e3944122ba06160b5b7c2
Instruction ID: a5d75133824a029b5cd6e279d165da47c1e2690958158d31f98c297b757b2a8f
Opcode Fuzzy Hash: c5abe9e8590b5b12ddc9645631b4d6de3f632343671e3944122ba06160b5b7c2
Instruction Fuzzy Hash: 18C18F70B101198FCB15DFA8E458AAE7BB6BF88714F158469E905EB3A0DF30DC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 071171D8, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5287faebe110d386a2212e0f3ddc07c8b2c5294bcdc6c69158d4ae467168b5d
Instruction ID: 683c633b3309b62e4baf3b5c266693630b7b5e47f1a0f9b409a3df4da96808bd
Opcode Fuzzy Hash: b5287faebe110d386a2212e0f3ddc07c8b2c5294bcdc6c69158d4ae467168b5d
Instruction Fuzzy Hash: AF811370D00219DFDB25DFA5D884BDDFBB6BF89304F1484A9E408AB291DB309A85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07118630, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2cd5f68f1926668ae081113180212ff3376ec4dbc1dc224b0e59e0236d8698
Instruction ID: f0b42e19d3defece4eecc50158ab7c5a6c3c67ccf7f8f9e33835a844287cb7f4
Opcode Fuzzy Hash: ed2cd5f68f1926668ae081113180212ff3376ec4dbc1dc224b0e59e0236d8698
Instruction Fuzzy Hash: 1A51A3B6B002068FCB15DFB8C88456EBBB6AF85324B19C579D505CF2A1EB30E881C751

Uniqueness

Uniqueness Score: -1.00%

Function 07118208, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef703be42b6d963b1510f878ed7de43c144680780dcffaf36c0d36e8b48a6efd
Instruction ID: ae71b657bec0d1aa4afef28d6b72d88b8322b372f16047ce998c8e3ac8a30d8f
Opcode Fuzzy Hash: ef703be42b6d963b1510f878ed7de43c144680780dcffaf36c0d36e8b48a6efd
Instruction Fuzzy Hash: 08616E71B102198FCB15DF68D458AAD7BB2EF89621F198479E902AB390CB70DD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 071155CC, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56a2b7acb2241224c7b1b12d0edfcf8f1f14e9d21de0edbc22f4a89b6873aaec
Instruction ID: 58793f95f9bd8229932f938edb4624fa2ddcfa4434b9059cf4d3e67aeffd2a8c
Opcode Fuzzy Hash: 56a2b7acb2241224c7b1b12d0edfcf8f1f14e9d21de0edbc22f4a89b6873aaec
Instruction Fuzzy Hash: B7519F71B002168FCB05DBB9D8484BEBBB7EFC4214715896AE429DB390EF30DD058B91

Uniqueness

Uniqueness Score: -1.00%

Function 0711D298, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5353c40531f874c41c80ebe6e405de83274d8a18b2c7c39f039a636d886a72d4
Instruction ID: 890db097a9117b18676d87310775c7a3f389fede5410893d99ae699e48f63031
Opcode Fuzzy Hash: 5353c40531f874c41c80ebe6e405de83274d8a18b2c7c39f039a636d886a72d4
Instruction Fuzzy Hash: 2D51A0F4B14215CFCB09DF68D8889AEBBB2BF89310F158579D445EB2A0D734E941CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07118ACF, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1043fe0d28ed53fe86783f1196c08487cb21d77b5d60af4b44543d91d702ba4
Instruction ID: 5f570f863ae72c04789472bf8ff475cf659431fcea1ed62079cb716bfa537f77
Opcode Fuzzy Hash: a1043fe0d28ed53fe86783f1196c08487cb21d77b5d60af4b44543d91d702ba4
Instruction Fuzzy Hash: EF4148B171011A9FCB05DF64D889AEE7BB6FF84215F048429F8069B294DB70DD52CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07117EA0, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67316fe06431b835ee23b07d264b5fd047858d7306ae63a3c28d624bf63c2349
Instruction ID: e46f61ad8ef1e1f0c3a510eb13f99d2d4007a67c9a45b893aa8f447b8ed1cdc8
Opcode Fuzzy Hash: 67316fe06431b835ee23b07d264b5fd047858d7306ae63a3c28d624bf63c2349
Instruction Fuzzy Hash: 9341F7B5E042199FDB09DFAAC9446EEFBF2BF88300F14C56AD414AB394DB749902CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07115F67, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f104be51494dced4fef311ba03ade9d63b018e99bbd9edf4d7e7bb6ef82611b8
Instruction ID: 96a95f9282c0e12552e289793351c5bafd48fedeb2351991dc8e97f6e35b4893
Opcode Fuzzy Hash: f104be51494dced4fef311ba03ade9d63b018e99bbd9edf4d7e7bb6ef82611b8
Instruction Fuzzy Hash: 914115B5E04219DFCB15CFA4D845AEEBBB1FF49300F1081AAD519AB3A1DB359A41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07113899, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194683e6e3ef147c92713b5364ecf0c5b57f5045a8f6573974e209d3291bab83
Instruction ID: e2a63b0b3e549d5adc11e57087ac0d274267383b05b4afbcee919c0ac9c96695
Opcode Fuzzy Hash: 194683e6e3ef147c92713b5364ecf0c5b57f5045a8f6573974e209d3291bab83
Instruction Fuzzy Hash: 6E315C714583938FD792DB74DC511D6BBB1FF2232876801A7D8D0CA193E3750966CB92

Uniqueness

Uniqueness Score: -1.00%

Function 07112B20, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d58b7f9d647a4af477340dd2559c23eff5b8420bb5e7ea412ee0d853e33cb24
Instruction ID: 843e8c3dbcc071598a34f3da294ac613ec744990bf3b5439a83332a82a31b308
Opcode Fuzzy Hash: 6d58b7f9d647a4af477340dd2559c23eff5b8420bb5e7ea412ee0d853e33cb24
Instruction Fuzzy Hash: 4B314170E15649DFCB58CFA5D98159DFBB2FF8A200F24D5B9C405EB294E7349A41CB04

Uniqueness

Uniqueness Score: -1.00%

Function 07112B30, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90bb1347f3a748205eb8fc72c5c5f18778a5142993f22a0d18ee5715a70d0bc0
Instruction ID: ea3d3bb9ffd2015f20515c8d7f659e81f27a4a19187a2abb4e874b3a7b51023f
Opcode Fuzzy Hash: 90bb1347f3a748205eb8fc72c5c5f18778a5142993f22a0d18ee5715a70d0bc0
Instruction Fuzzy Hash: 14312F70E15609EFCB48DFA5D54159EFBB6FF89200F24D9BAC409EB294EB309B418B44

Uniqueness

Uniqueness Score: -1.00%

Function 071171CA, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2362adb294a0bc0b9698e50e80a0242c3576fc677bac759159150c928ac69be1
Instruction ID: 13f78a02307d57b8f49ed67e7d7d7fdffb4643ea3fe58457559ed273f842d321
Opcode Fuzzy Hash: 2362adb294a0bc0b9698e50e80a0242c3576fc677bac759159150c928ac69be1
Instruction Fuzzy Hash: 49310A70E012189FDB19CF6AD8417DDBBB2AF85304F1484AAD40CA7391EB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0711E9F8, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16dfd083c1dac1f301f8348e24049f6eb7911aadd88bb6c90e2e6a3497f3eaec
Instruction ID: bade148d1cd01d2bf603acb63b932ebc03ae1e90d27e53636f7e42f3550f1a36
Opcode Fuzzy Hash: 16dfd083c1dac1f301f8348e24049f6eb7911aadd88bb6c90e2e6a3497f3eaec
Instruction Fuzzy Hash: 7D313AB0E1421A9FCB48CFE9D5815AEFBF2BF89301F51C4AAC418AB254D7709A458F40

Uniqueness

Uniqueness Score: -1.00%

Function 0711E8D8, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ac3c83d78f3b8a9166c5c32e2be368d0cdc253252b5f6787e1221ee3927ece
Instruction ID: 5ccf943bc8bcee9d1b36151088dd3895b00d80921141c4568676780057087be9
Opcode Fuzzy Hash: 97ac3c83d78f3b8a9166c5c32e2be368d0cdc253252b5f6787e1221ee3927ece
Instruction Fuzzy Hash: 1131C6B4E14209DFCB84CFAAC5815AEBBF2FF89301F10956AD819A7354D734AA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 014CD4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.399701991.00000000014CD000.00000040.00000001.sdmp, Offset: 014CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e693b733d15aa979fe78035c07f8888978894a05da6e50aaf8a3729ead73825d
Instruction ID: a7e9da8e3f9544f7a34d92ce922637e185e5abc5efc14b2dc11349c6a7cf168b
Opcode Fuzzy Hash: e693b733d15aa979fe78035c07f8888978894a05da6e50aaf8a3729ead73825d
Instruction Fuzzy Hash: DE212479904240DFCB45DF54D8C0B27BF65FB98A28F20857ED9050B356C336D856C6E2

Uniqueness

Uniqueness Score: -1.00%

Function 014ED01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.399779172.00000000014ED000.00000040.00000001.sdmp, Offset: 014ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c467f600371045bc698017fd1bb41c05ac47f1dfba96f6bbc14d38a5da0b93c
Instruction ID: cbe374f6a0f0ef02265da1a9508747fc4f8394f363bfae82ff938d549c25822b
Opcode Fuzzy Hash: 3c467f600371045bc698017fd1bb41c05ac47f1dfba96f6bbc14d38a5da0b93c
Instruction Fuzzy Hash: AC2125B1904200DFCB15CF54D8C8B17BFA5FB84359F28C96AD8094B356C33AD847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 014ED1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.399779172.00000000014ED000.00000040.00000001.sdmp, Offset: 014ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f033a121b59e6e52af31d371f84d1305729fc87eaf7a452893adb98526984f72
Instruction ID: 50faaf6654eb5a312f1ae698615f87d93958617b0847a84c8693896f25b8a3fd
Opcode Fuzzy Hash: f033a121b59e6e52af31d371f84d1305729fc87eaf7a452893adb98526984f72
Instruction Fuzzy Hash: 1F214975904200DFDB01CF94C9C8B16BBE5FB84325F20C96ED8094B352C73AD846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0711576C, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f9dfe0896891c2a447b75a19d9d3643fb82bded9a88e43472c18d3fb9b39e9b
Instruction ID: 932edefd00aaf62637dc869441c94f5676b3e344901aeb22ec2b06c7e7b0dbd8
Opcode Fuzzy Hash: 7f9dfe0896891c2a447b75a19d9d3643fb82bded9a88e43472c18d3fb9b39e9b
Instruction Fuzzy Hash: 9731B4B0D11219DFDB10DF99C588BDEBBF4AB48714F15806AE408BB290CBB55949CF91

Uniqueness

Uniqueness Score: -1.00%

Function 071162EC, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6adad1ea9efcbbc5e19c1d73c6db9c97f03769928af11ff257f4829552ca62a
Instruction ID: dd8f7ddd2f473f7cc2f37fdd37a40fe8fdafd2bd639bf43ee335841f898de12e
Opcode Fuzzy Hash: c6adad1ea9efcbbc5e19c1d73c6db9c97f03769928af11ff257f4829552ca62a
Instruction Fuzzy Hash: 7231D4B0D11218DFDB11CF99C584BDEBBF4AB48714F14806AE408BB280CB755849CF91

Uniqueness

Uniqueness Score: -1.00%

Function 071181F8, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18cd5e9e55af7222b27d373d5f32208eced675a651bdb221a378e0c8d5a880e
Instruction ID: 2c5c5ac1ad54c7fcf66b50ed860fa944cd5c33c3adac90ae1aab0953a8582776
Opcode Fuzzy Hash: a18cd5e9e55af7222b27d373d5f32208eced675a651bdb221a378e0c8d5a880e
Instruction Fuzzy Hash: C0211972A101099FCF05DFA4D848ADDBBB2FF48321F148069E901BB2A0DB71AD54DB65

Uniqueness

Uniqueness Score: -1.00%

Function 014ED006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.399779172.00000000014ED000.00000040.00000001.sdmp, Offset: 014ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a6b428eb6fe73b26aa5c6cc2cf57257c3f596dcb856fdf73bd812b93f4ae99
Instruction ID: da2a7f0f4539c93a35ebcaac51bd039e18e205c194b574988041d5ff07e4037e
Opcode Fuzzy Hash: 68a6b428eb6fe73b26aa5c6cc2cf57257c3f596dcb856fdf73bd812b93f4ae99
Instruction Fuzzy Hash: 722180755093808FCB13CF24D994716BFB1EB46214F28C5DBD8498B667C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 071155BE, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf584fa9d366b5e4b2f3266ebceeeb3bf68df1a59aad403252710b2af761a72c
Instruction ID: 80e238e91652c1c3446b744c0fca9bde21a81a198316b756adbe282b5c6c76e7
Opcode Fuzzy Hash: bf584fa9d366b5e4b2f3266ebceeeb3bf68df1a59aad403252710b2af761a72c
Instruction Fuzzy Hash: E911BFB5A0021A9B8B15EB7988494BFBBFBFFC5250715493DD819DB280DF309A058761

Uniqueness

Uniqueness Score: -1.00%

Function 07116138, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6372ed0403cc53627737f6d29ea95657c35a7f8ba017a00d249a420612b4311
Instruction ID: 760a35abe8fa815c4babe44bff3900f26efd3beb9ab5e88f3e8c5c7a4e347641
Opcode Fuzzy Hash: b6372ed0403cc53627737f6d29ea95657c35a7f8ba017a00d249a420612b4311
Instruction Fuzzy Hash: D5119EB5A002169F8B11EB79CC444AFBBFBEFC42607154539D818DB384EF309A198761

Uniqueness

Uniqueness Score: -1.00%

Function 071153D0, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a294c4d288adb3d6a33f3095c13e6ef597b9407dcdc5b363ec410bd1bec4c054
Instruction ID: a8a5ad50c0bc07b49774e2079c571ec103ac086d85c00540212d186e393d98f8
Opcode Fuzzy Hash: a294c4d288adb3d6a33f3095c13e6ef597b9407dcdc5b363ec410bd1bec4c054
Instruction Fuzzy Hash: 19217FB4E15205DFCB44CFA8D98159EBBB2FB89341F2491BAC515AB394E7349A12CB01

Uniqueness

Uniqueness Score: -1.00%

Function 07116068, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e353be0fe0f528bc7d1cc6772e2db16c1d875b90b9076a9c174833d39e2331
Instruction ID: 0b313added677de873fa78071629e728ef7fccff1520bb993050719cd99f794d
Opcode Fuzzy Hash: 61e353be0fe0f528bc7d1cc6772e2db16c1d875b90b9076a9c174833d39e2331
Instruction Fuzzy Hash: B5117071B0021A8FCB55EBB898115EEB7F6AFC9254B14403AC505EB780EF36CD158BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0711CD18, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12608ab720b95e0d90d840400053951ece4a21ba9f1d9d443f8f34b22f4e56fd
Instruction ID: e07d197a038a5192dc578a68c518a173c4968bbfd4a0068d9c8f06c113e5511c
Opcode Fuzzy Hash: 12608ab720b95e0d90d840400053951ece4a21ba9f1d9d443f8f34b22f4e56fd
Instruction Fuzzy Hash: E711BE31525249EFCB41EFB8D80499EBFB6AF45308F1484A9E0049F261DB759E14DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 014CD4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.399701991.00000000014CD000.00000040.00000001.sdmp, Offset: 014CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
Instruction ID: 4c7392f1946782fe0a76ede45da64af6239711e37a52bdfedc1ff1edd5913211
Opcode Fuzzy Hash: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
Instruction Fuzzy Hash: 46119D76804280CFCB12CF54D9C4B16BF61FB94624F2486AAD8450B766C336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 071153E0, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15bc5d92b47027bdafa80a67c698a1cc36d23db3a9a092dfdbd466f9038b5298
Instruction ID: b7e587614bfc0085740d3df5efa114ee9cbf32b05c592f0f8523c01ce1a7de64
Opcode Fuzzy Hash: 15bc5d92b47027bdafa80a67c698a1cc36d23db3a9a092dfdbd466f9038b5298
Instruction Fuzzy Hash: F7115BB4E15209DFCB48CFE9D54069EBBF6FB89301F2090BA8409A7354EB309A11CB51

Uniqueness

Uniqueness Score: -1.00%

Function 014ED1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.399779172.00000000014ED000.00000040.00000001.sdmp, Offset: 014ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c1c4d15945f75f5c7145bd3be0d7b4ff171933bea9630414cfd87ddfd5d3604
Instruction ID: 0fb90202e095dee766f3886dbe9c1d5922483066664d2a13fc6865da6e24b8d8
Opcode Fuzzy Hash: 9c1c4d15945f75f5c7145bd3be0d7b4ff171933bea9630414cfd87ddfd5d3604
Instruction Fuzzy Hash: 37118B75904280DFDB12CF54D5C8B16BFA1FB84224F28C6AAD8494B7A6C33AD45ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 014CD745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.399701991.00000000014CD000.00000040.00000001.sdmp, Offset: 014CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ace85c393fecd79ce12b62a29675e4ab56bb5554529621f42442808a5992060
Instruction ID: 873fb27b2f5e6bf62645dde1e0ccb0eb3aca0fd6814e27ac951a8b012973d41d
Opcode Fuzzy Hash: 9ace85c393fecd79ce12b62a29675e4ab56bb5554529621f42442808a5992060
Instruction Fuzzy Hash: E4014779809380AAE7515AA9CC84B63BB98DF81A38F08843FED080B356D7389845C6F1

Uniqueness

Uniqueness Score: -1.00%

Function 07116030, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1053279bb0ab95ef3c65074df12d1b6476928b6113922887b74ea7b90574f079
Instruction ID: a8d9de4357a4eddcba2c1e89fb7c2ae9f3271073f6ea64a7574df42f16e01f87
Opcode Fuzzy Hash: 1053279bb0ab95ef3c65074df12d1b6476928b6113922887b74ea7b90574f079
Instruction Fuzzy Hash: EA01D6767041458FCB02E7B4D8216EE73B7AFC5244719407AC5059F790EF2ACC25CB92

Uniqueness

Uniqueness Score: -1.00%

Function 07118078, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19519ef6820d5d1c96860f270ff8171993a4c0c65d4cdee7f4a351fa60629c9d
Instruction ID: 7e5f96ba485fe9782fedca40a87518e37e03ad51df1c65c4b4e378365d52e640
Opcode Fuzzy Hash: 19519ef6820d5d1c96860f270ff8171993a4c0c65d4cdee7f4a351fa60629c9d
Instruction Fuzzy Hash: 48F0F6B2D0805D8FCB00DBA8C8011FD7FF4EB5A251F2080A6D415EB290D3259E06DB21

Uniqueness

Uniqueness Score: -1.00%

Function 07116748, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238ba6257f88b563ec1ceeaa83924fd9f5149a411fb86b3a1a921c6179660334
Instruction ID: 20b277c40681bd84d33e37899382547558c6661937c948c3e2856204b55703ed
Opcode Fuzzy Hash: 238ba6257f88b563ec1ceeaa83924fd9f5149a411fb86b3a1a921c6179660334
Instruction Fuzzy Hash: B3F03A767042645F9704CBAADC84CABBBE9FF89664329807AE518CB311DA309D05C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 071166AC, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d500c83c3b3d57e71dafcd9c67f96d1cf3d92923c13f89f7f7fb359651c15c
Instruction ID: fda080d847618c0729a15bedb8180f66590d2394730e82de6722389c08aa65f4
Opcode Fuzzy Hash: 95d500c83c3b3d57e71dafcd9c67f96d1cf3d92923c13f89f7f7fb359651c15c
Instruction Fuzzy Hash: 4501DEB1900229DFDB15CF65C4047ED7BF1BF49314F148669E424AF1D0DB754A44CB95

Uniqueness

Uniqueness Score: -1.00%

Function 014CD744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.399701991.00000000014CD000.00000040.00000001.sdmp, Offset: 014CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79f6082e00f98d72dfd973f089a19fa73e72f8bfe10b43e4d466e01f011e8b9a
Instruction ID: 71d65d6bff982370c15167cb91c902ec1fdc4ee6125f55713bfed342ce782064
Opcode Fuzzy Hash: 79f6082e00f98d72dfd973f089a19fa73e72f8bfe10b43e4d466e01f011e8b9a
Instruction Fuzzy Hash: 63F06275805384AAEB519E59CCC4B63FF98EB81634F18C46AED085B396C3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 071166B8, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f08d05c4760607015eec759def8151d732f9f742aa3255d26eacb8c8131c8a5
Instruction ID: 017fcc8e4d4d305a8928c98efa3269813a4ed77de655b4a0195935f230a1274e
Opcode Fuzzy Hash: 5f08d05c4760607015eec759def8151d732f9f742aa3255d26eacb8c8131c8a5
Instruction Fuzzy Hash: 1501FFB0800219DFDB15CF59C4043AE7AF1FF45354F148125E814AF190DB754A40CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07116758, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f19503676e186f96507c2e61f402155b2f2fabb0dcc04df6e1b8c35c6fe15e1
Instruction ID: 58be2418a15aa18cc499a3abcade7aab259eb180648a15fbba4a53d0e6609a66
Opcode Fuzzy Hash: 5f19503676e186f96507c2e61f402155b2f2fabb0dcc04df6e1b8c35c6fe15e1
Instruction Fuzzy Hash: 1EE039767001246F5704DBAAD884C6BBBEEEBCD664355813AF50CC7310DA309C0086A0

Uniqueness

Uniqueness Score: -1.00%

Function 07118620, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06feb72fbff3790f32d59aee49a879f5654880c9cf3a33683e87b2287b5f672d
Instruction ID: fb2049f19d655cf9b5c96b32fe6681663579d4273aff33d5f87217b8639e6821
Opcode Fuzzy Hash: 06feb72fbff3790f32d59aee49a879f5654880c9cf3a33683e87b2287b5f672d
Instruction Fuzzy Hash: 68F02B75A15306DFCF12ABB4E884595BFF0EF05262B058433D904CB152E7308428CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0711F4D0, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b416dcc7313a612c3aaa7e3a18806a6690d8928dd0460fa6b055a4874a4b925
Instruction ID: dd15e520f9b96d351356cdff688f6d70d6a56f30d39a7e5b18bab8932dbe3a52
Opcode Fuzzy Hash: 4b416dcc7313a612c3aaa7e3a18806a6690d8928dd0460fa6b055a4874a4b925
Instruction Fuzzy Hash: 00F0DAB0E0420A9FDB44DFA9D855BAEBFF8FB48300F1145A9D918E7340E77496058F91

Uniqueness

Uniqueness Score: -1.00%

Function 07115C68, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 995ab8049fdec18a01b4fdc8fcaea450e982a422f636dc1f5e63dab553a87936
Instruction ID: fe5172041a02542b212c62864958d2b2eec46b56577471cf22eee46b6b286b98
Opcode Fuzzy Hash: 995ab8049fdec18a01b4fdc8fcaea450e982a422f636dc1f5e63dab553a87936
Instruction Fuzzy Hash: F8F03AB4C09389AFCB15DFA8D84069DBFF0BF05304F1485EAC894AB251E3749A55CB92

Uniqueness

Uniqueness Score: -1.00%

Function 071133C9, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c69eba6e62c2df36542980c21ecea70ef5068e74c127357184c9a96c7329bb7
Instruction ID: 0f6f023314061ab56a5f448ce11af62241b8ec4666279747864e1b4b0ee19e09
Opcode Fuzzy Hash: 5c69eba6e62c2df36542980c21ecea70ef5068e74c127357184c9a96c7329bb7
Instruction Fuzzy Hash: 82F0B430D2470ACFCB09DFA4C9004ADBBB1FF8A201B015A6BC019AF150EB748A44CF55

Uniqueness

Uniqueness Score: -1.00%

Function 07115381, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad769aeb4d4281a2c12d5fd19e86adabdf35d7b139839370e9080a30e7cacf71
Instruction ID: bccfd7c5c51e1f262df3dfadaef53bf15fb84a397c494a91fdd0d9648693ac3d
Opcode Fuzzy Hash: ad769aeb4d4281a2c12d5fd19e86adabdf35d7b139839370e9080a30e7cacf71
Instruction Fuzzy Hash: 04F034789092489FC701DFA8D841AADBFF4FF49300F0445EAE458EB362E3709A11CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0711471F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62270daf7abc04510a34f2b164fe9143887f1ee36cb7c2ea120d00c2bb07c8c3
Instruction ID: 5a21b398d1ddf2557d0185166432719b996fef8c25c5c78a25d5ef37299980a0
Opcode Fuzzy Hash: 62270daf7abc04510a34f2b164fe9143887f1ee36cb7c2ea120d00c2bb07c8c3
Instruction Fuzzy Hash: 1BF082740143458FC756DF78E4859957FB4FB06218B1402A9D8509B2A6DB391C56CB41

Uniqueness

Uniqueness Score: -1.00%

Function 07111D3A, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f4efd4fd4ff4e45b1c862a8d66ed551558869888dbdc554b38c014d4636119
Instruction ID: 82af04f205cb0b2a4117a04ae2b242fc6dc26d34f7c08041d1d40689679a2424
Opcode Fuzzy Hash: b5f4efd4fd4ff4e45b1c862a8d66ed551558869888dbdc554b38c014d4636119
Instruction Fuzzy Hash: D901A4B4D0062C8FCB69CF64CC466DCBBB1BF48301F0495DAD509A6650DB708B84CF96

Uniqueness

Uniqueness Score: -1.00%

Function 07113529, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0a515c1bc3ac113f4540a1e719049e96d93b3acb80751793a64050a295b2de
Instruction ID: a815977c448175ad42edf91f4acc908cbf8448476da5b42071e772403880461a
Opcode Fuzzy Hash: bb0a515c1bc3ac113f4540a1e719049e96d93b3acb80751793a64050a295b2de
Instruction Fuzzy Hash: A4F0CF34A10309CFCB14CF64D559AADBBB2FB8A321F1994A6A40EA7250DB309E84CF00

Uniqueness

Uniqueness Score: -1.00%

Function 07114C80, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8804eadde219b1a2d5703d5b48989e3b62eb7de2116e88aa9ca21ba5752d472
Instruction ID: bcc1735433aa7ca1edc50296f59905770116ab4561961202b9633721b79e9f00
Opcode Fuzzy Hash: d8804eadde219b1a2d5703d5b48989e3b62eb7de2116e88aa9ca21ba5752d472
Instruction Fuzzy Hash: A2F0F2B0D092189FCB45EFA9E9406EDBBF0FF49304F1446AAC818EB241E3350A55CB92

Uniqueness

Uniqueness Score: -1.00%

Function 07112A48, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9fe47aee025310ce4406a2c9a4133dbd7240463184b9357586ee7a76b148e37
Instruction ID: 72fe6be091815cbd0a9f5b9e8230f8d137bbbf880c6e36699f334f2661f0fc62
Opcode Fuzzy Hash: e9fe47aee025310ce4406a2c9a4133dbd7240463184b9357586ee7a76b148e37
Instruction Fuzzy Hash: 8FF0E5706182D24FCB3787A8A8912DA7FB0AB07134B0803DAC8D08F2D3C7251946C783

Uniqueness

Uniqueness Score: -1.00%

Function 07113353, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e48aab8c22c438679d4467c78e8b0209dc98302db74ce624dd90ba086c6e4fca
Instruction ID: 425ffa0070efb3cb023d00428d67a66a313e65797ce67fe71e07390be9c0c0dd
Opcode Fuzzy Hash: e48aab8c22c438679d4467c78e8b0209dc98302db74ce624dd90ba086c6e4fca
Instruction Fuzzy Hash: B1F0BE31914209CFCB04AFB8C6094AEFF70BF46310F005A68D0963B194EB34A154CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07114781, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32dd5a53c128ca658956651ca25c7b632fbc6f08ee0931c8e05a5e571f2850b
Instruction ID: 49e742fb957d0c759268976c1fdc5e77579e60772fbc013b660e84a8509b085c
Opcode Fuzzy Hash: e32dd5a53c128ca658956651ca25c7b632fbc6f08ee0931c8e05a5e571f2850b
Instruction Fuzzy Hash: 28F0A0B08083AA9FCB16CFA8D84469DBFB1BF02318F1842DEC960DB392D3381551CB81

Uniqueness

Uniqueness Score: -1.00%

Function 07110E49, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3e59b38ec9aa8f728dafffceba00d3cfe98862bff2175d8e415a98b6931b9d
Instruction ID: 88cb85a5d06232c91927941050bd349777d3400afe73d211cdfd86c67f845e2b
Opcode Fuzzy Hash: ef3e59b38ec9aa8f728dafffceba00d3cfe98862bff2175d8e415a98b6931b9d
Instruction Fuzzy Hash: 29F0BD30A515598BCB64DB94DC8869EB375BF84304F104AE5C14DAB264DB31AE828F45

Uniqueness

Uniqueness Score: -1.00%

Function 071141F1, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d4fd5ed3470e146b537f3e86d6c471bb667b32c430e95899cdd7795267bb52
Instruction ID: b10932b08b82f970f8172cfeb3b62f71ea9825cda6c26474da4abda2534cca6b
Opcode Fuzzy Hash: 46d4fd5ed3470e146b537f3e86d6c471bb667b32c430e95899cdd7795267bb52
Instruction Fuzzy Hash: 27E06D704892D59FCB16C7A0EC506A97FF1AB43215B1843DAD4A08A2D6C3390A02D752

Uniqueness

Uniqueness Score: -1.00%

Function 0711048E, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e170504c53ec7b247bf61ca675aae71ec624b5212b5bc7b3f9213580b93e80c
Instruction ID: 128dfaaabd1f036fc58e75953aab1f1b46aa56a68f16fd76e7f76f995a36973a
Opcode Fuzzy Hash: 3e170504c53ec7b247bf61ca675aae71ec624b5212b5bc7b3f9213580b93e80c
Instruction Fuzzy Hash: B7F0B734D1161A8FCB24DB60DD886DDB7B2FF84300F1089E69409BB654DB319E80CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0711EB20, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef0ee0e8035b5a11d3a9b7b5c16ff1a814743754062b391d226758237c9076f
Instruction ID: 8fe16f5d60f7d35db6442121f43e49fa76024472a0b8864d8f5343cea4a18832
Opcode Fuzzy Hash: 4ef0ee0e8035b5a11d3a9b7b5c16ff1a814743754062b391d226758237c9076f
Instruction Fuzzy Hash: E8F015B0D0020CDFCB04DFA8D545AAEBBB5FB08301F1086AAE814A3300E7719A41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 07114C38, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a22c2518ccffee6cc018551f8137bafeb707d1f76ef27cf20b659843e3fe21c
Instruction ID: 334429fa10e1fa59c8428bfae50a0362ef1ce9b3d9f3a73ab7a2a29ce02c9555
Opcode Fuzzy Hash: 3a22c2518ccffee6cc018551f8137bafeb707d1f76ef27cf20b659843e3fe21c
Instruction Fuzzy Hash: D8E06D70D09348AFC755EBF8900568CBFF4AB05204F0481FEC808DB691E3355A14CB42

Uniqueness

Uniqueness Score: -1.00%

Function 07114730, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b17e8281846794e8bb74ff2e2e669e3e728e694167f38d44bd79f116fecfc66
Instruction ID: dec209b6b7d7e8b4208a70a3984e872a03cf2a32e0fd649f56562c0ab8da2cdf
Opcode Fuzzy Hash: 3b17e8281846794e8bb74ff2e2e669e3e728e694167f38d44bd79f116fecfc66
Instruction Fuzzy Hash: 09E01AB4911308DFCB45EFB8E44AA99BBB8F709308F1046B8D804E3364EB386D94CB41

Uniqueness

Uniqueness Score: -1.00%

Function 07115C78, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50793076d9c1eeca4beef1341d7345f5ef17d74ed8cc5facaba10df875b39c55
Instruction ID: 4f34dbf84a49ee68bc4de3bd90cb1efc444ccb61f7c7a93145cf5a6eb31fec90
Opcode Fuzzy Hash: 50793076d9c1eeca4beef1341d7345f5ef17d74ed8cc5facaba10df875b39c55
Instruction Fuzzy Hash: 26E0E5B4D00218EFCB54EFE8D8006AEBBF5FB48304F1086AED864A7340E7719A51CB95

Uniqueness

Uniqueness Score: -1.00%

Function 07115390, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e17f3e7e9672277ba84c2b7fc78a425b2ce0d81c89e74f24e9c0dd1988a3565
Instruction ID: e971b54331953fd8c2f20ab6b49afdbb7a136f028f7d649c10cd2daea6daa9c9
Opcode Fuzzy Hash: 5e17f3e7e9672277ba84c2b7fc78a425b2ce0d81c89e74f24e9c0dd1988a3565
Instruction Fuzzy Hash: C7E0C2B4D00218DFCB44EFA8D8456ADBBF4FB48304F0046AAE818E7360E7705A41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 07114790, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704e46e6d4dcf7f49c3d15af50146edbab52df1547beb99fcb105f1880efbb48
Instruction ID: 7ee77d20ec04ad8045ebbb6360039f3afcf013a0ce5a60c1a9d98b26d7b8f466
Opcode Fuzzy Hash: 704e46e6d4dcf7f49c3d15af50146edbab52df1547beb99fcb105f1880efbb48
Instruction Fuzzy Hash: 35E0E5B4D0421DAFCB44EFE8D8006AEBBF4FB08300F0086AAD918E7340E7705A50DB80

Uniqueness

Uniqueness Score: -1.00%

Function 07114C90, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9626f5e7337471eb652cd84f4aeeaf3409102b5765fa08dbd7bbd62029a2ca26
Instruction ID: 932a0d0fa6fa68fa14f3d951d9588f6a04b0aed0c4edb1dae8e00a7bb66df0de
Opcode Fuzzy Hash: 9626f5e7337471eb652cd84f4aeeaf3409102b5765fa08dbd7bbd62029a2ca26
Instruction Fuzzy Hash: BEE092B4D042199FCB54EFE8E9456EEBBF4FB48304F1086AEC828A7344E7715A41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 07114C48, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c19c1eb0f39ed2a1cc933a403258ded4815c2d90c8fc4a4de7bb90709c6e15
Instruction ID: 3da0ee20a5ba2089d2c0085a173fa61a0e099cb41540f1bc55c33532b954e613
Opcode Fuzzy Hash: e0c19c1eb0f39ed2a1cc933a403258ded4815c2d90c8fc4a4de7bb90709c6e15
Instruction Fuzzy Hash: F6E0B6B0E11208AFCB54EFF9904429CBBF4EB44204F1085EEC81897340E7355A45CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0711F478, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffa32908682fe9a602c41219b351639d6440181b29b64d9f398e9110bbc3d3c
Instruction ID: 2439ed81c00a94a37992b55fa381840595ccf7a1b45a3fa7ab54ed7ec8129ab9
Opcode Fuzzy Hash: fffa32908682fe9a602c41219b351639d6440181b29b64d9f398e9110bbc3d3c
Instruction Fuzzy Hash: 09E0B6B1D40209DFD740EFB9C905A5EBBF4BF08610F11C9B9D019EB251E77496058F91

Uniqueness

Uniqueness Score: -1.00%

Function 07112A58, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa6a72f1344be082cb4e9848ab7e8986bbf1580374b8675272b6d1845c14006c
Instruction ID: e38be126cb5d8f5f298714f4e2ab7359815fd2e9d8528e1262d20492c300bc01
Opcode Fuzzy Hash: fa6a72f1344be082cb4e9848ab7e8986bbf1580374b8675272b6d1845c14006c
Instruction Fuzzy Hash: 4BE0EC74E152089FCB64EBF8A44529DBBF4FB44215F5045E98949DB290EB311A81CB92

Uniqueness

Uniqueness Score: -1.00%

Function 07113928, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc7e702e42b0e7daff467f076e0b8f6cd1d34fa212342c565db08c5df3f7515
Instruction ID: 81a9dc3f82ffd007b7de0aa654ff04c5e8798a252610b22d7abbea8caea7f43a
Opcode Fuzzy Hash: afc7e702e42b0e7daff467f076e0b8f6cd1d34fa212342c565db08c5df3f7515
Instruction Fuzzy Hash: 6DE0EC70D112089FCB54EBF8A45979DBBF4AB44314F5005E98909DB294EB315A85C792

Uniqueness

Uniqueness Score: -1.00%

Function 07114200, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32958d1a15d495dc376e120f046eceaa727d12524a04eaea92dfac8b9acd86c7
Instruction ID: d76ccd0396d89e5984e7f109fc2e1c3d8b4c4f36e8c55977f111963c65403bea
Opcode Fuzzy Hash: 32958d1a15d495dc376e120f046eceaa727d12524a04eaea92dfac8b9acd86c7
Instruction Fuzzy Hash: 9AD0C2B0D482089FCB04EBF4A8042ACBBF4AB45300F0081F9881492240E7300A00CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0711F570, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2233274791c303853d8cb48f6eba46364227fc819cdefa44f6eb603cde489da1
Instruction ID: bf44216f481052f3b14ea96f27b22ee0ff84fb97dd77fe87504bbcb45ebcb33e
Opcode Fuzzy Hash: 2233274791c303853d8cb48f6eba46364227fc819cdefa44f6eb603cde489da1
Instruction Fuzzy Hash: 5DD0123221410C9E4B41EEA5E840C527BECAB146507448032F504CE520E721E564E755

Uniqueness

Uniqueness Score: -1.00%

Function 071132A5, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e630f2e4e07d7cf195f3dd7c4e15581f41a929d7c1bc9a2546bc96bb99dfe92c
Instruction ID: e081e3d27efd347c4aa7b399d285e1931c80e0f1f7fb3951dc1f2929c44cd42b
Opcode Fuzzy Hash: e630f2e4e07d7cf195f3dd7c4e15581f41a929d7c1bc9a2546bc96bb99dfe92c
Instruction Fuzzy Hash: B3E0BD74E0531A9BCB04CBA4CA806ADBFB2BB89240F00D856D84AA7280EB348A409F41

Uniqueness

Uniqueness Score: -1.00%

Function 07110B7F, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ef4c22d3fbf2400086d61ccd87d1a0b66c4e76d9cd8ecdcba2dc5ccc9be9ee
Instruction ID: 21b01d442df4cc489c128e9b8e23c14f29191082969f8c84f9aca2aafeaff40a
Opcode Fuzzy Hash: 08ef4c22d3fbf2400086d61ccd87d1a0b66c4e76d9cd8ecdcba2dc5ccc9be9ee
Instruction Fuzzy Hash: D3D0A9B8D046058FEB048E90C45225EFA71EB86301F00E02A8006E62A8CB3882028B00

Uniqueness

Uniqueness Score: -1.00%

Function 07112F34, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.412843844.0000000007110000.00000040.00000001.sdmp, Offset: 07110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7990c642aa4541776f3ea569c44df634eb5d7c9c999bad4e1080e89e7f2e1a2f
Instruction ID: 4aa38c445352b9f55e09f50d85eb2f2d4928277e10042bfad908c166083a0f57
Opcode Fuzzy Hash: 7990c642aa4541776f3ea569c44df634eb5d7c9c999bad4e1080e89e7f2e1a2f
Instruction Fuzzy Hash: 2BC08C72B06202DFC708CAA6C90085ABBB4FB8612074AA4A59016DB362E334D2008F96

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report iGZtra5EaP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre