Play interactive tour

Edit tour

Windows Analysis Report SK TAX INV.exe

Overview

General Information

Sample Name:	SK TAX INV.exe
Analysis ID:	528510
MD5:	c2ee32f9d7de6b05472ceda926fd0a6f
SHA1:	d4455ac7ec0c49769b645e7471989bd7ee29f6fc
SHA256:	84b9fef1f2c0dd3e8f8dc93cf6574d30e2c6e5bc819599fea60c71876df0278d
Tags:	exeInvoice
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

SK TAX INV.exe (PID: 3980 cmdline: "C:\Users\user\Desktop\SK TAX INV.exe" MD5: C2EE32F9D7DE6B05472CEDA926FD0A6F)

SK TAX INV.exe (PID: 6636 cmdline: C:\Users\user\Desktop\SK TAX INV.exe MD5: C2EE32F9D7DE6B05472CEDA926FD0A6F)

dhcpmon.exe (PID: 6980 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: C2EE32F9D7DE6B05472CEDA926FD0A6F)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "f4157c11-54e5-4893-8a60-6856b847", "Group": "Default", "Domain1": "dera31.ddns.net", "Domain2": "195.133.18.211", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.668327294.00000000028A1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1057d:$x1: NanoCore.ClientPluginHost 0x42f9d:$x1: NanoCore.ClientPluginHost 0x757bd:$x1: NanoCore.ClientPluginHost 0x105ba:$x2: IClientNetworkHost 0x42fda:$x2: IClientNetworkHost 0x757fa:$x2: IClientNetworkHost 0x140ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46b0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7932d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x102e5:$a: NanoCore 0x102f5:$a: NanoCore 0x10529:$a: NanoCore 0x1053d:$a: NanoCore 0x1057d:$a: NanoCore 0x42d05:$a: NanoCore 0x42d15:$a: NanoCore 0x42f49:$a: NanoCore 0x42f5d:$a: NanoCore 0x42f9d:$a: NanoCore 0x75525:$a: NanoCore 0x75535:$a: NanoCore 0x75769:$a: NanoCore 0x7577d:$a: NanoCore 0x757bd:$a: NanoCore 0x10344:$b: ClientPlugin 0x10546:$b: ClientPlugin 0x10586:$b: ClientPlugin 0x42d64:$b: ClientPlugin 0x42f66:$b: ClientPlugin 0x42fa6:$b: ClientPlugin
00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SK TAX INV.exe PID: 3980	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x104f4d:$x1: NanoCore.ClientPluginHost 0x104f8a:$x2: IClientNetworkHost 0x108a7b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x113b01:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x11fb70:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12aeaf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: SK TAX INV.exe PID: 3980	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SK TAX INV.exe PID: 3980	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: SK TAX INV.exe PID: 3980	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x104c1a:$a: NanoCore 0x104c2a:$a: NanoCore 0x104ce9:$a: NanoCore 0x104cf8:$a: NanoCore 0x104ef9:$a: NanoCore 0x104f0d:$a: NanoCore 0x104f4d:$a: NanoCore 0x11016b:$a: NanoCore 0x11017d:$a: NanoCore 0x1101b9:$a: NanoCore 0x11c1da:$a: NanoCore 0x11c1ec:$a: NanoCore 0x11c228:$a: NanoCore 0x127519:$a: NanoCore 0x12752b:$a: NanoCore 0x127567:$a: NanoCore 0x104c79:$b: ClientPlugin 0x104d42:$b: ClientPlugin 0x104f16:$b: ClientPlugin 0x104f56:$b: ClientPlugin 0x110186:$b: ClientPlugin
Process Memory Space: SK TAX INV.exe PID: 6636	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x46b66:$x1: NanoCore.ClientPluginHost 0xaae68:$x1: NanoCore.ClientPluginHost 0x46ba3:$x2: IClientNetworkHost 0xaaea5:$x2: IClientNetworkHost 0x4a694:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5571a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: SK TAX INV.exe PID: 6636	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: SK TAX INV.exe PID: 6636	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3095f:$a: NanoCore 0x30a07:$a: NanoCore 0x46833:$a: NanoCore 0x46843:$a: NanoCore 0x46902:$a: NanoCore 0x46911:$a: NanoCore 0x46b12:$a: NanoCore 0x46b26:$a: NanoCore 0x46b66:$a: NanoCore 0x51d84:$a: NanoCore 0x51d96:$a: NanoCore 0x51dd2:$a: NanoCore 0x7bc54:$a: NanoCore 0x7bc68:$a: NanoCore 0x9106a:$a: NanoCore 0x91112:$a: NanoCore 0xaae2b:$a: NanoCore 0xaae43:$a: NanoCore 0xaae68:$a: NanoCore 0xaf5fa:$a: NanoCore 0xaf610:$a: NanoCore
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.SK TAX INV.exe.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.SK TAX INV.exe.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.0.SK TAX INV.exe.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.SK TAX INV.exe.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
3.0.SK TAX INV.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.SK TAX INV.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.0.SK TAX INV.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.SK TAX INV.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
3.0.SK TAX INV.exe.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.SK TAX INV.exe.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.0.SK TAX INV.exe.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.SK TAX INV.exe.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.SK TAX INV.exe.3b43e10.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.SK TAX INV.exe.3b43e10.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.SK TAX INV.exe.3b43e10.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.SK TAX INV.exe.3b43e10.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
3.0.SK TAX INV.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.SK TAX INV.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.0.SK TAX INV.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.SK TAX INV.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.SK TAX INV.exe.3b113f0.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.SK TAX INV.exe.3b113f0.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.SK TAX INV.exe.3b113f0.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.SK TAX INV.exe.3b113f0.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.SK TAX INV.exe.29071c8.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
3.0.SK TAX INV.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.SK TAX INV.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.0.SK TAX INV.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.SK TAX INV.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.SK TAX INV.exe.2995604.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SK TAX INV.exe.3b43e10.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.SK TAX INV.exe.3b43e10.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.SK TAX INV.exe.3b43e10.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.SK TAX INV.exe.3b113f0.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x753cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x7540a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x78f3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.SK TAX INV.exe.3b113f0.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.SK TAX INV.exe.3b113f0.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0x75135:$a: NanoCore 0x75145:$a: NanoCore 0x75379:$a: NanoCore 0x7538d:$a: NanoCore 0x753cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin
Click to see the 31 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\SK TAX INV.exe, ProcessId: 6636, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\SK TAX INV.exe, ProcessId: 6636, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\SK TAX INV.exe, ProcessId: 6636, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\SK TAX INV.exe, ProcessId: 6636, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.SK TAX INV.exe.3b43e10.5.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "f4157c11-54e5-4893-8a60-6856b847", "Group": "Default", "Domain1": "dera31.ddns.net", "Domain2": "195.133.18.211", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for submitted file

Show sources

Source: SK TAX INV.exe	Virustotal: Detection: 17%			Perma Link
Source: SK TAX INV.exe	ReversingLabs: Detection: 11%

Multi AV Scanner detection for domain / URL

Show sources

Source: dera31.ddns.net	Virustotal: Detection: 6%	Perma Link
Source: dera31.ddns.net	Virustotal: Detection: 6%	Perma Link
Source: 195.133.18.211	Virustotal: Detection: 6%	Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Virustotal: Detection: 17%			Perma Link
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 20%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 3.0.SK TAX INV.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SK TAX INV.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SK TAX INV.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SK TAX INV.exe.3b43e10.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SK TAX INV.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SK TAX INV.exe.3b113f0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SK TAX INV.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SK TAX INV.exe.3b43e10.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SK TAX INV.exe.3b113f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SK TAX INV.exe PID: 3980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SK TAX INV.exe PID: 6636, type: MEMORYSTR

Source: 3.0.SK TAX INV.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.SK TAX INV.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.SK TAX INV.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.SK TAX INV.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.SK TAX INV.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: SK TAX INV.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: SK TAX INV.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 194.85.248.250:1187
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49778 -> 194.85.248.250:1187
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49779 -> 194.85.248.250:1187
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49780 -> 194.85.248.250:1187
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49783 -> 194.85.248.250:1187
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49784 -> 194.85.248.250:1187
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49785 -> 194.85.248.250:1187
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49793 -> 194.85.248.250:1187
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49821 -> 194.85.248.250:1187
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49824 -> 194.85.248.250:1187
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49829 -> 194.85.248.250:1187
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49831 -> 194.85.248.250:1187
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49853 -> 194.85.248.250:1187
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49856 -> 194.85.248.250:1187
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49857 -> 194.85.248.250:1187
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49859 -> 194.85.248.250:1187
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49863 -> 194.85.248.250:1187
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49864 -> 194.85.248.250:1187
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49865 -> 194.85.248.250:1187
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49866 -> 194.85.248.250:1187

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: dera31.ddns.net
Source: Malware configuration extractor	URLs: 195.133.18.211

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: dera31.ddns.net

Source: Joe Sandbox View

ASN Name: DATACENTERRO DATACENTERRO

Source: global traffic

TCP traffic: 192.168.2.4:49777 -> 194.85.248.250:1187

Source: SK TAX INV.exe, 00000000.00000002.668327294.00000000028A1000.00000004.00000001.sdmp, SK TAX INV.exe, 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: unknown

DNS traffic detected: queries for: dera31.ddns.net

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 3.0.SK TAX INV.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SK TAX INV.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SK TAX INV.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SK TAX INV.exe.3b43e10.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SK TAX INV.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SK TAX INV.exe.3b113f0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SK TAX INV.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SK TAX INV.exe.3b43e10.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SK TAX INV.exe.3b113f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SK TAX INV.exe PID: 3980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SK TAX INV.exe PID: 6636, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 3.0.SK TAX INV.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.SK TAX INV.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.SK TAX INV.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.SK TAX INV.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.SK TAX INV.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.SK TAX INV.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.SK TAX INV.exe.3b43e10.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SK TAX INV.exe.3b43e10.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.SK TAX INV.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.SK TAX INV.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.SK TAX INV.exe.3b113f0.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SK TAX INV.exe.3b113f0.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.SK TAX INV.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.SK TAX INV.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.SK TAX INV.exe.3b43e10.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SK TAX INV.exe.3b43e10.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.SK TAX INV.exe.3b113f0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SK TAX INV.exe.3b113f0.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SK TAX INV.exe PID: 3980, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: SK TAX INV.exe PID: 3980, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SK TAX INV.exe PID: 6636, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: SK TAX INV.exe PID: 6636, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: SK TAX INV.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 3.0.SK TAX INV.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.SK TAX INV.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.SK TAX INV.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.SK TAX INV.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.SK TAX INV.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.SK TAX INV.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.SK TAX INV.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.SK TAX INV.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.SK TAX INV.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.SK TAX INV.exe.3b43e10.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.SK TAX INV.exe.3b43e10.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SK TAX INV.exe.3b43e10.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.SK TAX INV.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.SK TAX INV.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.SK TAX INV.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.SK TAX INV.exe.3b113f0.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.SK TAX INV.exe.3b113f0.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SK TAX INV.exe.3b113f0.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.SK TAX INV.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.SK TAX INV.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.SK TAX INV.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.SK TAX INV.exe.3b43e10.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.SK TAX INV.exe.3b43e10.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.SK TAX INV.exe.3b113f0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.SK TAX INV.exe.3b113f0.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: SK TAX INV.exe PID: 3980, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: SK TAX INV.exe PID: 3980, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: SK TAX INV.exe PID: 6636, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: SK TAX INV.exe PID: 6636, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\SK TAX INV.exe	Code function: 0_2_00426BFF	0_2_00426BFF
Source: C:\Users\user\Desktop\SK TAX INV.exe	Code function: 0_2_00DF8250	0_2_00DF8250
Source: C:\Users\user\Desktop\SK TAX INV.exe	Code function: 0_2_00DFD2E8	0_2_00DFD2E8

Source: SK TAX INV.exe	Binary or memory string: OriginalFilename vs SK TAX INV.exe
Source: SK TAX INV.exe, 00000000.00000002.671989261.0000000005CF0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dll@ vs SK TAX INV.exe
Source: SK TAX INV.exe, 00000000.00000002.668843928.00000000038AD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dll@ vs SK TAX INV.exe
Source: SK TAX INV.exe, 00000000.00000002.671752533.0000000005760000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameInnerException.dll" vs SK TAX INV.exe
Source: SK TAX INV.exe, 00000000.00000002.668327294.00000000028A1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameInnerException.dll" vs SK TAX INV.exe
Source: SK TAX INV.exe, 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameInnerException.dll" vs SK TAX INV.exe
Source: SK TAX INV.exe, 00000003.00000003.684774036.00000000012F3000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs SK TAX INV.exe
Source: SK TAX INV.exe	Binary or memory string: OriginalFilenameTypeLibTypeAttribu.exe. vs SK TAX INV.exe

Source: SK TAX INV.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: SK TAX INV.exe	Virustotal: Detection: 17%
Source: SK TAX INV.exe	ReversingLabs: Detection: 11%

Source: C:\Users\user\Desktop\SK TAX INV.exe

File read: C:\Users\user\Desktop\SK TAX INV.exe:Zone.Identifier

Jump to behavior

Source: SK TAX INV.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SK TAX INV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SK TAX INV.exe "C:\Users\user\Desktop\SK TAX INV.exe"
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process created: C:\Users\user\Desktop\SK TAX INV.exe C:\Users\user\Desktop\SK TAX INV.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process created: C:\Users\user\Desktop\SK TAX INV.exe C:\Users\user\Desktop\SK TAX INV.exe	Jump to behavior

Source: C:\Users\user\Desktop\SK TAX INV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\SK TAX INV.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SK TAX INV.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/7@20/1

Source: 3.0.SK TAX INV.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.0.SK TAX INV.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.0.SK TAX INV.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.0.SK TAX INV.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.0.SK TAX INV.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.0.SK TAX INV.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.0.SK TAX INV.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.0.SK TAX INV.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.0.SK TAX INV.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.0.SK TAX INV.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\SK TAX INV.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\SK TAX INV.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{f4157c11-54e5-4893-8a60-6856b8471d8c}
Source: C:\Users\user\Desktop\SK TAX INV.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Source: C:\Users\user\Desktop\SK TAX INV.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: SK TAX INV.exe	String found in binary or memory: /TypeLibTypeAttribu;component/views/addbook.xaml
Source: SK TAX INV.exe	String found in binary or memory: views/addbook.baml
Source: SK TAX INV.exe	String found in binary or memory: views/addcustomer.baml
Source: SK TAX INV.exe	String found in binary or memory: /TypeLibTypeAttribu;component/views/addcustomer.xaml
Source: SK TAX INV.exe	String found in binary or memory: a/TypeLibTypeAttribu;component/views/addbook.xamlw/TypeLibTypeAttribu;component/views/borrowfrombookview.xamlm/TypeLibTypeAttribu;component/views/borrowingview.xamlg/TypeLibTypeAttribu;component/views/changebook.xamlo/TypeLibTypeAttribu;component/views/changecustomer.xamlk/TypeLibTypeAttribu;component/views/customerview.xamlo/TypeLibTypeAttribu;component/views/deletecustomer.xamle/TypeLibTypeAttribu;component/views/errorview.xamli/TypeLibTypeAttribu;component/views/smallextras.xamli/TypeLibTypeAttribu;component/views/addcustomer.xaml
Source: SK TAX INV.exe	String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml

Source: 3.0.SK TAX INV.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.SK TAX INV.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.SK TAX INV.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.0.SK TAX INV.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.SK TAX INV.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.SK TAX INV.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.0.SK TAX INV.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.SK TAX INV.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.SK TAX INV.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\SK TAX INV.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SK TAX INV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SK TAX INV.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: SK TAX INV.exe, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.SK TAX INV.exe.420000.0.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.SK TAX INV.exe.420000.0.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.3.dr, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.SK TAX INV.exe.b10000.5.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.SK TAX INV.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.SK TAX INV.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.SK TAX INV.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.SK TAX INV.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.SK TAX INV.exe.b10000.1.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.SK TAX INV.exe.b10000.2.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.SK TAX INV.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.SK TAX INV.exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.SK TAX INV.exe.b10000.7.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.SK TAX INV.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.SK TAX INV.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.SK TAX INV.exe.b10000.9.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.SK TAX INV.exe.b10000.13.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.SK TAX INV.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.SK TAX INV.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.SK TAX INV.exe.b10000.11.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.SK TAX INV.exe.b10000.0.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.SK TAX INV.exe.b10000.3.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.dhcpmon.exe.920000.0.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.dhcpmon.exe.920000.0.unpack, Biblan/Views/MainWindow.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\SK TAX INV.exe	Code function: 0_2_00429347 push ds; ret	0_2_0042934C
Source: C:\Users\user\Desktop\SK TAX INV.exe	Code function: 0_2_00429361 push ds; retf	0_2_00429364
Source: C:\Users\user\Desktop\SK TAX INV.exe	Code function: 0_2_004292F5 push ds; ret	0_2_00429340

Source: initial sample	Static PE information: section name: .text entropy: 7.87847086948
Source: initial sample	Static PE information: section name: .text entropy: 7.87847086948

Source: 3.0.SK TAX INV.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.0.SK TAX INV.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 3.0.SK TAX INV.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.0.SK TAX INV.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 3.0.SK TAX INV.exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.0.SK TAX INV.exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 3.0.SK TAX INV.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.0.SK TAX INV.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 3.0.SK TAX INV.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.0.SK TAX INV.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\SK TAX INV.exe

File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\SK TAX INV.exe

File opened: C:\Users\user\Desktop\SK TAX INV.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0.2.SK TAX INV.exe.29071c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SK TAX INV.exe.2995604.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.668327294.00000000028A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SK TAX INV.exe PID: 3980, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: SK TAX INV.exe, 00000000.00000002.668327294.00000000028A1000.00000004.00000001.sdmp, SK TAX INV.exe, 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SK TAX INV.exe, 00000000.00000002.668327294.00000000028A1000.00000004.00000001.sdmp, SK TAX INV.exe, 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6676	Thread sleep count: 684 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680	Thread sleep time: -239859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6676	Thread sleep count: 1731 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 3184	Thread sleep time: -31962s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680	Thread sleep time: -239742s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680	Thread sleep time: -239641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680	Thread sleep time: -239500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680	Thread sleep time: -239390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680	Thread sleep time: -239280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680	Thread sleep time: -239155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680	Thread sleep time: -239047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680	Thread sleep time: -238937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680	Thread sleep time: -238828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680	Thread sleep time: -238717s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680	Thread sleep time: -238250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680	Thread sleep time: -237406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680	Thread sleep time: -237063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680	Thread sleep time: -236750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680	Thread sleep time: -236422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 6680	Thread sleep time: -236312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe TID: 5912	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 239859	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 239742	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 239641	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 239500	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 239390	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 239280	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 239155	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 239047	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 238937	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 238828	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 238717	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 238250	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 237406	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 237063	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 236750	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 236422	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 236312	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\SK TAX INV.exe	Window / User API: threadDelayed 684	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Window / User API: threadDelayed 1731	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Window / User API: threadDelayed 2909	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Window / User API: threadDelayed 6615	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Window / User API: foregroundWindowGot 671	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Window / User API: foregroundWindowGot 704	Jump to behavior

Source: C:\Users\user\Desktop\SK TAX INV.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 239859	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 31962	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 239742	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 239641	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 239500	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 239390	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 239280	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 239155	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 239047	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 238937	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 238828	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 238717	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 238250	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 237406	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 237063	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 236750	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 236422	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 236312	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: SK TAX INV.exe, 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: SK TAX INV.exe, 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SK TAX INV.exe, 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: SK TAX INV.exe, 00000003.00000003.732893418.00000000012B9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SK TAX INV.exe, 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\SK TAX INV.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SK TAX INV.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SK TAX INV.exe

Process created: C:\Users\user\Desktop\SK TAX INV.exe C:\Users\user\Desktop\SK TAX INV.exe

Jump to behavior

Source: C:\Users\user\Desktop\SK TAX INV.exe	Queries volume information: C:\Users\user\Desktop\SK TAX INV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Queries volume information: C:\Users\user\Desktop\SK TAX INV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SK TAX INV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SK TAX INV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\SK TAX INV.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 3.0.SK TAX INV.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SK TAX INV.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SK TAX INV.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SK TAX INV.exe.3b43e10.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SK TAX INV.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SK TAX INV.exe.3b113f0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SK TAX INV.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SK TAX INV.exe.3b43e10.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SK TAX INV.exe.3b113f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SK TAX INV.exe PID: 3980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SK TAX INV.exe PID: 6636, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: SK TAX INV.exe, 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: SK TAX INV.exe, 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: SK TAX INV.exe, 00000003.00000003.684774036.00000000012F3000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 3.0.SK TAX INV.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SK TAX INV.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SK TAX INV.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SK TAX INV.exe.3b43e10.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SK TAX INV.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SK TAX INV.exe.3b113f0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SK TAX INV.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SK TAX INV.exe.3b43e10.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SK TAX INV.exe.3b113f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SK TAX INV.exe PID: 3980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SK TAX INV.exe PID: 6636, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Path Interception	Process Injection11	Masquerading2	OS Credential Dumping	Security Software Discovery211	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter2	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection11	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery12	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol21	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SK TAX INV.exe	18%	Virustotal		Browse
SK TAX INV.exe	11%	ReversingLabs	Win32.Trojan.AgentTesla

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	18%	Virustotal		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	20%	ReversingLabs	Win32.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.0.SK TAX INV.exe.400000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.SK TAX INV.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.SK TAX INV.exe.400000.12.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.SK TAX INV.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.SK TAX INV.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

Source	Detection	Scanner	Label	Link
dera31.ddns.net	6%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
dera31.ddns.net	6%	Virustotal		Browse
dera31.ddns.net	0%	Avira URL Cloud	safe
195.133.18.211	6%	Virustotal		Browse
195.133.18.211	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dera31.ddns.net	194.85.248.250	true	true	6%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
dera31.ddns.net	true	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
195.133.18.211	true	6%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SK TAX INV.exe, 00000000.00000002.668327294.00000000028A1000.00000004.00000001.sdmp, SK TAX INV.exe, 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.85.248.250	dera31.ddns.net	Russian Federation		35478	DATACENTERRO	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528510
Start date:	25.11.2021
Start time:	11:55:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SK TAX INV.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/7@20/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 1
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:56:12	API Interceptor	1029x Sleep call for process: SK TAX INV.exe modified
11:56:20	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
194.85.248.250	CV.exe	Get hash	malicious	Browse
	INV.exe	Get hash	malicious	Browse
	CV.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
dera31.ddns.net	CV.exe	Get hash	malicious	Browse	194.85.248.250
	INV.exe	Get hash	malicious	Browse	194.85.248.250
	CV.exe	Get hash	malicious	Browse	194.85.248.250
	circular_11_17_21.exe	Get hash	malicious	Browse	195.133.18.211
	Bank Report.exe	Get hash	malicious	Browse	195.133.18.211
	cliff.kuhfeldt's CV.exe	Get hash	malicious	Browse	195.133.18.211
	Jessica Ohnesorge'CV.exe	Get hash	malicious	Browse	195.133.18.211
	Change Of Registration Form.exe	Get hash	malicious	Browse	195.133.18.211
	Payment invoice.exe	Get hash	malicious	Browse	195.133.18.211
	Wire Transfer Slip.exe	Get hash	malicious	Browse	195.133.18.211
	Advise.exe	Get hash	malicious	Browse	195.133.18.211
	Bank Report.exe	Get hash	malicious	Browse	195.133.18.211
	N5HlpHINh2.exe	Get hash	malicious	Browse	195.133.18.211
	BL draft.exe	Get hash	malicious	Browse	195.133.18.211

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DATACENTERRO	xA7ry4Ewuk.exe	Get hash	malicious	Browse	194.85.248.167
	Sales Pro forma invoice_SO0005303101427.docx	Get hash	malicious	Browse	194.85.248.219
	Statement from QNB.exe	Get hash	malicious	Browse	194.85.248.156
	CV.exe	Get hash	malicious	Browse	194.85.248.250
	INV.exe	Get hash	malicious	Browse	194.85.248.250
	CV.exe	Get hash	malicious	Browse	194.85.248.250
	TMR590241368.exe	Get hash	malicious	Browse	194.85.248.115
	vIyyHkRXJn	Get hash	malicious	Browse	194.85.250.154
	267A80yAhp	Get hash	malicious	Browse	194.85.250.154
	QJYxAALd23	Get hash	malicious	Browse	194.85.250.154
	z4bJfjXDDQ	Get hash	malicious	Browse	194.85.250.154
	XXaLHoecGp	Get hash	malicious	Browse	194.85.250.154
	AGiCic4uDz	Get hash	malicious	Browse	194.85.250.154
	3B3BMxYG8n	Get hash	malicious	Browse	194.85.250.154
	6WMo1OYmk3	Get hash	malicious	Browse	194.85.250.154
	dycuTng5W8	Get hash	malicious	Browse	194.85.250.154
	xINX4f5M8s	Get hash	malicious	Browse	194.85.250.154
	SSIuSyaBAF	Get hash	malicious	Browse	194.85.250.154
	IMG600094173852.exe	Get hash	malicious	Browse	194.85.248.115
	cdQc14SeRu	Get hash	malicious	Browse	194.85.248.128

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\Desktop\SK TAX INV.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	493568
Entropy (8bit):	7.8676652949902195
Encrypted:	false
SSDEEP:	12288:D1UFM0gixBFm0Ud7zqdz66fMPZl2t4v0f1zo0naysDDayUyhD2:D18M0gi1Kd73LD2tp3HwDRUyhD
MD5:	C2EE32F9D7DE6B05472CEDA926FD0A6F
SHA1:	D4455AC7EC0C49769B645E7471989BD7EE29F6FC
SHA-256:	84B9FEF1F2C0DD3E8F8DC93CF6574D30E2C6E5BC819599FEA60C71876DF0278D
SHA-512:	7BD853A9B3B14FEDC2CB4F14859E2A38F4AB38A6A6AAA5EA2C44BAB5D0EDF488F3BD422E8DA61DD74429E4508C09C8D0349E4995E0C8900F57E4FCD90B8004D3
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 18%, Browse Antivirus: ReversingLabs, Detection: 20%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...dE.a..............0..~.............. ........@.. ....................................@.................................p...O.................................................................................... ............... ..H............text....\|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B........................H........e..Xv..............p.............................................{ .....{!.....{".....{#.....($.....} .....}!.....}"......}#.......0..s........u........f.,`(%....{ ....{ ...o&...,H('....{!....{!...o(...,0()....{"....{"...o...,.(+....{#....{#...o,...+..+....0..b....... .@d )UU.Z(%....{ ...o-...X )UU.Z('....{!...o....X )UU.Z()....{"...o/...X )UU.Z(+....{#...o0...X...0...........r...p......%..{ ......%q.........-.&.+.......o1....%..{!......%q.........-.&.+.....

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\SK TAX INV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SK TAX INV.exe.log Download File
Process:	C:\Users\user\Desktop\SK TAX INV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2239
Entropy (8bit):	5.354287817410997
Encrypted:	false
SSDEEP:	48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvr1qHXHK2HKgmHKovjHKs:iqXeqm00YqhQnouRqjntIxHeqzTw3q2W
MD5:	913D1EEA179415C6D08FB255AE42B99D
SHA1:	E994C612C0596994AAE55FBCE35B7A4FBE312FD7
SHA-256:	473B4000084ACF4C7D701CE72EBF71BD304054231B3BDF7CAF49898A1FDA13D0
SHA-512:	768045C288CEEE8FE1A099FC8CEA713B685F6ED3FD8BFA1C8E64CA09F7AF9FEBEA90F5277B28444AFF8F2AC7CD857DFCDF7D3A98CD86288925DB7A4A42346185
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\SK TAX INV.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.117516745217376
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7V9Nhyleajl0fuONKcpMe5i:X4LEnybgCFCtvd7V9NYRj+GONKaMv
MD5:	CF55DF705B79F961ED069D8E84D2AF1C
SHA1:	574CDF36753CF356A25872BCCAA3CC6FFCD5D23F
SHA-256:	DF982E10764D21FCB1469EB6EA1175AC69544C68900B0DD8C79A0FE8A8F300F5
SHA-512:	518A037DF1D6FBC8A296DA5B96B67E073FB1F674090AFE3243E52A65B169DE35FC041C2C05F7EEF9EC74A0100A422E53B3D7D920E5ADF6CE42B82FE94244F5DE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL...Q.F...@.h.......y.[....e..<..n....B...PP...azZ).~..Uj.>..H.b.O..AX.E.S&.O.k.3O'.Lge...$..teI....Hw.CT.].Z.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\SK TAX INV.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:Moqn:Moq
MD5:	91513139ABA0F3219DD4AA39A2E0A8A1
SHA1:	F5DBA8D934ECEA79560BCF4FD578CFA1E90CD872
SHA-256:	F3708BADFB95D6F51D0611DA1DEDDD44676D73D5075C2E358F843C0AC6AA4FEB
SHA-512:	BB0CDA8E32B96AA07E5365C7AA0416F256ADA772D8C02BF70611007603895E2248034984696E6B579314B7F0EBCA8674AAB58F52B2370B4923868EB34B68AB96
Malicious:	true
Reputation:	low
Preview:	^..4...H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Users\user\Desktop\SK TAX INV.exe
File Type:	data
Category:	modified
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Users\user\Desktop\SK TAX INV.exe
File Type:	data
Category:	dropped
Size (bytes):	315080
Entropy (8bit):	7.999403263872478
Encrypted:	true
SSDEEP:	6144:m8aeVE5MlgWfxwY/8uvJYRDMVpXUhXQrEBPgzC2D4Toqhs22DJM+iaPnW:mfwiMdxwYEYyWzw0TqC2kM+lnW
MD5:	981C80683A41E2D9DD9C297DAA691C54
SHA1:	7A1F5DDFFB3E630FE19E19F6AA923427DE72217B
SHA-256:	6C67B680BB9CF41F30C37D791D9EE52582977C1D9D5696FEAE1613FC0C5E2DBE
SHA-512:	72E4198AE2A65B7E1698925DF537CBA63A2877677C7C8FEA475E52B99E631272CFBEDCD5A4E1949EB7F8073C01229E89CCCD1ABBFD8832533346A6568750ADAE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..f# ....)1\.....5....;.T..u.. .3.Xd... ....u(..._.V.{L..Y.8....~...S79.f0V...=.}...SJg\|.lh.J..^Ge.........3h?n..:..r....,o."a.I....\..0Z.D..........^....[..f.I....@/_..".5+...I...J`./s..p-.....c..?..... .&.....>.Ye$=.pG.....9D...'7.w.a.[3.d.-..V..]..B.b.zA?..M..3...%A....K5@.. j.U.h.B....'...0."..u.V...d..c,r"..@9.9.>..cDgP~d9..St...{..24.s.'.....9.D..P4.....I...G..G5......u.-2...z1[.....C..n.6.!..'.%@&.l4..P..rc+vq..C5B.b..j.W,..T..z......)BX4...>A.~#..A....8..B....5....w....GC..........y......7...?.T.....!.....7A.........C.3......A.....hC..5'..42..zS.*2.m7....A.'/.R..X....}e...>........}...n.A...4..?.P.l..n.0.I`...".d1.(e\|..f.....i.9.#...n..+..l....Xz.q...6".Hl...+...1^pgs...%.FR.T....(...=.rHX.d.9%...?..f?.Q.yi.D9/>....V..5......q...nP'...S.Y.....pu.!..-..\..\|/....V.......NX....../.8..V.0.5`m$.{b..lw.K.3-..C3...-.2.Qb.....o...6z....`H...(..o.ag.-7../F..RoI..O#.u\|.U.@....$;.....s.~.M...j?...q#.l..y..M.[../.....=T.......5HX.QJ...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.8676652949902195
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SK TAX INV.exe
File size:	493568
MD5:	c2ee32f9d7de6b05472ceda926fd0a6f
SHA1:	d4455ac7ec0c49769b645e7471989bd7ee29f6fc
SHA256:	84b9fef1f2c0dd3e8f8dc93cf6574d30e2c6e5bc819599fea60c71876df0278d
SHA512:	7bd853a9b3b14fedc2cb4f14859e2a38f4ab38a6a6aaa5ea2c44bab5d0edf488f3bd422e8da61dd74429e4508c09c8d0349e4995e0c8900f57e4fcd90b8004d3
SSDEEP:	12288:D1UFM0gixBFm0Ud7zqdz66fMPZl2t4v0f1zo0naysDDayUyhD2:D18M0gi1Kd73LD2tp3HwDRUyhD
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...dE.a..............0..~............... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x479cc2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x619F4564 [Thu Nov 25 08:12:20 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [ebp+0800000Eh], ch
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x79c70	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7a000	0x5ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x77cd8	0x77e00	False	0.894757315563	data	7.87847086948	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x7a000	0x5ec	0x600	False	0.438151041667	data	4.21773046757	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7c000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x7a090	0x35c	data
RT_MANIFEST	0x7a3fc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Rogers Peet
Assembly Version	8.0.6.0
InternalName	TypeLibTypeAttribu.exe
FileVersion	5.6.0.0
CompanyName	Rogers Peet
LegalTrademarks
Comments
ProductName	Biblan
ProductVersion	5.6.0.0
FileDescription	Biblan
OriginalFilename	TypeLibTypeAttribu.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/25/21-11:56:19.002612	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	49714	8.8.8.8	192.168.2.4
11/25/21-11:56:19.127979	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49777	1187	192.168.2.4	194.85.248.250
11/25/21-11:56:23.493869	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	58028	8.8.8.8	192.168.2.4
11/25/21-11:56:23.526666	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49778	1187	192.168.2.4	194.85.248.250
11/25/21-11:56:31.344296	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	53097	8.8.8.8	192.168.2.4
11/25/21-11:56:31.408131	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49779	1187	192.168.2.4	194.85.248.250
11/25/21-11:56:37.956129	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	49257	8.8.8.8	192.168.2.4
11/25/21-11:56:38.014996	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49780	1187	192.168.2.4	194.85.248.250
11/25/21-11:56:43.972123	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49783	1187	192.168.2.4	194.85.248.250
11/25/21-11:56:51.220530	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49784	1187	192.168.2.4	194.85.248.250
11/25/21-11:56:57.214815	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49785	1187	192.168.2.4	194.85.248.250
11/25/21-11:57:03.772463	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49793	1187	192.168.2.4	194.85.248.250
11/25/21-11:57:10.856473	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49821	1187	192.168.2.4	194.85.248.250
11/25/21-11:57:17.160697	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	51255	8.8.8.8	192.168.2.4
11/25/21-11:57:17.190251	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49824	1187	192.168.2.4	194.85.248.250
11/25/21-11:57:22.257795	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	52337	8.8.8.8	192.168.2.4
11/25/21-11:57:22.287984	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49829	1187	192.168.2.4	194.85.248.250
11/25/21-11:57:29.921734	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	55046	8.8.8.8	192.168.2.4
11/25/21-11:57:29.951099	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49831	1187	192.168.2.4	194.85.248.250
11/25/21-11:57:36.010921	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49853	1187	192.168.2.4	194.85.248.250
11/25/21-11:57:42.243149	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	49285	8.8.8.8	192.168.2.4
11/25/21-11:57:42.274632	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49856	1187	192.168.2.4	194.85.248.250
11/25/21-11:57:48.301653	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50601	8.8.8.8	192.168.2.4
11/25/21-11:57:48.330829	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49857	1187	192.168.2.4	194.85.248.250
11/25/21-11:57:53.343018	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49859	1187	192.168.2.4	194.85.248.250
11/25/21-11:57:59.367307	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	62420	8.8.8.8	192.168.2.4
11/25/21-11:57:59.485426	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49863	1187	192.168.2.4	194.85.248.250
11/25/21-11:58:06.648552	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49864	1187	192.168.2.4	194.85.248.250
11/25/21-11:58:11.655619	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49865	1187	192.168.2.4	194.85.248.250
11/25/21-11:58:17.612799	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49866	1187	192.168.2.4	194.85.248.250

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 11:56:19.011879921 CET	49777	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:19.039516926 CET	1187	49777	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:19.041583061 CET	49777	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:19.127979040 CET	49777	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:19.188199997 CET	1187	49777	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:19.197592020 CET	49777	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:19.225462914 CET	1187	49777	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:19.276729107 CET	49777	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:19.305382967 CET	1187	49777	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:19.354899883 CET	49777	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:19.405925035 CET	49777	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:23.496416092 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:23.525118113 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:23.525358915 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:23.526665926 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:23.608026981 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:23.630558014 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:23.631059885 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:23.661622047 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:23.714677095 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:23.850044012 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:23.930211067 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.080091000 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.080143929 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.080183983 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.080221891 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.080296040 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.080348969 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.116147041 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.116200924 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.116239071 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.116276979 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.116314888 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.116314888 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.116349936 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.116355896 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.116396904 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.116406918 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.116437912 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.116478920 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.144262075 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.144313097 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.144352913 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.144392014 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.144429922 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.144445896 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.144468069 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.144478083 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.144507885 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.144511938 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.144545078 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.144583941 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.144598961 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.144622087 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.144660950 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.144675016 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.144701004 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.144737959 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.144752026 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.144776106 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.144815922 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.144829035 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.144882917 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.144934893 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.175323963 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.175379038 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.175420046 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.175461054 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.175501108 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.175501108 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.175539017 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.175540924 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.175581932 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.175609112 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.175636053 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.175677061 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.175685883 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.175718069 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.175754070 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.175766945 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.175792933 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.175832033 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.175839901 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.175868988 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.175910950 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.175920010 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.175955057 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.175993919 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.176008940 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.176033974 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.176069975 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.176085949 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.176109076 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.176146984 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.176156044 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.176186085 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.176223993 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.176238060 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.176263094 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.176301956 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.176310062 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.176343918 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.176383018 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.176398039 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.176422119 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.176461935 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.176470041 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.176501036 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.176541090 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.176551104 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.176580906 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.176629066 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.207313061 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.207369089 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.207411051 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.207448006 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.207499027 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.207514048 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.207539082 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.207545996 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.207578897 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.207607985 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.207618952 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.207655907 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.207674026 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.207698107 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.207737923 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.207751989 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.207776070 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.207814932 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.207828999 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.207854033 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.207896948 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.207912922 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.207937002 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.207987070 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208003044 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.208024979 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208065033 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208079100 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.208101988 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208141088 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208154917 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.208179951 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208215952 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208231926 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.208256006 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208293915 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208307981 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.208332062 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208372116 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208385944 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.208409071 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208446980 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208461046 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.208486080 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208523035 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208534956 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.208560944 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208600044 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208611965 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.208637953 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208678007 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208690882 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.208714962 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208753109 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208767891 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.208792925 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208828926 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208846092 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.208898067 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208940029 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.208959103 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.208977938 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.209017992 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.209033012 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.209058046 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.209095001 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.209106922 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.209134102 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.209172010 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.209209919 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.209233046 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.209264040 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.237495899 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.237556934 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.237596035 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.237636089 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.237677097 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.237692118 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.237715006 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.237729073 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.237756968 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.237796068 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.237799883 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.237835884 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.237879038 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.237886906 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.237926960 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.237968922 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.237987041 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238024950 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238053083 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.238064051 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238101959 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238136053 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.238140106 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238182068 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238213062 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.238219976 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238260031 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238291025 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.238298893 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238339901 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238367081 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.238379002 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238418102 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238442898 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.238459110 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238500118 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238538980 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238578081 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238581896 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.238616943 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238653898 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238692045 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238714933 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.238729954 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238770008 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238795042 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.238810062 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238847017 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238848925 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.238884926 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238902092 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.238926888 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.238962889 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.239001036 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.239010096 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.239039898 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.239062071 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.239079952 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.239120007 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.239156961 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.239192009 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.239197016 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.239236116 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.239270926 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.239273071 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.239312887 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.239320993 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.239351034 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.239391088 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.239392042 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.239483118 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.273179054 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.273233891 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.273272991 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.273302078 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.273313046 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.273353100 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.273360968 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.273391962 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.273432016 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.273436069 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.273469925 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.273509979 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.273514032 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.273549080 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.273586035 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.273592949 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.273626089 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.273664951 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.273673058 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.273703098 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.273741961 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.273760080 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.273778915 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.273818016 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.273822069 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.273855925 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.273895025 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.273901939 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.273932934 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.273971081 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.273979902 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.274009943 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274049044 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274055958 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.274086952 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274125099 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274131060 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.274178028 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274214029 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274223089 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.274252892 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274292946 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274298906 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.274332047 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274369955 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274375916 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.274409056 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274446964 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274452925 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.274487019 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274523973 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274533987 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.274564981 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274602890 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274611950 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.274641037 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274678946 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274683952 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.274717093 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274761915 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.274816036 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274857044 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274898052 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274904966 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.274935007 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.274974108 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.275012016 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.275012970 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.275052071 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.275059938 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.275194883 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.275252104 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.306587934 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.306649923 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.306693077 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.306735039 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.306777954 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.306777954 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.306813955 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.306817055 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.306858063 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.306864977 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.306900978 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.306938887 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.306952953 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.306978941 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307018042 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307025909 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.307056904 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307101965 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307106972 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.307141066 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307179928 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307195902 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.307229996 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307267904 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307277918 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.307307959 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307346106 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307354927 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.307387114 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307427883 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307441950 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.307465076 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307503939 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307511091 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.307542086 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307579994 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307586908 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.307619095 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307657003 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307663918 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.307696104 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307735920 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307743073 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.307775021 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307812929 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307817936 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.307852030 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307898998 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.307900906 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307941914 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307980061 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.307998896 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.308017015 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.308057070 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.308062077 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.308094978 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.308132887 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.308140039 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.308173895 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.308211088 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.308216095 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.308248997 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.308286905 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.308294058 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.308324099 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.308362007 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.308377981 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.308399916 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.308439016 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.308444977 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.308479071 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.308516979 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.308532000 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.308556080 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.308593988 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.308602095 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.308630943 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.308669090 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.308677912 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.308708906 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.308747053 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.308753014 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.308784008 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:24.308835030 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.516253948 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:24.601074934 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:25.256201029 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:25.331156015 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:25.371762037 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:25.459532022 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:25.580811024 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:25.621056080 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:25.648976088 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:25.682441950 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:25.775243044 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:25.775376081 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:25.811562061 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:25.855386972 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:25.883059978 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:25.933523893 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:26.049937010 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:26.105448008 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:26.109340906 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:26.182861090 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:26.186158895 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:26.268455029 CET	1187	49778	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:27.268814087 CET	49778	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:31.379357100 CET	49779	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:31.407011986 CET	1187	49779	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:31.407179117 CET	49779	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:31.408130884 CET	49779	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:31.486176968 CET	1187	49779	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:31.498502016 CET	1187	49779	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:31.498939991 CET	49779	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:31.530711889 CET	1187	49779	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:31.574733973 CET	49779	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:31.706957102 CET	49779	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:31.779186964 CET	1187	49779	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:31.841496944 CET	49779	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:31.911839962 CET	1187	49779	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:31.984256983 CET	1187	49779	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:31.985249996 CET	49779	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:32.013782978 CET	1187	49779	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:32.059179068 CET	49779	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:32.086772919 CET	1187	49779	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:32.087491989 CET	49779	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:32.126899958 CET	1187	49779	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:32.127125978 CET	49779	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:32.165683031 CET	1187	49779	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:32.215440989 CET	49779	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:32.841808081 CET	49779	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:32.931896925 CET	1187	49779	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:33.841578960 CET	49779	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:37.982096910 CET	49780	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:38.014341116 CET	1187	49780	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:38.014441967 CET	49780	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:38.014996052 CET	49780	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:38.091718912 CET	1187	49780	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:38.128983021 CET	1187	49780	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:38.129244089 CET	49780	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:38.158379078 CET	1187	49780	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:38.200227022 CET	49780	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:38.532120943 CET	49780	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:38.614304066 CET	1187	49780	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:38.759258032 CET	1187	49780	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:38.760124922 CET	49780	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:38.790343046 CET	1187	49780	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:38.791387081 CET	49780	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:38.820477009 CET	1187	49780	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:38.820555925 CET	49780	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:38.850534916 CET	1187	49780	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:38.850636005 CET	49780	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:38.926157951 CET	1187	49780	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:39.842261076 CET	49780	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:43.938407898 CET	49783	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:43.970992088 CET	1187	49783	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:43.971085072 CET	49783	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:43.972122908 CET	49783	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:44.023747921 CET	1187	49783	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:44.024240017 CET	49783	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:44.052717924 CET	1187	49783	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:44.106947899 CET	49783	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:44.363641024 CET	49783	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:44.450459003 CET	1187	49783	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:44.616435051 CET	1187	49783	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:44.626842022 CET	49783	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:44.654642105 CET	1187	49783	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:44.658462048 CET	49783	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:44.687272072 CET	1187	49783	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:44.687412024 CET	49783	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:44.720979929 CET	1187	49783	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:44.721123934 CET	49783	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:44.814408064 CET	1187	49783	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:44.892654896 CET	49783	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:44.975272894 CET	1187	49783	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:46.781092882 CET	49783	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:46.859515905 CET	1187	49783	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:47.065407038 CET	49783	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:51.192394972 CET	49784	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:51.219846010 CET	1187	49784	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:51.220000982 CET	49784	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:51.220530033 CET	49784	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:51.298059940 CET	1187	49784	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:51.304531097 CET	1187	49784	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:51.316977024 CET	49784	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:51.344744921 CET	1187	49784	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:51.576375961 CET	49784	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:51.612772942 CET	49784	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:51.697870016 CET	1187	49784	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:51.911709070 CET	1187	49784	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:51.967073917 CET	49784	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:51.994463921 CET	1187	49784	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:51.997807026 CET	49784	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:52.025724888 CET	1187	49784	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:52.028247118 CET	49784	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:52.056140900 CET	1187	49784	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:52.107584000 CET	49784	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:52.129769087 CET	49784	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:52.202416897 CET	1187	49784	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:52.283755064 CET	49784	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:52.360615969 CET	1187	49784	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:53.124447107 CET	49784	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:57.185821056 CET	49785	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:57.213615894 CET	1187	49785	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:57.213818073 CET	49785	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:57.214814901 CET	49785	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:57.267280102 CET	1187	49785	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:57.267543077 CET	49785	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:57.295723915 CET	1187	49785	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:57.342392921 CET	49785	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:57.530957937 CET	49785	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:57.599148989 CET	1187	49785	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:57.724797010 CET	1187	49785	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:57.725680113 CET	49785	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:57.753446102 CET	1187	49785	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:57.765491009 CET	49785	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:57.793709040 CET	1187	49785	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:57.794022083 CET	49785	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:57.822129011 CET	1187	49785	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:57.840032101 CET	49785	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:57.913182974 CET	1187	49785	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:58.139848948 CET	49785	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:58.215282917 CET	1187	49785	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:58.243486881 CET	1187	49785	194.85.248.250	192.168.2.4
Nov 25, 2021 11:56:58.295583963 CET	49785	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:56:59.125045061 CET	49785	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:03.275918007 CET	49793	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:03.307837963 CET	1187	49793	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:03.307957888 CET	49793	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:03.772463083 CET	49793	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:03.819019079 CET	1187	49793	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:03.823889017 CET	49793	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:03.851722002 CET	1187	49793	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:03.967963934 CET	49793	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:04.207578897 CET	49793	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:04.285253048 CET	1187	49793	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:04.396956921 CET	1187	49793	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:04.468080044 CET	49793	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:04.504679918 CET	1187	49793	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:04.577470064 CET	49793	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:05.569777966 CET	49793	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:05.644448996 CET	1187	49793	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:05.644547939 CET	49793	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:05.673083067 CET	1187	49793	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:05.673163891 CET	49793	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:05.700767040 CET	1187	49793	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:05.764986038 CET	49793	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:06.578289986 CET	49793	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:10.827543020 CET	49821	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:10.855596066 CET	1187	49821	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:10.855725050 CET	49821	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:10.856472969 CET	49821	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:10.906008959 CET	1187	49821	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:10.907197952 CET	49821	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:10.936712027 CET	1187	49821	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:10.984209061 CET	49821	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:11.358695030 CET	49821	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:11.436428070 CET	1187	49821	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:11.552953959 CET	1187	49821	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:11.553935051 CET	49821	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:11.585086107 CET	1187	49821	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:11.586049080 CET	49821	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:11.615207911 CET	1187	49821	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:11.615305901 CET	49821	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:11.643261909 CET	1187	49821	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:11.643362999 CET	49821	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:11.721148968 CET	1187	49821	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:11.845655918 CET	49821	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:11.921778917 CET	1187	49821	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:12.895417929 CET	49821	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:17.161636114 CET	49824	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:17.189527035 CET	1187	49824	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:17.189639091 CET	49824	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:17.190251112 CET	49824	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:17.229095936 CET	1187	49824	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:17.281560898 CET	49824	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:17.309398890 CET	1187	49824	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:17.312442064 CET	49824	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:17.344093084 CET	1187	49824	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:17.391104937 CET	49824	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:18.043365002 CET	49824	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:22.259042978 CET	49829	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:22.286876917 CET	1187	49829	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:22.287579060 CET	49829	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:22.287983894 CET	49829	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:22.332451105 CET	1187	49829	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:22.334508896 CET	49829	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:22.363224030 CET	1187	49829	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:22.407044888 CET	49829	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:22.671209097 CET	49829	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:22.749155045 CET	1187	49829	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:22.849644899 CET	1187	49829	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:22.891535044 CET	49829	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:22.919224024 CET	1187	49829	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:22.969649076 CET	49829	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:23.319216967 CET	1187	49829	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:23.407104015 CET	49829	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:23.755868912 CET	49829	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:23.829320908 CET	1187	49829	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:23.910912037 CET	49829	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:23.983854055 CET	1187	49829	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:23.985188961 CET	49829	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:24.013353109 CET	1187	49829	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:24.016784906 CET	49829	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:24.045032978 CET	1187	49829	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:24.110299110 CET	49829	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:24.798362017 CET	49829	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:24.877701998 CET	1187	49829	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:25.817747116 CET	49829	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:29.922804117 CET	49831	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:29.950402975 CET	1187	49831	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:29.950582027 CET	49831	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:29.951098919 CET	49831	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:29.997822046 CET	1187	49831	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:30.006211042 CET	49831	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:30.034090042 CET	1187	49831	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:30.079551935 CET	49831	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:30.555936098 CET	49831	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:30.634968996 CET	1187	49831	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:30.786884069 CET	1187	49831	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:30.788217068 CET	49831	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:30.815795898 CET	1187	49831	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:30.818123102 CET	49831	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:30.846262932 CET	1187	49831	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:30.846503019 CET	49831	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:30.874397039 CET	1187	49831	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:30.877418041 CET	49831	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:30.950719118 CET	1187	49831	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:30.950876951 CET	49831	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:31.019220114 CET	1187	49831	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:31.877157927 CET	49831	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:35.981817007 CET	49853	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:36.010345936 CET	1187	49853	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:36.010432005 CET	49853	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:36.010921001 CET	49853	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:36.062601089 CET	1187	49853	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:36.085913897 CET	49853	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:36.116188049 CET	1187	49853	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:36.158252954 CET	49853	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:36.307584047 CET	49853	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:36.385253906 CET	1187	49853	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:36.490442038 CET	1187	49853	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:36.496752024 CET	49853	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:36.524197102 CET	1187	49853	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:36.525687933 CET	49853	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:36.557921886 CET	1187	49853	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:36.558001041 CET	49853	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:36.585848093 CET	1187	49853	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:36.585937977 CET	49853	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:36.666099072 CET	1187	49853	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:36.878217936 CET	49853	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:36.959409952 CET	1187	49853	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:37.877599001 CET	49853	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:42.245685101 CET	49856	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:42.273993015 CET	1187	49856	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:42.274122000 CET	49856	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:42.274631977 CET	49856	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:42.332103014 CET	1187	49856	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:42.332396984 CET	49856	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:42.360955954 CET	1187	49856	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:42.408678055 CET	49856	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:42.569163084 CET	49856	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:42.647313118 CET	1187	49856	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:42.771549940 CET	1187	49856	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:42.772373915 CET	49856	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:42.800271034 CET	1187	49856	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:42.801196098 CET	49856	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:42.838268995 CET	1187	49856	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:42.838474035 CET	49856	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:42.866640091 CET	1187	49856	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:42.908771038 CET	49856	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:43.191144943 CET	49856	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:43.277307034 CET	1187	49856	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:44.191261053 CET	49856	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:48.302664042 CET	49857	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:48.330198050 CET	1187	49857	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:48.330338955 CET	49857	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:48.330828905 CET	49857	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:48.377876997 CET	1187	49857	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:48.378217936 CET	49857	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:48.406574965 CET	1187	49857	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:48.456037045 CET	49857	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:48.591248989 CET	49857	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:48.659168959 CET	1187	49857	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:48.771867037 CET	1187	49857	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:48.772666931 CET	49857	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:48.802257061 CET	1187	49857	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:48.814558029 CET	49857	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:48.842505932 CET	1187	49857	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:48.842653036 CET	49857	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:48.871387959 CET	1187	49857	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:48.873498917 CET	49857	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:48.901122093 CET	1187	49857	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:48.940476894 CET	49857	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:49.190989971 CET	49857	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:53.314320087 CET	49859	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:53.342032909 CET	1187	49859	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:53.342139006 CET	49859	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:53.343018055 CET	49859	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:53.386104107 CET	1187	49859	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:53.386410952 CET	49859	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:53.417824984 CET	1187	49859	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:53.460530996 CET	49859	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:53.683876038 CET	49859	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:53.766441107 CET	1187	49859	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:53.865909100 CET	1187	49859	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:53.867777109 CET	49859	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:53.895435095 CET	1187	49859	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:53.897571087 CET	49859	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:53.925575972 CET	1187	49859	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:53.925719976 CET	49859	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:53.953929901 CET	1187	49859	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:54.003396034 CET	49859	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:54.223069906 CET	49859	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:54.303000927 CET	1187	49859	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:55.286015987 CET	49859	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:59.433043003 CET	49863	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:59.461489916 CET	1187	49863	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:59.461611986 CET	49863	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:59.485425949 CET	49863	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:57:59.541719913 CET	1187	49863	194.85.248.250	192.168.2.4
Nov 25, 2021 11:57:59.597661018 CET	49863	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:00.490904093 CET	49863	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:00.519244909 CET	1187	49863	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:00.519331932 CET	49863	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:00.595498085 CET	1187	49863	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:00.730424881 CET	49863	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:00.800137043 CET	1187	49863	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:00.947887897 CET	1187	49863	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:00.959309101 CET	49863	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:00.987207890 CET	1187	49863	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:00.988251925 CET	49863	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:01.016745090 CET	1187	49863	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:01.016948938 CET	49863	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:01.044941902 CET	1187	49863	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:01.097750902 CET	49863	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:01.496112108 CET	49863	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:01.575295925 CET	1187	49863	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:02.489830971 CET	49863	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:06.620460987 CET	49864	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:06.647928953 CET	1187	49864	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:06.648027897 CET	49864	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:06.648551941 CET	49864	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:06.683993101 CET	1187	49864	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:06.738845110 CET	49864	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:06.766452074 CET	1187	49864	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:06.766774893 CET	49864	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:06.794651031 CET	1187	49864	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:06.848216057 CET	49864	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:06.987791061 CET	49864	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:07.068136930 CET	1187	49864	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:07.194235086 CET	1187	49864	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:07.196223021 CET	49864	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:07.224029064 CET	1187	49864	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:07.226181984 CET	49864	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:07.253917933 CET	1187	49864	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:07.254153013 CET	49864	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:07.282705069 CET	1187	49864	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:07.332932949 CET	49864	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:07.542408943 CET	49864	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:11.626770973 CET	49865	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:11.654556990 CET	1187	49865	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:11.654763937 CET	49865	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:11.655618906 CET	49865	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:11.699848890 CET	1187	49865	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:11.700248003 CET	49865	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:11.729582071 CET	1187	49865	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:11.770524025 CET	49865	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:11.940305948 CET	49865	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:12.027419090 CET	1187	49865	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:12.114479065 CET	1187	49865	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:12.116380930 CET	49865	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:12.144370079 CET	1187	49865	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:12.145437956 CET	49865	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:12.173504114 CET	1187	49865	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:12.173649073 CET	49865	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:12.202466011 CET	1187	49865	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:12.255939960 CET	49865	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:12.536940098 CET	49865	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:12.616967916 CET	1187	49865	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:13.537324905 CET	49865	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:17.584651947 CET	49866	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:17.612416983 CET	1187	49866	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:17.612524986 CET	49866	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:17.612798929 CET	49866	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:17.650521040 CET	1187	49866	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:17.692940950 CET	49866	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:17.720630884 CET	1187	49866	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:17.771119118 CET	49866	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:17.771852970 CET	49866	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:17.799792051 CET	1187	49866	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:17.800342083 CET	49866	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:17.872992992 CET	1187	49866	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:17.975944996 CET	1187	49866	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:17.994520903 CET	49866	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:18.022124052 CET	1187	49866	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:18.068048000 CET	49866	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:18.845566988 CET	49866	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:18.873820066 CET	1187	49866	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:18.873955011 CET	49866	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:18.902223110 CET	1187	49866	194.85.248.250	192.168.2.4
Nov 25, 2021 11:58:18.914572001 CET	49866	1187	192.168.2.4	194.85.248.250
Nov 25, 2021 11:58:18.996192932 CET	1187	49866	194.85.248.250	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 11:56:18.956589937 CET	49714	53	192.168.2.4	8.8.8.8
Nov 25, 2021 11:56:19.002612114 CET	53	49714	8.8.8.8	192.168.2.4
Nov 25, 2021 11:56:23.464132071 CET	58028	53	192.168.2.4	8.8.8.8
Nov 25, 2021 11:56:23.493869066 CET	53	58028	8.8.8.8	192.168.2.4
Nov 25, 2021 11:56:31.314296007 CET	53097	53	192.168.2.4	8.8.8.8
Nov 25, 2021 11:56:31.344295979 CET	53	53097	8.8.8.8	192.168.2.4
Nov 25, 2021 11:56:37.910442114 CET	49257	53	192.168.2.4	8.8.8.8
Nov 25, 2021 11:56:37.956129074 CET	53	49257	8.8.8.8	192.168.2.4
Nov 25, 2021 11:56:43.899588108 CET	49910	53	192.168.2.4	8.8.8.8
Nov 25, 2021 11:56:43.937406063 CET	53	49910	8.8.8.8	192.168.2.4
Nov 25, 2021 11:56:51.154023886 CET	55854	53	192.168.2.4	8.8.8.8
Nov 25, 2021 11:56:51.191472054 CET	53	55854	8.8.8.8	192.168.2.4
Nov 25, 2021 11:56:57.167371988 CET	64549	53	192.168.2.4	8.8.8.8
Nov 25, 2021 11:56:57.183079004 CET	53	64549	8.8.8.8	192.168.2.4
Nov 25, 2021 11:57:03.236888885 CET	56627	53	192.168.2.4	8.8.8.8
Nov 25, 2021 11:57:03.274627924 CET	53	56627	8.8.8.8	192.168.2.4
Nov 25, 2021 11:57:10.784302950 CET	61721	53	192.168.2.4	8.8.8.8
Nov 25, 2021 11:57:10.822038889 CET	53	61721	8.8.8.8	192.168.2.4
Nov 25, 2021 11:57:17.130686998 CET	51255	53	192.168.2.4	8.8.8.8
Nov 25, 2021 11:57:17.160696983 CET	53	51255	8.8.8.8	192.168.2.4
Nov 25, 2021 11:57:22.228977919 CET	52337	53	192.168.2.4	8.8.8.8
Nov 25, 2021 11:57:22.257795095 CET	53	52337	8.8.8.8	192.168.2.4
Nov 25, 2021 11:57:29.875340939 CET	55046	53	192.168.2.4	8.8.8.8
Nov 25, 2021 11:57:29.921734095 CET	53	55046	8.8.8.8	192.168.2.4
Nov 25, 2021 11:57:35.943232059 CET	49612	53	192.168.2.4	8.8.8.8
Nov 25, 2021 11:57:35.980635881 CET	53	49612	8.8.8.8	192.168.2.4
Nov 25, 2021 11:57:42.213505030 CET	49285	53	192.168.2.4	8.8.8.8
Nov 25, 2021 11:57:42.243149042 CET	53	49285	8.8.8.8	192.168.2.4
Nov 25, 2021 11:57:48.256104946 CET	50601	53	192.168.2.4	8.8.8.8
Nov 25, 2021 11:57:48.301652908 CET	53	50601	8.8.8.8	192.168.2.4
Nov 25, 2021 11:57:53.275501013 CET	56448	53	192.168.2.4	8.8.8.8
Nov 25, 2021 11:57:53.313308001 CET	53	56448	8.8.8.8	192.168.2.4
Nov 25, 2021 11:57:59.320873022 CET	62420	53	192.168.2.4	8.8.8.8
Nov 25, 2021 11:57:59.367306948 CET	53	62420	8.8.8.8	192.168.2.4
Nov 25, 2021 11:58:06.567533970 CET	60579	53	192.168.2.4	8.8.8.8
Nov 25, 2021 11:58:06.605303049 CET	53	60579	8.8.8.8	192.168.2.4
Nov 25, 2021 11:58:11.587215900 CET	50183	53	192.168.2.4	8.8.8.8
Nov 25, 2021 11:58:11.625068903 CET	53	50183	8.8.8.8	192.168.2.4
Nov 25, 2021 11:58:17.558532953 CET	61531	53	192.168.2.4	8.8.8.8
Nov 25, 2021 11:58:17.579953909 CET	53	61531	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 25, 2021 11:56:18.956589937 CET	192.168.2.4	8.8.8.8	0xaff9	Standard query (0)	dera31.ddns.net	A (IP address)	IN (0x0001)
Nov 25, 2021 11:56:23.464132071 CET	192.168.2.4	8.8.8.8	0x2005	Standard query (0)	dera31.ddns.net	A (IP address)	IN (0x0001)
Nov 25, 2021 11:56:31.314296007 CET	192.168.2.4	8.8.8.8	0xa309	Standard query (0)	dera31.ddns.net	A (IP address)	IN (0x0001)
Nov 25, 2021 11:56:37.910442114 CET	192.168.2.4	8.8.8.8	0xf45d	Standard query (0)	dera31.ddns.net	A (IP address)	IN (0x0001)
Nov 25, 2021 11:56:43.899588108 CET	192.168.2.4	8.8.8.8	0x24c	Standard query (0)	dera31.ddns.net	A (IP address)	IN (0x0001)
Nov 25, 2021 11:56:51.154023886 CET	192.168.2.4	8.8.8.8	0x81cf	Standard query (0)	dera31.ddns.net	A (IP address)	IN (0x0001)
Nov 25, 2021 11:56:57.167371988 CET	192.168.2.4	8.8.8.8	0xbdfb	Standard query (0)	dera31.ddns.net	A (IP address)	IN (0x0001)
Nov 25, 2021 11:57:03.236888885 CET	192.168.2.4	8.8.8.8	0x5506	Standard query (0)	dera31.ddns.net	A (IP address)	IN (0x0001)
Nov 25, 2021 11:57:10.784302950 CET	192.168.2.4	8.8.8.8	0xcbd	Standard query (0)	dera31.ddns.net	A (IP address)	IN (0x0001)
Nov 25, 2021 11:57:17.130686998 CET	192.168.2.4	8.8.8.8	0xecb1	Standard query (0)	dera31.ddns.net	A (IP address)	IN (0x0001)
Nov 25, 2021 11:57:22.228977919 CET	192.168.2.4	8.8.8.8	0x62f4	Standard query (0)	dera31.ddns.net	A (IP address)	IN (0x0001)
Nov 25, 2021 11:57:29.875340939 CET	192.168.2.4	8.8.8.8	0x121a	Standard query (0)	dera31.ddns.net	A (IP address)	IN (0x0001)
Nov 25, 2021 11:57:35.943232059 CET	192.168.2.4	8.8.8.8	0xe785	Standard query (0)	dera31.ddns.net	A (IP address)	IN (0x0001)
Nov 25, 2021 11:57:42.213505030 CET	192.168.2.4	8.8.8.8	0x5911	Standard query (0)	dera31.ddns.net	A (IP address)	IN (0x0001)
Nov 25, 2021 11:57:48.256104946 CET	192.168.2.4	8.8.8.8	0x8df6	Standard query (0)	dera31.ddns.net	A (IP address)	IN (0x0001)
Nov 25, 2021 11:57:53.275501013 CET	192.168.2.4	8.8.8.8	0x520d	Standard query (0)	dera31.ddns.net	A (IP address)	IN (0x0001)
Nov 25, 2021 11:57:59.320873022 CET	192.168.2.4	8.8.8.8	0x83c	Standard query (0)	dera31.ddns.net	A (IP address)	IN (0x0001)
Nov 25, 2021 11:58:06.567533970 CET	192.168.2.4	8.8.8.8	0xc148	Standard query (0)	dera31.ddns.net	A (IP address)	IN (0x0001)
Nov 25, 2021 11:58:11.587215900 CET	192.168.2.4	8.8.8.8	0x5e4	Standard query (0)	dera31.ddns.net	A (IP address)	IN (0x0001)
Nov 25, 2021 11:58:17.558532953 CET	192.168.2.4	8.8.8.8	0x2196	Standard query (0)	dera31.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Nov 25, 2021 11:56:19.002612114 CET	8.8.8.8	192.168.2.4	0xaff9	No error (0)	dera31.ddns.net	194.85.248.250	A (IP address)	IN (0x0001)
Nov 25, 2021 11:56:23.493869066 CET	8.8.8.8	192.168.2.4	0x2005	No error (0)	dera31.ddns.net	194.85.248.250	A (IP address)	IN (0x0001)
Nov 25, 2021 11:56:31.344295979 CET	8.8.8.8	192.168.2.4	0xa309	No error (0)	dera31.ddns.net	194.85.248.250	A (IP address)	IN (0x0001)
Nov 25, 2021 11:56:37.956129074 CET	8.8.8.8	192.168.2.4	0xf45d	No error (0)	dera31.ddns.net	194.85.248.250	A (IP address)	IN (0x0001)
Nov 25, 2021 11:56:43.937406063 CET	8.8.8.8	192.168.2.4	0x24c	No error (0)	dera31.ddns.net	194.85.248.250	A (IP address)	IN (0x0001)
Nov 25, 2021 11:56:51.191472054 CET	8.8.8.8	192.168.2.4	0x81cf	No error (0)	dera31.ddns.net	194.85.248.250	A (IP address)	IN (0x0001)
Nov 25, 2021 11:56:57.183079004 CET	8.8.8.8	192.168.2.4	0xbdfb	No error (0)	dera31.ddns.net	194.85.248.250	A (IP address)	IN (0x0001)
Nov 25, 2021 11:57:03.274627924 CET	8.8.8.8	192.168.2.4	0x5506	No error (0)	dera31.ddns.net	194.85.248.250	A (IP address)	IN (0x0001)
Nov 25, 2021 11:57:10.822038889 CET	8.8.8.8	192.168.2.4	0xcbd	No error (0)	dera31.ddns.net	194.85.248.250	A (IP address)	IN (0x0001)
Nov 25, 2021 11:57:17.160696983 CET	8.8.8.8	192.168.2.4	0xecb1	No error (0)	dera31.ddns.net	194.85.248.250	A (IP address)	IN (0x0001)
Nov 25, 2021 11:57:22.257795095 CET	8.8.8.8	192.168.2.4	0x62f4	No error (0)	dera31.ddns.net	194.85.248.250	A (IP address)	IN (0x0001)
Nov 25, 2021 11:57:29.921734095 CET	8.8.8.8	192.168.2.4	0x121a	No error (0)	dera31.ddns.net	194.85.248.250	A (IP address)	IN (0x0001)
Nov 25, 2021 11:57:35.980635881 CET	8.8.8.8	192.168.2.4	0xe785	No error (0)	dera31.ddns.net	194.85.248.250	A (IP address)	IN (0x0001)
Nov 25, 2021 11:57:42.243149042 CET	8.8.8.8	192.168.2.4	0x5911	No error (0)	dera31.ddns.net	194.85.248.250	A (IP address)	IN (0x0001)
Nov 25, 2021 11:57:48.301652908 CET	8.8.8.8	192.168.2.4	0x8df6	No error (0)	dera31.ddns.net	194.85.248.250	A (IP address)	IN (0x0001)
Nov 25, 2021 11:57:53.313308001 CET	8.8.8.8	192.168.2.4	0x520d	No error (0)	dera31.ddns.net	194.85.248.250	A (IP address)	IN (0x0001)
Nov 25, 2021 11:57:59.367306948 CET	8.8.8.8	192.168.2.4	0x83c	No error (0)	dera31.ddns.net	194.85.248.250	A (IP address)	IN (0x0001)
Nov 25, 2021 11:58:06.605303049 CET	8.8.8.8	192.168.2.4	0xc148	No error (0)	dera31.ddns.net	194.85.248.250	A (IP address)	IN (0x0001)
Nov 25, 2021 11:58:11.625068903 CET	8.8.8.8	192.168.2.4	0x5e4	No error (0)	dera31.ddns.net	194.85.248.250	A (IP address)	IN (0x0001)
Nov 25, 2021 11:58:17.579953909 CET	8.8.8.8	192.168.2.4	0x2196	No error (0)	dera31.ddns.net	194.85.248.250	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SK TAX INV.exe PID: 3980 Parent PID: 5296

General

Start time:	11:56:10
Start date:	25/11/2021
Path:	C:\Users\user\Desktop\SK TAX INV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SK TAX INV.exe"
Imagebase:	0x420000
File size:	493568 bytes
MD5 hash:	C2EE32F9D7DE6B05472CEDA926FD0A6F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.668327294.00000000028A1000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.670484046.0000000003B11000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.668432779.0000000002965000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: SK TAX INV.exe PID: 6636 Parent PID: 3980

General

Start time:	11:56:13
Start date:	25/11/2021
Path:	C:\Users\user\Desktop\SK TAX INV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SK TAX INV.exe
Imagebase:	0xb10000
File size:	493568 bytes
MD5 hash:	C2EE32F9D7DE6B05472CEDA926FD0A6F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000000.665221730.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000000.665589656.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000000.665941289.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000000.666335348.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6980 Parent PID: 3424

General

Start time:	11:56:28
Start date:	25/11/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase:	0x360000
File size:	493568 bytes
MD5 hash:	C2EE32F9D7DE6B05472CEDA926FD0A6F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 18%, Virustotal, Browse Detection: 20%, ReversingLabs
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SK TAX INV.exe PID: 3980 Parent PID: 5296 SK TAX INV.exeCOMMON

Executed Functions

Function 00DFD2E8, Relevance: 2.5, Strings: 1, Instructions: 1291COMMON

Download Yara Rule

Strings

d, xrefs: 00DFD80A

Memory Dump Source

Source File: 00000000.00000002.668127193.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: f0af031cb57e4b5e8956f52b1d1a0858126a6951ce1681b3c6fbb17d035a0c8c
Instruction ID: eb1010661c5c5e6e3493512b481f90b69f5596fde0231de913d19aa6521ca541
Opcode Fuzzy Hash: f0af031cb57e4b5e8956f52b1d1a0858126a6951ce1681b3c6fbb17d035a0c8c
Instruction Fuzzy Hash: A4C22D34A00219CFDB18DF64D469AA9B7B3FB89304F25C4A5D9099B765EB34EC81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00DF8250, Relevance: .5, Instructions: 516COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.668127193.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5acf944ac4d6466f14dd4627964a3ebdd2727dc2221f9e708ded6a96e11e027a
Instruction ID: 5460f4fdabc947f98929af1e2bbf0218b61b38d2ad0d62dad59ef8e9ca322d99
Opcode Fuzzy Hash: 5acf944ac4d6466f14dd4627964a3ebdd2727dc2221f9e708ded6a96e11e027a
Instruction Fuzzy Hash: B702F035A002198FDF14DB68C4903BD77A2AF81304F1AC865DA46EB391DF38DD40ABA3

Uniqueness

Uniqueness Score: -1.00%

Function 00DF4747, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 00DF47CD

Memory Dump Source

Source File: 00000000.00000002.668127193.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: d7834689e2babc04506def0c8ed46fbd2e89825b816e33074050f39f0f293880
Instruction ID: dfc5ecfddb88c6f565a271e0a8fb3581b46bf6ef5adf34d49b3e096baff2ea26
Opcode Fuzzy Hash: d7834689e2babc04506def0c8ed46fbd2e89825b816e33074050f39f0f293880
Instruction Fuzzy Hash: 6521AE788053888FDB10EFA8D5443ABBBF4EB05318F158429D604E7781D779A908CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DF4497, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 00DF4522

Memory Dump Source

Source File: 00000000.00000002.668127193.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 8f50bca20f05e20cb189a5f80c9944e6b47776baaf4f9d3f7585e8440808b098
Instruction ID: 63c2f42e389dda377cbc1d19101c05f986efd67e7f3a9a633f978315d8cd1ee3
Opcode Fuzzy Hash: 8f50bca20f05e20cb189a5f80c9944e6b47776baaf4f9d3f7585e8440808b098
Instruction Fuzzy Hash: 9421A9B18043888FDB10DFA8D54939FBFF4EB49328F248429C846A7342D7795944CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DF44A8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 00DF4522

Memory Dump Source

Source File: 00000000.00000002.668127193.0000000000DF0000.00000040.00000001.sdmp, Offset: 00DF0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 4074a21845e4e9763f6e3df77696cbdde33c105b6880f3b5419a411bb04779ce
Instruction ID: 0bea2d7e67e2c5c98d35099502c64e8f0f85c7d48206ed6523ba9cd055eff723
Opcode Fuzzy Hash: 4074a21845e4e9763f6e3df77696cbdde33c105b6880f3b5419a411bb04779ce
Instruction Fuzzy Hash: 65119A709002488FDF10DFA9D6097AFBBF4FB49328F108429D905A7741D779A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00426BFF, Relevance: .6, Instructions: 621COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.667390652.0000000000422000.00000002.00020000.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.667376670.0000000000420000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f88c12bd67c8dbf2e4b8e6fb4258955538a696f9f102a7b31b602d16e0d4770
Instruction ID: 376310fd8a2f940de787246bb95c2de949483ab7ed766b9015ccfb795a6e2e1e
Opcode Fuzzy Hash: 2f88c12bd67c8dbf2e4b8e6fb4258955538a696f9f102a7b31b602d16e0d4770
Instruction Fuzzy Hash: 14223C3644A3929FD343CF70D892AE27BF0EF1731434905D6E480CB562D369AA69CBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SK TAX INV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution