Windows Analysis Report
plugmanzx.exe

Overview

General Information

Sample Name:plugmanzx.exe
Analysis ID:558864
MD5:7031570aa150b893f68a32900327b2ae
SHA1:caeb6580b9d33eedea97c7775ad0853a33a59b3a
SHA256:f515a9d2910da428d7803afc2244476a5b185f30361482cc1dd49670513281a5
Tags:exe, NanoCore

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicious Remote Thread Created
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Sigma detected: Accessing WinAPI in PowerShell. Code Injection.
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification

Classification

  • System is w10x64
  • plugmanzx.exe (PID: 6396 cmdline: "C:\Users\user\Desktop\plugmanzx.exe" MD5: 7031570AA150B893F68A32900327B2AE)
    • powershell.exe (PID: 396 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 576 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp2B3E.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 5952 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • schtasks.exe (PID: 6828 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1F0B.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 2144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5860 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp2862.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 1036 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 1688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 1940 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 4132 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 3604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000F.00000000.304626341.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000000.304626341.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
    0000000F.00000000.304626341.0000000000402000.00000040.00000400.00020000.00000000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0xfcf5:$a: NanoCore
    • 0xfd05:$a: NanoCore
    • 0xff39:$a: NanoCore
    • 0xff4d:$a: NanoCore
    • 0xff8d:$a: NanoCore
    • 0xfd54:$b: ClientPlugin
    • 0xff56:$b: ClientPlugin
    • 0xff96:$b: ClientPlugin
    • 0xfe7b:$c: ProjectData
    • 0x10882:$d: DESCrypto
    • 0x1824e:$e: KeepAlive
    • 0x1623c:$g: LogClientMessage
    • 0x12437:$i: get_Connected
    • 0x10bb8:$j: #=q
    • 0x10be8:$j: #=q
    • 0x10c04:$j: #=q
    • 0x10c34:$j: #=q
    • 0x10c50:$j: #=q
    • 0x10c6c:$j: #=q
    • 0x10c9c:$j: #=q
    • 0x10cb8:$j: #=q
    0000000F.00000002.521794334.0000000001450000.00000004.08000000.00040000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x5b99:$x1: NanoCore.ClientPluginHost
    • 0x5bb3:$x2: IClientNetworkHost
    0000000F.00000002.521794334.0000000001450000.00000004.08000000.00040000.00000000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0x5b99:$x2: NanoCore.ClientPluginHost
    • 0x6bce:$s4: PipeCreated
    • 0x5b86:$s5: IClientLoggingHost
    Source | Rule | Description | Author | Strings
    15.2.RegSvcs.exe.13e0000.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x16e3:$x1: NanoCore.ClientPluginHost
    • 0x171c:$x2: IClientNetworkHost
    15.2.RegSvcs.exe.13e0000.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0x16e3:$x2: NanoCore.ClientPluginHost
    • 0x1800:$s4: PipeCreated
    • 0x16fd:$s5: IClientLoggingHost
    15.2.RegSvcs.exe.1410000.5.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x605:$x1: NanoCore.ClientPluginHost
    • 0x63e:$x2: IClientNetworkHost
    15.2.RegSvcs.exe.1410000.5.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0x605:$x2: NanoCore.ClientPluginHost
    • 0x720:$s4: PipeCreated
    • 0x61f:$s5: IClientLoggingHost
    15.2.RegSvcs.exe.1484c9f.12.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x1a53c:$x1: NanoCore.ClientPluginHost
    • 0x1a556:$x2: IClientNetworkHost

    AV Detection

    Source: File created, Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5952, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    E-Banking Fraud

    Source: File created, Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5952, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    System Summary

    Source: Process started, Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\plugmanzx.exe" , ParentImage: C:\Users\user\Desktop\plugmanzx.exe, ParentProcessId: 6396, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5952
    Source: Threat created, Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 396, StartAddress: 6E9E8BB0, TargetImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, TargetProcessId: 396
    Source: Process started, Author: frack113: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp2B3E.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp2B3E.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\plugmanzx.exe" , ParentImage: C:\Users\user\Desktop\plugmanzx.exe, ParentProcessId: 6396, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp2B3E.tmp, ProcessId: 576
    Source: Process started, Author: Florian Roth: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\plugmanzx.exe" , ParentImage: C:\Users\user\Desktop\plugmanzx.exe, ParentProcessId: 6396, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, ProcessId: 396
    Source: Threat created, Author: Nikita Nazarov, oscd.community: Data: EventID: 8, SourceImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 396, StartAddress: 6E9E8BB0, TargetImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, TargetProcessId: 396
    Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton: Data: Details: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5952, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Monitor
    Source: Process started, Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\plugmanzx.exe" , ParentImage: C:\Users\user\Desktop\plugmanzx.exe, ParentProcessId: 6396, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5952
    Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\plugmanzx.exe" , ParentImage: C:\Users\user\Desktop\plugmanzx.exe, ParentProcessId: 6396, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, ProcessId: 396
    Source: Pipe created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132875411481663754.396.DefaultAppDomain.powershell

    Stealing of Sensitive Information

    Source: File created, Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5952, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Remote Access Functionality

    Source: File created, Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5952, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    AV Detection

    Source: plugmanzx.exe, Virustotal: Detection: 46%
    Source: plugmanzx.exe, ReversingLabs: Detection: 39%
    Source: C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, Virustotal: Detection: 46%
    Source: C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, ReversingLabs: Detection: 39%
    Source: plugmanzx.exe, Joe Sandbox ML: detected
    Source: C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, Joe Sandbox ML: detected
    Source: 15.2.RegSvcs.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
    Source: 15.0.RegSvcs.exe.400000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
    Source: 15.2.RegSvcs.exe.5a30000.36.unpack, Avira: Label: TR/NanoCore.fadte
    Source: 15.0.RegSvcs.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
    Source: 15.0.RegSvcs.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
    Source: 15.0.RegSvcs.exe.400000.2.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
    Source: 15.0.RegSvcs.exe.400000.4.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
    Source: plugmanzx.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: plugmanzx.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: RegSvcs.pdb, source: dhcpmon.exe, 00000019.00000000.342255781.0000000000D42000.00000002.00000001.01000000.00000008.sdmp, dhcpmon.exe, 0000001C.00000002.357912344.00000000004C2000.00000002.00000001.01000000.00000008.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegSvcs.exe, 0000000F.00000002.525364655.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.522822443.000000000326E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.521673024.0000000001400000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe, 0000001C.00000002.357912344.00000000004C2000.00000002.00000001.01000000.00000008.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 0000000F.00000002.525855110.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525364655.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.522822443.000000000326E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525653853.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.521729554.0000000001420000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 0000000F.00000002.525855110.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525364655.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525737739.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.522822443.000000000326E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.521778543.0000000001440000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525653853.0000000004F71000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 0000000F.00000002.525855110.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525364655.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.522822443.000000000326E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.521545573.00000000013E0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525653853.0000000004F71000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 0000000F.00000002.525855110.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525364655.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525737739.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.522822443.000000000326E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.521751519.0000000001430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525653853.0000000004F71000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 0000000F.00000002.525855110.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525364655.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.522822443.000000000326E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525653853.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.521716903.0000000001410000.00000004.08000000.00040000.00000000.sdmp

    Networking

    Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49775 -> 103.153.78.234:3132
    Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49779 -> 103.153.78.234:3132
    Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49782 -> 103.153.78.234:3132
    Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49790 -> 103.153.78.234:3132
    Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49791 -> 103.153.78.234:3132
    Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49798 -> 103.153.78.234:3132
    Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49801 -> 103.153.78.234:3132
    Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49802 -> 103.153.78.234:3132
    Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49830 -> 103.153.78.234:3132
    Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49834 -> 103.153.78.234:3132
    Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49835 -> 103.153.78.234:3132
    Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49836 -> 103.153.78.234:3132
    Source: global traffic, TCP traffic: 192.168.2.5:49775 -> 103.153.78.234:3132
    Source: RegSvcs.exe, 0000000F.00000002.525855110.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525364655.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525737739.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.522822443.000000000326E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.521751519.0000000001430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525653853.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://google.com
    Source: plugmanzx.exe, 00000000.00000002.308524154.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, plugmanzx.exe, 00000000.00000002.308781771.0000000002B9B000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: unknown, DNS traffic detected: queries for: vijayikohli1.bounceme.net
    Source: RegSvcs.exe, 0000000F.00000002.525855110.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: RegisterRawInputDevices

    System Summary

    Source: 15.2.RegSvcs.exe.13e0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 15.2.RegSvcs.exe.1410000.5.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 15.2.RegSvcs.exe.1484c9f.12.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 15.2.RegSvcs.exe.1440000.8.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 15.2.RegSvcs.exe.148e8a4.13.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 15.2.RegSvcs.exe.505a5ee.30.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 15.2.RegSvcs.exe.14c0000.14.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.RegSvcs.exe.1260000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 0.2.plugmanzx.exe.3afa0d0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 0.2.plugmanzx.exe.3afa0d0.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.RegSvcs.exe.50d74b8.32.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 15.2.RegSvcs.exe.1480000.11.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 15.2.RegSvcs.exe.5a30000.36.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 15.2.RegSvcs.exe.1260000.1.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 15.2.RegSvcs.exe.322cc7c.15.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 15.2.RegSvcs.exe.4e5c3a5.23.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 15.2.RegSvcs.exe.1270000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 15.2.RegSvcs.exe.4f76918.27.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 15.2.RegSvcs.exe.3296b48.17.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 15.2.RegSvcs.exe.3296b48.17.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.RegSvcs.exe.5980000.34.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.RegSvcs.exe.3296b48.17.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 15.2.RegSvcs.exe.4f71ae2.26.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 15.2.RegSvcs.exe.4f71ae2.26.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.RegSvcs.exe.4f76918.27.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.4f76918.27.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.RegSvcs.exe.504338f.28.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.424b7be.19.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.424b7be.19.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.RegSvcs.exe.1430000.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.1410000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.1400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.1470000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.14c0000.14.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.1400000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.RegSvcs.exe.1440000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.1470000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.4e50171.22.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.1450000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.RegSvcs.exe.1480000.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.42505f4.20.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.505a5ee.30.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.plugmanzx.exe.3b2ccf0.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.plugmanzx.exe.3b2ccf0.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.RegSvcs.exe.1450000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.plugmanzx.exe.3afa0d0.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.plugmanzx.exe.3afa0d0.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.RegSvcs.exe.1270000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.504338f.28.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.504338f.28.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.RegSvcs.exe.5a34629.35.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.504c1be.29.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.5a30000.36.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.328a900.16.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.1420000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.1430000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.50dbae1.33.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.RegSvcs.exe.504c1be.29.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.328a900.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.328a900.16.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.RegSvcs.exe.42505f4.20.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.4254c1d.21.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.4e5c3a5.23.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.RegSvcs.exe.4f7af41.25.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.50d2682.31.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.RegSvcs.exe.32ab184.18.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.4e50171.22.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.RegSvcs.exe.50d74b8.32.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.plugmanzx.exe.3b2ccf0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.32ab184.18.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.RegSvcs.exe.4f7af41.25.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.plugmanzx.exe.3b2ccf0.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.RegSvcs.exe.4e709d2.24.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.RegSvcs.exe.4e709d2.24.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000F.00000000.304626341.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000000.304626341.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000F.00000002.521794334.0000000001450000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000002.521832008.0000000001480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000000.304191384.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000000.304191384.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000F.00000002.525855110.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000F.00000002.525737739.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000F.00000002.526281025.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000002.521778543.0000000001440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000002.521862470.00000000014C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000000.305001052.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000000.305001052.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000F.00000002.520201704.0000000001270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000002.521819671.0000000001470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000002.521545573.00000000013E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000002.521751519.0000000001430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000002.518339869.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000002.518339869.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000F.00000002.521729554.0000000001420000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000002.525364655.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000F.00000002.521673024.0000000001400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000002.522822443.000000000326E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000F.00000002.524023991.0000000004201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000F.00000002.525653853.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000F.00000002.526212800.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000002.521716903.0000000001410000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000000.303720416.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000000.303720416.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000F.00000002.518644144.0000000001260000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000000.00000002.311012265.0000000003A1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000000.00000002.311012265.0000000003A1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: plugmanzx.exe PID: 6396, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: plugmanzx.exe PID: 6396, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: RegSvcs.exe PID: 5952, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: RegSvcs.exe PID: 5952, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: plugmanzx.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: 15.2.RegSvcs.exe.13e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.13e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.1410000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.1410000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.1484c9f.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.1484c9f.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.1440000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.1440000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.148e8a4.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.148e8a4.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.505a5ee.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.505a5ee.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.14c0000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.14c0000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.RegSvcs.exe.1260000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.1260000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.plugmanzx.exe.3afa0d0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.plugmanzx.exe.3afa0d0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.RegSvcs.exe.50d74b8.32.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.50d74b8.32.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.1480000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.1480000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.5a30000.36.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.5a30000.36.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.1260000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.1260000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.322cc7c.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.322cc7c.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.4e5c3a5.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.4e5c3a5.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.1270000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.1270000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.4f76918.27.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.4f76918.27.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.3296b48.17.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.3296b48.17.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.RegSvcs.exe.5980000.34.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.5980000.34.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.RegSvcs.exe.3296b48.17.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.3296b48.17.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.4f71ae2.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.4f71ae2.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.4f71ae2.26.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.RegSvcs.exe.4f76918.27.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.4f76918.27.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.4f76918.27.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.RegSvcs.exe.504338f.28.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.504338f.28.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.424b7be.19.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.424b7be.19.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.424b7be.19.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.RegSvcs.exe.1430000.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.1430000.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.1410000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.1410000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.1400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.1400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.1470000.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.1470000.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.14c0000.14.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.14c0000.14.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.1400000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.1400000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.RegSvcs.exe.1440000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.1440000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.1470000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.1470000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.4e50171.22.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.4e50171.22.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.1450000.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.1450000.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.RegSvcs.exe.1480000.11.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.1480000.11.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.42505f4.20.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.42505f4.20.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.505a5ee.30.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.505a5ee.30.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.plugmanzx.exe.3b2ccf0.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.plugmanzx.exe.3b2ccf0.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.plugmanzx.exe.3b2ccf0.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.RegSvcs.exe.1450000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.1450000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.plugmanzx.exe.3afa0d0.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.plugmanzx.exe.3afa0d0.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.plugmanzx.exe.3afa0d0.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.RegSvcs.exe.1270000.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.1270000.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.504338f.28.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.504338f.28.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.504338f.28.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.RegSvcs.exe.5a34629.35.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.5a34629.35.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.504c1be.29.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.504c1be.29.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.5a30000.36.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.5a30000.36.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.328a900.16.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.328a900.16.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.1420000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.1420000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.1430000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.1430000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.50dbae1.33.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.RegSvcs.exe.504c1be.29.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.504c1be.29.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.328a900.16.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.328a900.16.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.RegSvcs.exe.42505f4.20.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.42505f4.20.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.4254c1d.21.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.4254c1d.21.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.4e5c3a5.23.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.RegSvcs.exe.4f7af41.25.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.4f7af41.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.50d2682.31.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.RegSvcs.exe.32ab184.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.4e50171.22.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.RegSvcs.exe.50d74b8.32.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.plugmanzx.exe.3b2ccf0.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.plugmanzx.exe.3b2ccf0.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 15.2.RegSvcs.exe.32ab184.18.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.RegSvcs.exe.4f7af41.25.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.plugmanzx.exe.3b2ccf0.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.RegSvcs.exe.4e709d2.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.RegSvcs.exe.4e709d2.24.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000000.304626341.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000000.304626341.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.521794334.0000000001450000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.521794334.0000000001450000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000F.00000002.521832008.0000000001480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.521832008.0000000001480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000F.00000000.304191384.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000000.304191384.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.525855110.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.525737739.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.526281025.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.526281025.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000F.00000002.521778543.0000000001440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.521778543.0000000001440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000F.00000002.521862470.00000000014C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.521862470.00000000014C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000F.00000000.305001052.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000000.305001052.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.520201704.0000000001270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.520201704.0000000001270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000F.00000002.521819671.0000000001470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.521819671.0000000001470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000F.00000002.521545573.00000000013E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.521545573.00000000013E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000F.00000002.521751519.0000000001430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.521751519.0000000001430000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000F.00000002.518339869.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.518339869.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.521729554.0000000001420000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.521729554.0000000001420000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000F.00000002.525364655.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.521673024.0000000001400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.521673024.0000000001400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000F.00000002.522822443.000000000326E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.524023991.0000000004201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.525653853.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.526212800.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.526212800.0000000005980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000F.00000002.521716903.0000000001410000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.521716903.0000000001410000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000F.00000000.303720416.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000000.303720416.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.518644144.0000000001260000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.518644144.0000000001260000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000000.00000002.311012265.0000000003A1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.311012265.0000000003A1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: plugmanzx.exe PID: 6396, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: plugmanzx.exe PID: 6396, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: RegSvcs.exe PID: 5952, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: RegSvcs.exe PID: 5952, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: plugmanzx.exe, 00000000.00000000.245668175.0000000000496000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenameBindableVectorToListAdapt.exeH vs plugmanzx.exe
    Source: plugmanzx.exe, 00000000.00000002.319309126.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameUI.dllF vs plugmanzx.exe
    Source: plugmanzx.exe, 00000000.00000002.308524154.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs plugmanzx.exe
    Source: plugmanzx.exe, 00000000.00000002.312871031.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameUI.dllF vs plugmanzx.exe
    Source: plugmanzx.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: ZdNnwVcb.exe.0.dr, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: plugmanzx.exe, Virustotal: Detection: 46%
    Source: plugmanzx.exe, ReversingLabs: Detection: 39%
    Source: C:\Users\user\Desktop\plugmanzx.exe, File read: C:\Users\user\Desktop\plugmanzx.exe
    Source: C:\Users\user\Desktop\plugmanzx.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown, Process created: C:\Users\user\Desktop\plugmanzx.exe "C:\Users\user\Desktop\plugmanzx.exe"
    Source: C:\Users\user\Desktop\plugmanzx.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\plugmanzx.exe, Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp2B3E.tmp
    Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\plugmanzx.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1F0B.tmp
    Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp2862.tmp
    Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
    Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown, Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown, Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\plugmanzx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe
    Source: C:\Users\user\Desktop\plugmanzx.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp2B3E.tmp
    Source: C:\Users\user\Desktop\plugmanzx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
    Source: C:\Users\user\Desktop\plugmanzx.exeFile created: C:\Users\user\AppData\Roaming\ZdNnwVcb.exe
    Source: C:\Users\user\Desktop\plugmanzx.exeFile created: C:\Users\user\AppData\Local\Temp\tmp2B3E.tmp
    Source: classification engineClassification label: mal100.troj.evad.winEXE@21/21@12/1
    Source: C:\Users\user\Desktop\plugmanzx.exeFile read: C:\Users\user\Desktop\desktop.ini
    Source: 15.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 15.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: 15.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 15.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: 15.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 15.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: 15.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 15.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: 15.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 15.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: 15.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 15.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: C:\Users\user\Desktop\plugmanzx.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1688:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2144:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6972:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_01
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{910523a1-2f72-4f3f-a340-f1a8b5f90deb}
    Source: C:\Users\user\Desktop\plugmanzx.exeMutant created: \Sessions\1\BaseNamedObjects\bigbkIthbt
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4952:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2924:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3604:120:WilError_01
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP Monitor
    Source: 15.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 15.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
    Source: 15.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
    Source: 15.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 15.0.RegSvcs.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
    Source: 15.0.RegSvcs.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
    Source: 15.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 15.0.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
    Source: 15.0.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Users\user\Desktop\plugmanzx.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: plugmanzx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: plugmanzx.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: RegSvcs.pdb, source: dhcpmon.exe, 00000019.00000000.342255781.0000000000D42000.00000002.00000001.01000000.00000008.sdmp, dhcpmon.exe, 0000001C.00000002.357912344.00000000004C2000.00000002.00000001.01000000.00000008.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegSvcs.exe, 0000000F.00000002.525364655.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.522822443.000000000326E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.521673024.0000000001400000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe, 0000001C.00000002.357912344.00000000004C2000.00000002.00000001.01000000.00000008.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 0000000F.00000002.525855110.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525364655.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.522822443.000000000326E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525653853.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.521729554.0000000001420000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 0000000F.00000002.525855110.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525364655.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525737739.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.522822443.000000000326E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.521778543.0000000001440000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525653853.0000000004F71000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 0000000F.00000002.525855110.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525364655.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.522822443.000000000326E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.521545573.00000000013E0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525653853.0000000004F71000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 0000000F.00000002.525855110.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525364655.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525737739.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.522822443.000000000326E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.521751519.0000000001430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525653853.0000000004F71000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 0000000F.00000002.525855110.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525364655.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.522822443.000000000326E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525653853.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.521716903.0000000001410000.00000004.08000000.00040000.00000000.sdmp

    Data Obfuscation

    Source: 15.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 15.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 15.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 15.0.RegSvcs.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 15.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 15.0.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 15.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 15.0.RegSvcs.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 15.0.RegSvcs.exe.400000.2.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 15.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 15.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 15.0.RegSvcs.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: C:\Users\user\Desktop\plugmanzx.exeCode function: 0_2_00425B04 push ecx; ret 0_2_00425B19
    Source: C:\Users\user\Desktop\plugmanzx.exeCode function: 0_2_00E3D500 push C3FFFFE9h; ret 0_2_00E3D524
    Source: initial sampleStatic PE information: section name: .text entropy: 7.85251409286
    Source: 15.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 15.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: C:\Users\user\Desktop\plugmanzx.exeFile created: C:\Users\user\AppData\Roaming\ZdNnwVcb.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

    Boot Survival

    Source: C:\Users\user\Desktop\plugmanzx.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp2B3E.tmp

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\plugmanzx.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
    Source: C:\Users\user\Desktop\plugmanzx.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: Yara match; File source: 0.2.plugmanzx.exe.2a3b058.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 0.2.plugmanzx.exe.2a43064.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 00000000.00000002.308524154.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match; File source: 00000000.00000002.308781771.0000000002B9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match; File source: Process Memory Space: plugmanzx.exe PID: 6396, type: MEMORYSTR
    Source: plugmanzx.exe, 00000000.00000002.308524154.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, plugmanzx.exe, 00000000.00000002.308781771.0000000002B9B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
    Source: plugmanzx.exe, 00000000.00000002.308524154.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, plugmanzx.exe, 00000000.00000002.308781771.0000000002B9B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
    Source: C:\Users\user\Desktop\plugmanzx.exe TID: 6400; Thread sleep time: -36650s >= -30000s
    Source: C:\Users\user\Desktop\plugmanzx.exe TID: 6420; Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\plugmanzx.exe TID: 6480; Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4552; Thread sleep time: -3689348814741908s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1544; Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4416; Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6776; Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
    Source: C:\Users\user\Desktop\plugmanzx.exe; Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7229
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 825
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Window / User API: threadDelayed 6632
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Window / User API: threadDelayed 2705
    Source: C:\Users\user\Desktop\plugmanzx.exe; Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\plugmanzx.exe; Thread delayed: delay time: 36650
    Source: plugmanzx.exe, 00000000.00000002.308781771.0000000002B9B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
    Source: plugmanzx.exe, 00000000.00000002.308781771.0000000002B9B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: plugmanzx.exe, 00000000.00000002.308781771.0000000002B9B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: vmware
    Source: RegSvcs.exe, 0000000F.00000002.521526197.00000000013D7000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
    Source: plugmanzx.exe, 00000000.00000002.308781771.0000000002B9B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
    Source: C:\Users\user\Desktop\plugmanzx.exe; Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
    Source: C:\Users\user\Desktop\plugmanzx.exe; Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Users\user\Desktop\plugmanzx.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe
    Source: C:\Users\user\Desktop\plugmanzx.exe; Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp2B3E.tmp
    Source: C:\Users\user\Desktop\plugmanzx.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1F0B.tmp
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp2862.tmp
    Source: RegSvcs.exe, 0000000F.00000002.527201198.00000000074ED000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Managerram Managerp
    Source: RegSvcs.exe, 0000000F.00000002.528520817.0000000009CCE000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Managerram Manager
    Source: RegSvcs.exe, 0000000F.00000002.523277049.0000000003494000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerp
    Source: RegSvcs.exe, 0000000F.00000002.523277049.0000000003494000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.523684367.00000000036C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.523079981.0000000003370000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager`
    Source: C:\Users\user\Desktop\plugmanzx.exe Queries volume information: C:\Users\user\Desktop\plugmanzx.exe VolumeInformation
    Source: C:\Users\user\Desktop\plugmanzx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\plugmanzx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\plugmanzx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\plugmanzx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
    Source: C:\Users\user\Desktop\plugmanzx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

    Stealing of Sensitive Information

    Source: Yara match File source: Process Memory Space: plugmanzx.exe PID: 6396, type: MEMORYSTR
    Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5952, type: MEMORYSTR

    Remote Access Functionality

    Source: plugmanzx.exe, 00000000.00000002.311012265.0000000003A1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe String found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 0000000F.00000000.304626341.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 0000000F.00000002.522735844.0000000003201000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 0000000F.00000002.525855110.00000000050D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
onAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: RegSvcs.exe, 0000000F.00000002.525855110.00000000050D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCP
CommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: RegSvcs.exe, 0000000F.00000002.521794334.0000000001450000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 0000000F.00000002.521832008.0000000001480000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 0000000F.00000002.525364655.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 0000000F.00000002.525737739.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 0000000F.00000002.522822443.000000000326E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
CommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: RegSvcs.exe, 0000000F.00000002.521862470.00000000014C0000.00000004.08000000.00040000.00000000.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 0000000F.00000002.521778543.0000000001440000.00000004.08000000.00040000.00000000.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 0000000F.00000002.524023991.0000000004201000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 0000000F.00000002.521751519.0000000001430000.00000004.08000000.00040000.00000000.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 0000000F.00000002.521545573.00000000013E0000.00000004.08000000.00040000.00000000.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 0000000F.00000002.521819671.0000000001470000.00000004.08000000.00040000.00000000.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 0000000F.00000002.525653853.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 0000000F.00000002.521729554.0000000001420000.00000004.08000000.00040000.00000000.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 0000000F.00000002.521673024.0000000001400000.00000004.08000000.00040000.00000000.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 0000000F.00000002.521716903.0000000001410000.00000004.08000000.00040000.00000000.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 0000000F.00000003.443139537.0000000006DEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: Yara matchFile source: 15.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.plugmanzx.exe.3afa0d0.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.RegSvcs.exe.50d74b8.32.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.RegSvcs.exe.5a30000.36.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.RegSvcs.exe.4f76918.27.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.RegSvcs.exe.4f71ae2.26.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.RegSvcs.exe.4f76918.27.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.RegSvcs.exe.424b7be.19.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.RegSvcs.exe.42505f4.20.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.plugmanzx.exe.3b2ccf0.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.plugmanzx.exe.3afa0d0.3.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.RegSvcs.exe.5a34629.35.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.RegSvcs.exe.5a30000.36.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.RegSvcs.exe.50dbae1.33.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.RegSvcs.exe.42505f4.20.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.RegSvcs.exe.4254c1d.21.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.RegSvcs.exe.4e5c3a5.23.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.RegSvcs.exe.50d2682.31.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.RegSvcs.exe.4e50171.22.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.RegSvcs.exe.50d74b8.32.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.RegSvcs.exe.4f7af41.25.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.plugmanzx.exe.3b2ccf0.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.RegSvcs.exe.4e709d2.24.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0000000F.00000000.304626341.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000000.304191384.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.525855110.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.526281025.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000000.305001052.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.518339869.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.525364655.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.524023991.0000000004201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.525653853.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000000.303720416.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.311012265.0000000003A1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: plugmanzx.exe PID: 6396, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 5952, type: MEMORYSTR
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
    Execution: 1 Windows Management Instrumentation; 1 Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
    Persistence: 1 Scheduled Task/Job; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
    Privilege Escalation: 12 Process Injection; 1 Scheduled Task/Job; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
    Defense Evasion: 2 Masquerading; 11 Disable or Modify Tools; 21 Virtualization/Sandbox Evasion; 12 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Hidden Files and Directories; 2 Obfuscated Files or Information; 13 Software Packing
    Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
    Discovery: 1 Query Registry; 211 Security Software Discovery; 2 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery; Network Service Scanning
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
    Collection: 11 Input Capture; 11 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
    Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
    Behavior Graph ID: 558864 Sample: plugmanzx.exe Startdate: 24/01/2022 Architecture: WINDOWS Score: 100
    • DNS/IP: vijayikohli1.bounceme.net
    • Signature: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
    • Signature: Malicious sample detected (through community Yara rule)
    • Signature: Multi AV Scanner detection for dropped file
    • Signature: 14 other signatures
    • plugmanzx.exe 7 (started)
        • Dropped: C:\Users\user\AppData\Roaming\ZdNnwVcb.exe, PE32
        • Dropped: C:\Users\...\ZdNnwVcb.exe:Zone.Identifier, ASCII
        • Dropped: C:\Users\user\AppData\Local\...\tmp2B3E.tmp, XML
        • Dropped: C:\Users\user\AppData\...\plugmanzx.exe.log, ASCII
        • Signature: Uses schtasks.exe or at.exe to add and modify task schedules
        • Signature: Adds a directory exclusion to Windows Defender
        • RegSvcs.exe 1 14 (started)
            • DNS/IP: vijayikohli1.bounceme.net 103.153.78.234, 3132, 49775, 49779 TWIDC-AS-APTWIDCLimitedHK unknown
            • Dropped: C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO
            • Dropped: C:\Program Files (x86)\...\dhcpmon.exe, PE32
            • Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
            • schtasks.exe 1 (started)
                • conhost.exe (started)
            • schtasks.exe 1 (started)
                • conhost.exe (started)
        • powershell.exe 25 (started)
            • conhost.exe (started)
        • schtasks.exe 1 (started)
            • conhost.exe (started)
    • RegSvcs.exe 2 (started)
        • Dropped: C:\Users\user\AppData\...\RegSvcs.exe.log, ASCII
        • conhost.exe (started)
    • dhcpmon.exe (started)
        • conhost.exe (started)
    • dhcpmon.exe (started)
        • conhost.exe (started)

    Source | Detection | Scanner | Label
    plugmanzx.exe | 47% | Virustotal |
    plugmanzx.exe | 40% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot
    plugmanzx.exe | 100% | Joe Sandbox ML |

    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Roaming\ZdNnwVcb.exe | 100% | Joe Sandbox ML |
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Virustotal |
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |
    C:\Users\user\AppData\Roaming\ZdNnwVcb.exe | 47% | Virustotal |
    C:\Users\user\AppData\Roaming\ZdNnwVcb.exe | 40% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot

    Source | Detection | Scanner | Label
    15.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    15.0.RegSvcs.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    15.2.RegSvcs.exe.5a30000.36.unpack | 100% | Avira | TR/NanoCore.fadte
    15.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    15.0.RegSvcs.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    15.0.RegSvcs.exe.400000.2.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    15.0.RegSvcs.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    No Antivirus matches
    No Antivirus matches
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    vijayikohli1.bounceme.net | 103.153.78.234 | true | false | | high

    Name | Malicious | Antivirus Detection | Reputation
    0,0,245672528,0000000000498000,00000002,00000001,01000000,00000003,3,2C678C69C60A9225 | true | | low

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://google.com | RegSvcs.exe, 0000000F.00000002.525855110.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525364655.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525737739.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.522822443.000000000326E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.521751519.0000000001430000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.525653853.0000000004F71000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | plugmanzx.exe, 00000000.00000002.308524154.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, plugmanzx.exe, 00000000.00000002.308781771.0000000002B9B000.00000004.00000800.00020000.00000000.sdmp | false | | high
            IP | Domain | Country | Flag | ASN | ASN Name | Malicious
            103.153.78.234 | vijayikohli1.bounceme.net | unknown | | 134687 | TWIDC-AS-APTWIDCLimitedHK | false
            Joe Sandbox Version:34.0.0 Boulder Opal
            Analysis ID:558864
            Start date:24.01.2022
            Start time:15:37:47
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 14m 19s
            Hypervisor based Inspection enabled:false
            Report type:full
            Sample file name:plugmanzx.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:36
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@21/21@12/1
            EGA Information:
            • Successful, ratio: 60%
            HDC Information:
            • Successful, ratio: 1.5% (good quality ratio 0.9%)
            • Quality average: 43%
            • Quality standard deviation: 39.5%
            HCA Information:
            • Successful, ratio: 87%
            • Number of executed functions: 38
            • Number of non-executed functions: 3
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.54.104.15, 40.91.112.76
            • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
            • Execution Graph export aborted for target dhcpmon.exe, PID 1940 because there are no executed function
            • Execution Graph export aborted for target dhcpmon.exe, PID 4132 because it is empty
            • Not all processes were analyzed, report is missing behavior information
            • Report creation exceeded maximum time and may have missing disassembly code information.
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtDeviceIoControlFile calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            Time | Type | Description
            15:38:50 | API Interceptor | 1x Sleep call for process: plugmanzx.exe modified
            15:39:12 | API Interceptor | 37x Sleep call for process: powershell.exe modified
            15:39:28 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" s>$(Arg0)
            15:39:28 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            15:39:30 | API Interceptor | 678x Sleep call for process: RegSvcs.exe modified
            15:39:31 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):45152
            Entropy (8bit):6.149629800481177
            Encrypted:false
            SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
            MD5:2867A3817C9245F7CF518524DFD18F28
            SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
            SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
            SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
            Malicious:false
            Antivirus:
            • Antivirus: Virustotal, Detection: 0%, Browse
            • Antivirus: Metadefender, Detection: 0%, Browse
            • Antivirus: ReversingLabs, Detection: 0%
            Reputation:unknown
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            File Type:ASCII text, with CRLF line terminators
            Category:modified
            Size (bytes):142
            Entropy (8bit):5.090621108356562
            Encrypted:false
            SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
            MD5:8C0458BB9EA02D50565175E38D577E35
            SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
            SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
            SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
            Malicious:true
            Reputation:unknown
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
            Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            File Type:ASCII text, with CRLF line terminators
            Category:modified
            Size (bytes):142
            Entropy (8bit):5.090621108356562
            Encrypted:false
            SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
            MD5:8C0458BB9EA02D50565175E38D577E35
            SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
            SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
            SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
            Malicious:false
            Reputation:unknown
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
            Process:C:\Users\user\Desktop\plugmanzx.exe
            File Type:ASCII text, with CRLF line terminators
            Category:modified
            Size (bytes):1216
            Entropy (8bit):5.355304211458859
            Encrypted:false
            SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
            MD5:FED34146BF2F2FA59DCF8702FCC8232E
            SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
            SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
            SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
            Malicious:true
            Reputation:unknown
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):22160
            Entropy (8bit):5.604741390376867
            Encrypted:false
            SSDEEP:384:ctCDG0SkCc165byRYSBKnMjultI+77Y9g9SJ3xOT1Ma7ZlbAV7GWD65ZBDI+iiS:P51+/4KMClthf9cUCafwcVq
            MD5:3D66A200972253EFD3F41506F514FA25
            SHA1:A6E8CD02BD60CAC0C12B342F48C63C302F8948E2
            SHA-256:814D6E5651FDFDAF379AD7DF017F1D0C92043AD6D9103620C3D7993DF1D45148
            SHA-512:06D8B7F9776602C0841149A7B3762487DCE5075230C3737A414DD037DA367613A3D21D101355B0C9B1AFF5692FFD8E77E0B820ABCAE30FC7A54DB88CEA36537C
            Malicious:false
            Reputation:unknown
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Reputation:unknown
            Preview:1
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Reputation:unknown
            Preview:1
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1320
            Entropy (8bit):5.135668813522653
            Encrypted:false
            SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mXxtn:cbk4oL600QydbQxIYODOLedq3ZXj
            MD5:8CAD1B41587CED0F1E74396794F31D58
            SHA1:11054BF74FCF5E8E412768035E4DAE43AA7B710F
            SHA-256:3086D914F6B23268F8A12CB1A05516CD5465C2577E1D1E449F1B45C8E5E8F83C
            SHA-512:99C2EF89029DE51A866DF932841684B7FC912DF21E10E2DD0D09E400203BBDC6CBA6319A31780B7BF8B286D2CEA8EA3FC7D084348BF2F002AB4F5A34218CCBEF
            Malicious:false
            Reputation:unknown
            Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1310
            Entropy (8bit):5.109425792877704
            Encrypted:false
            SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
            MD5:5C2F41CFC6F988C859DA7D727AC2B62A
            SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
            SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
            SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
            Malicious:false
            Reputation:unknown
            Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
            Process:C:\Users\user\Desktop\plugmanzx.exe
            File Type:XML 1.0 document, ASCII text
            Category:dropped
            Size (bytes):1599
            Entropy (8bit):5.132635023580795
            Encrypted:false
            SSDEEP:24:2di4+S2qh/a1Kby1moqUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtMxvn:cgeCaYrFdOFzOzN33ODOiDdKrsuTMv
            MD5:B4F263ACB7AF1902CC8C885505F8F9CE
            SHA1:3227E2BCA0CC2CDE0C7418BB8E71A49F4F70DAAB
            SHA-256:06133FEBB60ED7D01606A57F5AD5BC02FA26DCC8097223EF7466DC00F3BF26F8
            SHA-512:DB02B4B9C42CE66E969C647FDCAA2808A0AF36ABB16F3404361DD2AFA92F4C9E181FAA379835E9828E2600396459CA27E463F81E5B825DEC74BDD46DA9C819E8
            Malicious:true
            Reputation:unknown
            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            File Type:data
            Category:dropped
            Size (bytes):232
            Entropy (8bit):7.024371743172393
            Encrypted:false
            SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
            MD5:32D0AAE13696FF7F8AF33B2D22451028
            SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
            SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
            SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
            Malicious:false
            Reputation:unknown
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            File Type:Non-ISO extended-ASCII text, with no line terminators
            Category:dropped
            Size (bytes):8
            Entropy (8bit):3.0
            Encrypted:false
            SSDEEP:3:wntn:wtn
            MD5:627C061FD220A043BEE79F74A0FE95BD
            SHA1:DA256F89A4A896887A5FE31F9365C827260FBC5C
            SHA-256:86CC0F6812D9BE9646C5D657C17CD91A79AC3A33D0C2F747F55DE7FC2C57B4A5
            SHA-512:E4010EDE0C289070C1C743E20D09078AAA4006983AE816F27ECCD0BB190E67401E03A4077D13E2CE078FAF43064337E4D0CF9CF2E0169FCE1AB9D42BBECFEF77
            Malicious:true
            Reputation:unknown
            Preview:1^.....H
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            File Type:data
            Category:dropped
            Size (bytes):40
            Entropy (8bit):5.221928094887364
            Encrypted:false
            SSDEEP:3:9bzY6oRDMjmPl:RzWDMCd
            MD5:AE0F5E6CE7122AF264EC533C6B15A27B
            SHA1:1265A495C42EED76CC043D50C60C23297E76CCE1
            SHA-256:73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
            SHA-512:DD44C2D24D4E3A0F0B988AD3D04683B5CB128298043134649BBE33B2512CE0C9B1A8E7D893B9F66FBBCDD901E2B0646C4533FB6C0C8C4AFCB95A0EFB95D446F8
            Malicious:false
            Reputation:unknown
            Preview:9iH...}Z.4..f..... 8.j....|.&X..e.F.*.
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            File Type:data
            Category:dropped
            Size (bytes):327432
            Entropy (8bit):7.99938831605763
            Encrypted:true
            SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
            MD5:7E8F4A764B981D5B82D1CC49D341E9C6
            SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
            SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
            SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
            Malicious:false
            Reputation:unknown
            Preview:pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):57
            Entropy (8bit):4.830795005765378
            Encrypted:false
            SSDEEP:3:oMty8WddSWA1KMNn:oMLW6WA1j
            MD5:08E799E8E9B4FDA648F2500A40A11933
            SHA1:AC76B5E20DED247803448A2F586731ED7D84B9F3
            SHA-256:D46E34924067EB071D1F031C0BC015F4B711EDCE64D8AE00F24F29E73ECB71DB
            SHA-512:5C5701A86156D573BE274E73615FD6236AC89630714863A4CB2639EEC8EC1BE746839EBF8A9AEBA0A9BE326AF6FA02D8F9BD7A93D3FFB139BADE945572DF5FE9
            Malicious:false
            Reputation:unknown
            Preview:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Process:C:\Users\user\Desktop\plugmanzx.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):473088
            Entropy (8bit):7.83796766223819
            Encrypted:false
            SSDEEP:12288:d3jmSsNIXVfqxWnvkrWOzAG30uYs8VGriQ:dySsNFcGzkJV
            MD5:7031570AA150B893F68A32900327B2AE
            SHA1:CAEB6580B9D33EEDEA97C7775AD0853A33A59B3A
            SHA-256:F515A9D2910DA428D7803AFC2244476A5B185F30361482CC1DD49670513281A5
            SHA-512:CFA535B9A5931D41E2177447D6A255ACFB97BA4A0672A776CD6B741515DD9F473CD834A8E119BD096934B954590A2368EECF62A1953C77A5DF7B8AB8152A8773
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: Virustotal, Detection: 47%, Browse
            • Antivirus: ReversingLabs, Detection: 40%
            Reputation:unknown
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{.a..............0..,...........J... ...`....@.. ....................................@.................................<J..O....`.. ............................................................................ ............... ..H............text....*... ...,.................. ..`.rsrc... ....`......................@..@.reloc...............6..............@..B................pJ......H.......`..........0...(...8............................................................................0..........*....0...........{....*..0............}....*.0..N........ =.G. ....a%..^E....'...............+%.{...... .*.Z ....a+.. ..T.Z ....a+..*...0..;........ TQs. c]i.a%..^E................+..{...... v._.Z w...a+..*..0.............}....*....0..;.........{..... .. .GJ.a%..^E................+.. x~..Z ...a+..*..0............}......}.....(!... ..$. .1.Wa%...^E....-......
            Process:C:\Users\user\Desktop\plugmanzx.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Reputation:unknown
            Preview:[ZoneTransfer]....ZoneId=0
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
            Category:dropped
            Size (bytes):5788
            Entropy (8bit):5.393324346946901
            Encrypted:false
            SSDEEP:96:BZl/AZNMqDo1ZBZ+/AZNMqDo1ZcwmojZ+/AZNMqDo1Zkp44aZi:c
            MD5:322EAB80A082DBF7468601BEE9B89D84
            SHA1:120C227A4DC7419A0F64FBAAD48A1EF08D2056F2
            SHA-256:5538E36B6AF96117170A0165424A8688EB63572F87171D7DD1D2E093D04B413F
            SHA-512:204C803D29E60D2147FEAE394D58CD58ACF6BC60E900ED2E9A9E1D54FFFD2CA6825C837E3B93CFBECB36E74D091B4F2FAE1F90521EE43BEB3EA685751D486887
            Malicious:false
            Reputation:unknown
            Preview:.**********************..Windows PowerShell transcript start..Start time: 20220124153911..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 302494 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ZdNnwVcb.exe..Process ID: 396..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220124153911..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ZdNnwVcb.exe..**********************..Windows PowerShell transcript start..Start time: 20220124154326..Username: computer\user..RunAs User: computer\alfo
            Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1141
            Entropy (8bit):4.44831826838854
            Encrypted:false
            SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
            MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
            SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
            SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
            SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
            Malicious:false
            Reputation:unknown
            Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):7.83796766223819
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Generic Win/DOS Executable (2004/3) 0.01%
            • DOS Executable Generic (2002/1) 0.01%
            File name:plugmanzx.exe
            File size:473088
            MD5:7031570aa150b893f68a32900327b2ae
            SHA1:caeb6580b9d33eedea97c7775ad0853a33a59b3a
            SHA256:f515a9d2910da428d7803afc2244476a5b185f30361482cc1dd49670513281a5
            SHA512:cfa535b9a5931d41e2177447d6a255acfb97ba4a0672a776cd6b741515dd9f473cd834a8e119bd096934b954590a2368eecf62a1953c77a5df7b8ab8152a8773
            SSDEEP:12288:d3jmSsNIXVfqxWnvkrWOzAG30uYs8VGriQ:dySsNFcGzkJV
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{.a..............0..,...........J... ...`....@.. ....................................@................................
            Icon Hash:00828e8e8686b000
            Entrypoint:0x474a8e
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Time Stamp:0x61EE7B07 [Mon Jan 24 10:10:15 2022 UTC]
            TLS Callbacks:
            CLR (.Net) Version:v4.0.30319
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
            Instruction
            jmp dword ptr [00402000h]
            add byte ptr [eax], al
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74a3c | 0x4f | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x620 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x78000 | 0xc | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x2000 | 0x72a94 | 0x72c00 | False | 0.906047879221 | data | 7.85251409286 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rsrc | 0x76000 | 0x620 | 0x800 | False | 0.3369140625 | data | 3.4742023417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x78000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country
            RT_VERSION | 0x760a0 | 0x390 | data | |
            RT_MANIFEST | 0x76430 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
            DLL | Import
            mscoree.dll | _CorExeMain
            Description | Data
            Translation | 0x0000 0x04b0
            LegalCopyright | 2008 Mazda Rustler
            Assembly Version | 1.0.4.0
            InternalName | BindableVectorToListAdapt.exe
            FileVersion | 1.0.0.0
            CompanyName | Mazda
            LegalTrademarks |
            Comments |
            ProductName | Yesterday's Records
            ProductVersion | 1.0.0.0
            FileDescription | Yesterday's Records
            OriginalFilename | BindableVectorToListAdapt.exe
            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
            01/24/22-15:39:33.697780 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 54791 | 8.8.8.8 | 192.168.2.5
            01/24/22-15:39:34.182180 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49775 | 3132 | 192.168.2.5 | 103.153.78.234
            01/24/22-15:39:40.311548 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50394 | 8.8.8.8 | 192.168.2.5
            01/24/22-15:39:41.080428 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49779 | 3132 | 192.168.2.5 | 103.153.78.234
            01/24/22-15:39:47.320846 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 53813 | 8.8.8.8 | 192.168.2.5
            01/24/22-15:39:47.671554 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49782 | 3132 | 192.168.2.5 | 103.153.78.234
            01/24/22-15:39:54.654419 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49790 | 3132 | 192.168.2.5 | 103.153.78.234
            01/24/22-15:40:01.488200 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 59261 | 8.8.8.8 | 192.168.2.5
            01/24/22-15:40:01.717451 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49791 | 3132 | 192.168.2.5 | 103.153.78.234
            01/24/22-15:40:08.749252 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49798 | 3132 | 192.168.2.5 | 103.153.78.234
            01/24/22-15:40:15.540029 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 51649 | 8.8.8.8 | 192.168.2.5
            01/24/22-15:40:15.761237 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49801 | 3132 | 192.168.2.5 | 103.153.78.234
            01/24/22-15:40:24.410691 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 65086 | 8.8.8.8 | 192.168.2.5
            01/24/22-15:40:24.846565 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49802 | 3132 | 192.168.2.5 | 103.153.78.234
            01/24/22-15:40:33.220353 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 64317 | 8.8.8.8 | 192.168.2.5
            01/24/22-15:40:33.465110 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49830 | 3132 | 192.168.2.5 | 103.153.78.234
            01/24/22-15:40:41.954242 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 61004 | 8.8.8.8 | 192.168.2.5
            01/24/22-15:40:42.207685 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49834 | 3132 | 192.168.2.5 | 103.153.78.234
            01/24/22-15:40:49.302272 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49835 | 3132 | 192.168.2.5 | 103.153.78.234
            01/24/22-15:40:55.320348 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 62372 | 8.8.8.8 | 192.168.2.5
            01/24/22-15:40:55.613006 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49836 | 3132 | 192.168.2.5 | 103.153.78.234
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Jan 24, 2022 15:39:48.796237946 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:48.796412945 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:48.796529055 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:48.796591043 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.019098043 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.019124985 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.019228935 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.019249916 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.019678116 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.019763947 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.020169973 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.020359993 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.020442009 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.020858049 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.021049976 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.021109104 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.217072010 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.241309881 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.241806984 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.241833925 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.241911888 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.241960049 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.241966963 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.242074966 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.242125034 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.242224932 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.242275953 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.242366076 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.242429972 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.242506981 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.242563009 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.242733955 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.242752075 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.242769003 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.242784023 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.242784977 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.242815971 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.242886066 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.242893934 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.243539095 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.243556976 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.243573904 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.243591070 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.243616104 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.243676901 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.463798046 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.463828087 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.463850975 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.463871956 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.463896036 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.463917971 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.463926077 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.463937044 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.463963032 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.463984966 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.464001894 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.464006901 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.464056015 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.464083910 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.464086056 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.464091063 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.464109898 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.464133978 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.464193106 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.464202881 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.464346886 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.464370966 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.464391947 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.464413881 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.464420080 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.464437008 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.464461088 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.464481115 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.464482069 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.464509964 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.464524031 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.464545965 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.464571953 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.464576960 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.464808941 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.466303110 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.466329098 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.466356993 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.466368914 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.466389894 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.466409922 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.466433048 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.466453075 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.466484070 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.466507912 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.466511965 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.685770035 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.685790062 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.685806036 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.685822964 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.685838938 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.685863018 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.685879946 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.685894012 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.685909986 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.685925007 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.685930967 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.685940981 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.685950041 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.685961962 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.685971975 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.685988903 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686005116 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686021090 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686039925 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686057091 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686073065 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686075926 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.686080933 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.686090946 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686106920 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686124086 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686139107 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686153889 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686161995 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.686166048 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.686171055 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686188936 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686206102 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686225891 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686233997 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686240911 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.686244011 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.686252117 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686269045 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686284065 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686300993 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686310053 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.686314106 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.686317921 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686333895 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686350107 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686366081 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686382055 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686393976 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.686398029 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.686398983 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686415911 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686430931 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.686466932 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.686471939 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.688659906 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.688678980 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.688694954 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.688711882 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.688730001 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.688744068 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.688760042 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.688775063 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.688774109 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.688795090 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.689723969 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.909040928 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909066916 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909084082 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909100056 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909117937 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909133911 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909149885 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909166098 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909182072 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909198046 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909214020 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909229994 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909248114 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909250975 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.909265041 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909285069 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909301996 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909318924 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909334898 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909352064 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909368992 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909384966 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909398079 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.909401894 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909404993 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.909419060 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909437895 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909452915 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909467936 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909476995 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.909481049 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.909485102 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909502029 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909518957 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909533978 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909548998 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909564018 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909569025 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.909574032 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.909581900 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909596920 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909612894 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909621954 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.909626961 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.909629107 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909646988 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909662008 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909677029 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.909693956 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.909698009 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.910258055 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.910463095 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.910480022 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.910492897 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.910505056 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.910545111 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.910587072 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.911587954 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.911608934 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.911624908 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.911643028 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.911655903 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:49.911674976 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:49.911746025 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.132428885 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132457018 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132473946 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132491112 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132508993 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132524967 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132541895 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132559061 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132571936 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132585049 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132602930 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132602930 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.132621050 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132639885 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132658005 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132675886 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132694960 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132704973 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.132711887 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.132714033 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132731915 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132750988 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132769108 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132778883 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.132786036 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132802963 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132818937 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132818937 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.132836103 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132848024 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.132853031 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132872105 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132889032 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132904053 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132920027 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132930040 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.132936001 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.132936001 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132953882 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132971048 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.132987022 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.133003950 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.133013964 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.133021116 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.133022070 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.133044958 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.133253098 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.133272886 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.133289099 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.133306026 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.133321047 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.133337021 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.133347034 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.133353949 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.133358955 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.133372068 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.133394003 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.133409023 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.133411884 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.133430004 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.133446932 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.133464098 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.133507013 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.133519888 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.247155905 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.354610920 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354633093 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354649067 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354665041 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354681969 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354701996 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354715109 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.354720116 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354737043 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354737997 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.354754925 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354773045 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354789972 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354801893 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.354806900 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354806900 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.354825974 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354841948 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354860067 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354875088 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354891062 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354902029 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.354907990 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.354907990 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354924917 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354940891 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354953051 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354954004 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.354959011 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.354970932 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354979992 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.354990005 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.355003119 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.355019093 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.355024099 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.355029106 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.355036020 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.355051994 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.355058908 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.355068922 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.355084896 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.355101109 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.355117083 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.355132103 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.355133057 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.355139017 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.355149031 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.355165005 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.355180025 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.355195999 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.355199099 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.355205059 CET497823132192.168.2.5103.153.78.234
            Jan 24, 2022 15:39:50.355214119 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.355231047 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:39:50.355247974 CET313249782103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:03.838601112 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:03.838628054 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:03.838640928 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:03.838660002 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:03.838669062 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:03.838681936 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:03.838704109 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:03.838705063 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:03.838726997 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:03.838747025 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:03.838756084 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:03.838768959 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:03.838788986 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:03.838809013 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:03.838818073 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:03.838829994 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:03.838850021 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:03.838860989 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:03.838901043 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.060899019 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.060945034 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.060971022 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.060995102 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.061017036 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.061041117 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.061064005 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.061088085 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.061110020 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.061134100 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.061148882 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.061196089 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.061494112 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.061522007 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.061547995 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.061573029 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.061597109 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.061619997 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.061723948 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.063280106 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063314915 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063339949 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063363075 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063366890 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.063388109 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063410997 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.063411951 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063438892 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063455105 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.063462973 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063487053 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063502073 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.063509941 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063534975 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063548088 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.063559055 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063590050 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063602924 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063605070 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.063622952 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063643932 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063666105 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063689947 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063713074 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063714981 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.063738108 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063759089 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.063760042 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063783884 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063796997 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.063807011 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063828945 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.063832045 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063854933 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063878059 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063884020 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.063903093 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063926935 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063927889 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.063950062 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063972950 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.063993931 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.063996077 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.064018965 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.064029932 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.064059973 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.285461903 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.285492897 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.285516024 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.285545111 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.285557985 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.285567999 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.285593033 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.285608053 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.285618067 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.285644054 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.285649061 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.285667896 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.285689116 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.285700083 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.285708904 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.285726070 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.285736084 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.285762072 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.285785913 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.285785913 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.285811901 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.285830975 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.285836935 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.285883904 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.288043022 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288079023 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288103104 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288134098 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288147926 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288172960 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288172960 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.288203955 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288203955 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.288229942 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288254976 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288258076 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.288280010 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288284063 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.288305044 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288320065 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.288330078 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288353920 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288374901 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288394928 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288414001 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288431883 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288455963 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288480997 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288491011 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.288506031 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288531065 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288536072 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.288554907 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288579941 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288580894 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.288593054 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.288604975 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288629055 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288651943 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288669109 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.288676977 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288697958 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288702011 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.288724899 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288738966 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.288749933 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288774967 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.288784981 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.289170980 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.289254904 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.342459917 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.509757996 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.509805918 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.509828091 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.509833097 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.509865046 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.509874105 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.509898901 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.509907961 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.509922028 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.509923935 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.509939909 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.509949923 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.509963036 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.509974957 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.509988070 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.509996891 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510010958 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.510021925 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510039091 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.510046005 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510059118 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.510071993 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510085106 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.510094881 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510116100 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.510117054 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510137081 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.510140896 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510153055 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.510165930 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510190010 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510193110 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.510205030 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.510226011 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510227919 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.510250092 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510266066 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.510273933 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510284901 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.510304928 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510313034 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.510328054 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510343075 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.510349989 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510368109 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.510373116 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510389090 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.510395050 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510417938 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510440111 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510447025 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.510462999 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510483980 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.510485888 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510504007 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.510509968 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510535955 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510535955 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.510581017 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.510677099 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.510725021 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.513653994 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.513684988 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.513705969 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.513726950 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.513747931 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.513750076 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.513772964 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.513776064 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.513797045 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.513813972 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.513819933 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.513843060 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.513886929 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.513892889 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.513902903 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.513909101 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.513931990 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.513956070 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.513961077 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.513978004 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.514003992 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.514020920 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.514039993 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.514046907 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.514048100 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.514051914 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.514074087 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.514075041 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.514105082 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.514107943 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.514128923 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.514138937 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.514153004 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.514156103 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.514174938 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.514177084 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.514198065 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.514204025 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.514214039 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.514225006 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.514238119 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.514250040 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.514262915 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.514276028 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.514287949 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.514301062 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.514312029 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.514327049 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.514342070 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.514350891 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.514363050 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.514375925 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.514390945 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.514400005 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.514414072 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.514424086 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.514437914 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.514446974 CET313249791103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:04.514460087 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:04.514483929 CET497913132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:08.452256918 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:08.670185089 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:08.670787096 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:08.749252081 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:08.977958918 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:08.983566046 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:09.202105045 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:09.345459938 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:09.628631115 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:09.703830004 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:09.972177029 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:09.976605892 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:09.976983070 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:09.977052927 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:09.978389025 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:09.978480101 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:09.978507042 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:10.196134090 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.196171045 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.196424961 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.196553946 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.196701050 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.196747065 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:10.196765900 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:10.197101116 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.197125912 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.197213888 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.198349953 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:10.198367119 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:10.392774105 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:10.416589022 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.416627884 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.416651964 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.416673899 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.416697025 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.416719913 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.416743040 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.416743994 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:10.416765928 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.416789055 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.416802883 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:10.416807890 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:10.416811943 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.416834116 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.416856050 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.416858912 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:10.416862965 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:10.416879892 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.416903019 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.416920900 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:10.416925907 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.416925907 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:10.416948080 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.416973114 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:10.417304993 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:10.634489059 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.634520054 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.634537935 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.634555101 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.634571075 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.634586096 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.634603977 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:10.634607077 CET497983132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:10.634620905 CET313249798103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.612790108 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.612817049 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.612818003 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.612847090 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.612855911 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.612878084 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.612905979 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.612909079 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.612936020 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.612950087 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.612988949 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.684422016 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.830038071 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.830315113 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.830420017 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.830439091 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.830496073 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.830547094 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.830549002 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.830601931 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.830653906 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.830662966 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.830717087 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.830765009 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.830766916 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.830818892 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.830867052 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.830868959 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.830921888 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.830969095 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.830971956 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.831024885 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.831075907 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.831075907 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.831125975 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.831176043 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.831182003 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.831233025 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.831279993 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.831284046 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.831336021 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.831382036 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.831384897 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.831437111 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.831486940 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.831501007 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.831557035 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.831609964 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.831609964 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.831665993 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.831717968 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.831727028 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.831780910 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.831830978 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.831831932 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.831887007 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.831938982 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.831943989 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.831994057 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.832056999 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.832057953 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.832112074 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.832163095 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.832164049 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.832207918 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.832240105 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.832285881 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.832293987 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.832344055 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.832353115 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.832403898 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.832453966 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.832469940 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.832520962 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.832566023 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.832571030 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.832623005 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.832669973 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.832672119 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.832727909 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.832783937 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:17.832787991 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.832839966 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:17.832892895 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.051871061 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.051935911 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.051986933 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.052037001 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.052062988 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.052098036 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.052109003 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.052153111 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.052202940 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.052213907 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.052268028 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.052333117 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.052334070 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.052395105 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.052443027 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.052448034 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.052500963 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.052548885 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.052551031 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.052604914 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.052653074 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.052654028 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.052705050 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.052753925 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.052764893 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.052815914 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.052864075 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.052865028 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.052917004 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.052973032 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.053003073 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.053009987 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.053061008 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.053066015 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.053116083 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.053164959 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.066023111 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.066049099 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.066063881 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.066083908 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.066106081 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.066128969 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.066150904 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.066152096 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.066169024 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.066195965 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.066203117 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.066221952 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.066225052 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.066241026 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.066258907 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.066273928 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.066293001 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.066298008 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.066318989 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.066334009 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.066356897 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.122811079 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.216739893 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.435791016 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.435831070 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.435868025 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.435898066 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.435933113 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.435961008 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.435987949 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.435990095 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.436017036 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436048031 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436062098 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.436079025 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436085939 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.436110020 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436131001 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.436141968 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436171055 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436186075 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.436199903 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436240911 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.436249971 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436274052 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436307907 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436331987 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.436337948 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436367035 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436381102 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.436397076 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436424971 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436436892 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.436446905 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436479092 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436491966 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.436506033 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436532974 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436543941 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.436563015 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436589003 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436602116 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.436618090 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436655045 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436672926 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436697960 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436700106 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.436726093 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.436732054 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436758995 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436784029 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.436785936 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436814070 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436827898 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.436841965 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436870098 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436881065 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.436898947 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436928034 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436938047 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.436955929 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.436983109 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.437001944 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.437011003 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.437048912 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.437062025 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.437077999 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.437103987 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.437122107 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.437131882 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.437160015 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.437171936 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.437189102 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.437227011 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.656702042 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.656743050 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.656775951 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.656804085 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.656835079 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.656863928 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.656898022 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.656936884 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.656945944 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.656975985 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.656980038 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.656985044 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.657011032 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657042027 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657058001 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.657068968 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657092094 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657124043 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657133102 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.657160997 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657172918 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.657195091 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657226086 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657237053 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.657260895 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657290936 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657301903 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.657321930 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657354116 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657363892 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.657392979 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657418013 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657434940 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.657458067 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657495022 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657497883 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.657525063 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657558918 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657568932 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.657584906 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657615900 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657629013 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.657643080 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657675982 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657705069 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.657711983 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657735109 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657767057 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657793999 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.657799959 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657824993 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.657830954 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657877922 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657911062 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.657912970 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657958031 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657993078 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.657998085 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.658014059 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.658031940 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.658051968 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.658075094 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.658101082 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.658123016 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.658149958 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.658162117 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.658181906 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.658184052 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.658227921 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.659115076 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.877404928 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.877439976 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.877463102 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.877484083 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.877507925 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.877532005 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.877532005 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.877556086 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.877563953 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.877569914 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.877579927 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.877588987 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.877604961 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.877629042 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.877629995 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.877651930 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.877655983 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.877677917 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.877684116 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.877701998 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.877701998 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.877727032 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.877727985 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.877746105 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.877753019 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.877778053 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.877778053 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.877795935 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.877826929 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.878267050 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.878297091 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.878319979 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.878345013 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.878351927 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.878367901 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.878370047 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.878374100 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.878395081 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.878397942 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.878413916 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.878426075 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.878438950 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.878451109 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.878470898 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.878478050 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:18.878489971 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.920980930 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:18.934461117 CET313249801103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:19.687016964 CET498013132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:24.412362099 CET498023132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:24.635072947 CET313249802103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:24.635273933 CET498023132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:24.846565008 CET498023132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:25.079750061 CET313249802103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:25.107167006 CET498023132192.168.2.5103.153.78.234
            Jan 24, 2022 15:40:25.330727100 CET313249802103.153.78.234192.168.2.5
            Jan 24, 2022 15:40:25.330863953 CET498023132192.168.2.5103.153.78.234
            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
            Jan 24, 2022 15:39:33.678895950 CET | 192.168.2.5 | 8.8.8.8 | 0x4b98 | Standard query (0) | vijayikohli1.bounceme.net | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:39:40.292270899 CET | 192.168.2.5 | 8.8.8.8 | 0xe457 | Standard query (0) | vijayikohli1.bounceme.net | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:39:47.301892042 CET | 192.168.2.5 | 8.8.8.8 | 0x9595 | Standard query (0) | vijayikohli1.bounceme.net | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:39:54.339354038 CET | 192.168.2.5 | 8.8.8.8 | 0xbf75 | Standard query (0) | vijayikohli1.bounceme.net | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:40:01.466717958 CET | 192.168.2.5 | 8.8.8.8 | 0xb30d | Standard query (0) | vijayikohli1.bounceme.net | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:40:08.432719946 CET | 192.168.2.5 | 8.8.8.8 | 0x81e7 | Standard query (0) | vijayikohli1.bounceme.net | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:40:15.520847082 CET | 192.168.2.5 | 8.8.8.8 | 0xdfcf | Standard query (0) | vijayikohli1.bounceme.net | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:40:24.389532089 CET | 192.168.2.5 | 8.8.8.8 | 0x26 | Standard query (0) | vijayikohli1.bounceme.net | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:40:33.201080084 CET | 192.168.2.5 | 8.8.8.8 | 0xc244 | Standard query (0) | vijayikohli1.bounceme.net | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:40:41.933178902 CET | 192.168.2.5 | 8.8.8.8 | 0x5c68 | Standard query (0) | vijayikohli1.bounceme.net | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:40:49.060704947 CET | 192.168.2.5 | 8.8.8.8 | 0xe54c | Standard query (0) | vijayikohli1.bounceme.net | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:40:55.299499035 CET | 192.168.2.5 | 8.8.8.8 | 0x5c3c | Standard query (0) | vijayikohli1.bounceme.net | A (IP address) | IN (0x0001)
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
            Jan 24, 2022 15:39:33.697779894 CET | 8.8.8.8 | 192.168.2.5 | 0x4b98 | No error (0) | vijayikohli1.bounceme.net | | 103.153.78.234 | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:39:40.311547995 CET | 8.8.8.8 | 192.168.2.5 | 0xe457 | No error (0) | vijayikohli1.bounceme.net | | 103.153.78.234 | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:39:47.320846081 CET | 8.8.8.8 | 192.168.2.5 | 0x9595 | No error (0) | vijayikohli1.bounceme.net | | 103.153.78.234 | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:39:54.358716965 CET | 8.8.8.8 | 192.168.2.5 | 0xbf75 | No error (0) | vijayikohli1.bounceme.net | | 103.153.78.234 | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:40:01.488199949 CET | 8.8.8.8 | 192.168.2.5 | 0xb30d | No error (0) | vijayikohli1.bounceme.net | | 103.153.78.234 | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:40:08.449841022 CET | 8.8.8.8 | 192.168.2.5 | 0x81e7 | No error (0) | vijayikohli1.bounceme.net | | 103.153.78.234 | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:40:15.540029049 CET | 8.8.8.8 | 192.168.2.5 | 0xdfcf | No error (0) | vijayikohli1.bounceme.net | | 103.153.78.234 | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:40:24.410691023 CET | 8.8.8.8 | 192.168.2.5 | 0x26 | No error (0) | vijayikohli1.bounceme.net | | 103.153.78.234 | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:40:33.220352888 CET | 8.8.8.8 | 192.168.2.5 | 0xc244 | No error (0) | vijayikohli1.bounceme.net | | 103.153.78.234 | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:40:41.954241991 CET | 8.8.8.8 | 192.168.2.5 | 0x5c68 | No error (0) | vijayikohli1.bounceme.net | | 103.153.78.234 | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:40:49.080655098 CET | 8.8.8.8 | 192.168.2.5 | 0xe54c | No error (0) | vijayikohli1.bounceme.net | | 103.153.78.234 | A (IP address) | IN (0x0001)
            Jan 24, 2022 15:40:55.320348024 CET | 8.8.8.8 | 192.168.2.5 | 0x5c3c | No error (0) | vijayikohli1.bounceme.net | | 103.153.78.234 | A (IP address) | IN (0x0001)


            Start time:15:38:46
            Start date:24/01/2022
            Path:C:\Users\user\Desktop\plugmanzx.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\plugmanzx.exe"
            Imagebase:0x420000
            File size:473088 bytes
            MD5 hash:7031570AA150B893F68A32900327B2AE
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.311012265.0000000003A1C000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.311012265.0000000003A1C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.311012265.0000000003A1C000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.308524154.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.308781771.0000000002B9B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            Reputation:low

            Start time:15:39:08
            Start date:24/01/2022
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZdNnwVcb.exe
            Imagebase:0xdf0000
            File size:430592 bytes
            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Reputation:high

            Start time:15:39:08
            Start date:24/01/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7ecfc0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Start time:15:39:09
            Start date:24/01/2022
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZdNnwVcb" /XML "C:\Users\user\AppData\Local\Temp\tmp2B3E.tmp
            Imagebase:0xad0000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Start time:15:39:10
            Start date:24/01/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7ecfc0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Start time:15:39:12
            Start date:24/01/2022
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Imagebase:0xcd0000
            File size:45152 bytes
            MD5 hash:2867A3817C9245F7CF518524DFD18F28
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000000.304626341.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000000.304626341.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000000.304626341.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.521794334.0000000001450000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.521794334.0000000001450000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.521832008.0000000001480000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.521832008.0000000001480000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000000.304191384.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000000.304191384.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000000.304191384.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.525855110.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.525855110.00000000050D2000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.525737739.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.526281025.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.526281025.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.526281025.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.521778543.0000000001440000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.521778543.0000000001440000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.521862470.00000000014C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.521862470.00000000014C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000000.305001052.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000000.305001052.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000000.305001052.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.520201704.0000000001270000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.520201704.0000000001270000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.521819671.0000000001470000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.521819671.0000000001470000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.521545573.00000000013E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.521545573.00000000013E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.521751519.0000000001430000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.521751519.0000000001430000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.518339869.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.518339869.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.518339869.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.521729554.0000000001420000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.521729554.0000000001420000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.525364655.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.525364655.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.521673024.0000000001400000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.521673024.0000000001400000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.522822443.000000000326E000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.524023991.0000000004201000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.524023991.0000000004201000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.525653853.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.525653853.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.526212800.0000000005980000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.526212800.0000000005980000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.521716903.0000000001410000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.521716903.0000000001410000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000000.303720416.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000000.303720416.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000000.303720416.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.518644144.0000000001260000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.518644144.0000000001260000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
            Reputation:high

            Start time:15:39:26
            Start date:24/01/2022
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp1F0B.tmp
            Imagebase:0xad0000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Start time:15:39:26
            Start date:24/01/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7ecfc0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Start time:15:39:28
            Start date:24/01/2022
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp2862.tmp
            Imagebase:0xad0000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Start time:15:39:28
            Start date:24/01/2022
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
            Imagebase:0x570000
            File size:45152 bytes
            MD5 hash:2867A3817C9245F7CF518524DFD18F28
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET

            Start time:15:39:29
            Start date:24/01/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7ecfc0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Start time:15:39:29
            Start date:24/01/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7ecfc0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Start time:15:39:31
            Start date:24/01/2022
            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            Wow64 process (32bit):true
            Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
            Imagebase:0xd40000
            File size:45152 bytes
            MD5 hash:2867A3817C9245F7CF518524DFD18F28
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Antivirus matches:
            • Detection: 0%, Virustotal, Browse
            • Detection: 0%, Metadefender, Browse
            • Detection: 0%, ReversingLabs

            Start time:15:39:32
            Start date:24/01/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7ecfc0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Start time:15:39:36
            Start date:24/01/2022
            Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
            Wow64 process (32bit):true
            Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
            Imagebase:0x4c0000
            File size:45152 bytes
            MD5 hash:2867A3817C9245F7CF518524DFD18F28
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET

            Start time:15:39:37
            Start date:24/01/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7ecfc0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language


              Execution Graph

              Execution Coverage:10.8%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:118
              Total number of Limit Nodes:7

              Control-flow Graph

              APIs
              • GetCurrentProcess.KERNEL32 ref: 00E3BA30
              • GetCurrentThread.KERNEL32 ref: 00E3BA6D
              • GetCurrentProcess.KERNEL32 ref: 00E3BAAA
              • GetCurrentThreadId.KERNEL32 ref: 00E3BB03
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.307978039.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_plugmanzx.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID: H
              • API String ID: 2063062207-1105002124
              • Opcode ID: 3b13d14c4ec6720285ac46a2c282b84cd5b11ed28287846ce282c59e21352054
              • Instruction ID: 21594b80c8ec5ccd5d1bb624c273dbe43f82f1dbd684580ca139c35d4348531a
              • Opcode Fuzzy Hash: 3b13d14c4ec6720285ac46a2c282b84cd5b11ed28287846ce282c59e21352054
              • Instruction Fuzzy Hash: AF6174B0D016488FDB14DFA9C549BEEBBF4AF89308F2488A9E009B7350D7709945CF66
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetCurrentProcess.KERNEL32 ref: 00E3BA30
              • GetCurrentThread.KERNEL32 ref: 00E3BA6D
              • GetCurrentProcess.KERNEL32 ref: 00E3BAAA
              • GetCurrentThreadId.KERNEL32 ref: 00E3BB03
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.307978039.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_plugmanzx.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID: H
              • API String ID: 2063062207-1105002124
              • Opcode ID: 6b9dca75f3cfe33102d02133785a337874cfe8ee1b90b3935aa8a4e1ba2629d6
              • Instruction ID: 637157576562906f15fd8180713cbe5479d022f1b73f97a162e96c386bb5a7e0
              • Opcode Fuzzy Hash: 6b9dca75f3cfe33102d02133785a337874cfe8ee1b90b3935aa8a4e1ba2629d6
              • Instruction Fuzzy Hash: 6E5143B0D006488FDB14CFAAC549BDEBBF4AF88318F248869E51AB7350D7749845CF66
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 00E3992E
              Memory Dump Source
              • Source File: 00000000.00000002.307978039.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_plugmanzx.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 09ecd816c9a63cd8c5895fcb15d91db6e96904285ae4dc76ead434ae859fd4c1
              • Instruction ID: 44b80c01fb0d81ec394bf2a11ff98027e3939170d2eb1d268be24fb1adcbb77a
              • Opcode Fuzzy Hash: 09ecd816c9a63cd8c5895fcb15d91db6e96904285ae4dc76ead434ae859fd4c1
              • Instruction Fuzzy Hash: FD713670A00B058FD724DF6AD14879ABBF5BF88304F00892EE48AE7A51DB75E945CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • CreateActCtxA.KERNEL32(?), ref: 00E35679
              Memory Dump Source
              • Source File: 00000000.00000002.307978039.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_plugmanzx.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 7bbf4506c781244ceec8a97ee93fecb95ecb609729a1b93d92f93ebcc81dfb83
              • Instruction ID: acc36f423672be298bdeba4cb212d92a6c611f306eb9557efb86da8e4bdc13fb
              • Opcode Fuzzy Hash: 7bbf4506c781244ceec8a97ee93fecb95ecb609729a1b93d92f93ebcc81dfb83
              • Instruction Fuzzy Hash: 454104B1C00618CFDB14DFA5C9847DEBBB9BF49308F24846AD409AB250D7756946CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • CreateActCtxA.KERNEL32(?), ref: 00E35679
              Memory Dump Source
              • Source File: 00000000.00000002.307978039.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_plugmanzx.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 0f60ead30526cd5716b31cc2983e68fbc54065922505347e376349009569e969
              • Instruction ID: daf125621fbce69db6362b63453fb56e49c876a015a9962099c8f48e32deb471
              • Opcode Fuzzy Hash: 0f60ead30526cd5716b31cc2983e68fbc54065922505347e376349009569e969
              • Instruction Fuzzy Hash: 494103B1C00718CBDB14DFA5C9887CEBBB9BF49308F64846AD409BB250D7716945CF90
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E3C087
              Memory Dump Source
              • Source File: 00000000.00000002.307978039.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_plugmanzx.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 32ea80b7c9ff1290c4c1d8db8aa27fa907b322fe7384710ee46e59403d8e0cca
              • Instruction ID: 77e5fd2083aa3d82e267cdb24f4ff2db40b808be0e3014acc9cb22e8045ccd05
              • Opcode Fuzzy Hash: 32ea80b7c9ff1290c4c1d8db8aa27fa907b322fe7384710ee46e59403d8e0cca
              • Instruction Fuzzy Hash: 8721D6B5D00348DFDB10CFA9D484AEEBBF9AB48324F14841AE954B7310D374A955CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E3C087
              Memory Dump Source
              • Source File: 00000000.00000002.307978039.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_plugmanzx.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 0bfe5c651ad870c516f14156f80f8b42175ea2339a9e2ba53ac6388bde86505f
              • Instruction ID: 4a644bc28e805f2067893dd64724937e756b42e76c8fce026e7d1da1c31bc43b
              • Opcode Fuzzy Hash: 0bfe5c651ad870c516f14156f80f8b42175ea2339a9e2ba53ac6388bde86505f
              • Instruction Fuzzy Hash: DC21B5B5900248DFDB10CFAAD484ADEBBF9EF48324F14841AE954B7310D374A954CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E399A9,00000800,00000000,00000000), ref: 00E39BBA
              Memory Dump Source
              • Source File: 00000000.00000002.307978039.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_plugmanzx.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 8acbbe0fe45c865fb0145024834cca60f682aa115d15530ecb4fcb973fe68510
              • Instruction ID: 482d5f5a699de8511555c77f02e6c95f519740dc335cfd98c89cadd768ccd82d
              • Opcode Fuzzy Hash: 8acbbe0fe45c865fb0145024834cca60f682aa115d15530ecb4fcb973fe68510
              • Instruction Fuzzy Hash: 432117B5D002099FDB10CFAAD444AEEFBF5AF88324F14842ED455B7601C3B5A945CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E399A9,00000800,00000000,00000000), ref: 00E39BBA
              Memory Dump Source
              • Source File: 00000000.00000002.307978039.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_plugmanzx.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 776a2249cfd016216fac0610d30694e9aa1aead77230fed39cec677523679e3c
              • Instruction ID: 86cfd7119805ab5eda21d90cd8ce2b3aad64c4caba143501de1fe792a2020916
              • Opcode Fuzzy Hash: 776a2249cfd016216fac0610d30694e9aa1aead77230fed39cec677523679e3c
              • Instruction Fuzzy Hash: 4B1106B19002089FCB10CF9AD448BDEFBF4AB88324F14842AE515B7600C3B5A945CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 00E3992E
              Memory Dump Source
              • Source File: 00000000.00000002.307978039.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_plugmanzx.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: e57ae6e20d0c59f567f317c70a330e177ead4d79a89231d6257141156f7fe7a2
              • Instruction ID: 8cf85bd29cae924ffe249c140a049d6252198fc5234ca2c29aa8c9ba02e404a9
              • Opcode Fuzzy Hash: e57ae6e20d0c59f567f317c70a330e177ead4d79a89231d6257141156f7fe7a2
              • Instruction Fuzzy Hash: 0111E0B5C006498FDB10CF9AC448BDEFBF8AF88328F14852AD859B7600D3B5A545CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.307978039.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_plugmanzx.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ffab04199a1e661204a284381d38182f9651a0e0378205b4ac80a83bb6109951
              • Instruction ID: b4b43cb4aa55b6aa84dad726665f49dbb7cc5decd85925801333ddbbc502fee6
              • Opcode Fuzzy Hash: ffab04199a1e661204a284381d38182f9651a0e0378205b4ac80a83bb6109951
              • Instruction Fuzzy Hash: 7F1286F2411F46CEE718CF66ECA85893B61B74532AF904B09D2653A6F2D7B8114ECF84
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.307978039.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_plugmanzx.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 22f8763896c114a5135fc9b44d922fde77e5f660c089205ea99b1047bc4f2558
              • Instruction ID: 110f734554f9736c74303c1e47842c40e5220cb6dc0ff2be729823898feddafb
              • Opcode Fuzzy Hash: 22f8763896c114a5135fc9b44d922fde77e5f660c089205ea99b1047bc4f2558
              • Instruction Fuzzy Hash: 3BA15932E006198FCF05DFA5D98859EBBF2FF85304F15956AE906BB261EB31A905CB40
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.307978039.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_e30000_plugmanzx.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c224acf35a0cd129ffa39a16006e167ab10dc1965131308e852dd607acc9ec79
              • Instruction ID: d813377df5dd4d12d81e3ef86817bd40d7f982b7be4536849126d58fa3dc79dc
              • Opcode Fuzzy Hash: c224acf35a0cd129ffa39a16006e167ab10dc1965131308e852dd607acc9ec79
              • Instruction Fuzzy Hash: 85C1F8B2811B46CFD718CF66ECA81897B71BB8532AF514B08D1617B6E2D7B8114ECF84
              Uniqueness

              Uniqueness Score: -1.00%

              Execution Graph

              Execution Coverage:10.3%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:91
              Total number of Limit Nodes:7

              Control-flow Graph

              APIs
              • GetCurrentProcess.KERNEL32 ref: 0317B730
              • GetCurrentThread.KERNEL32 ref: 0317B76D
              • GetCurrentProcess.KERNEL32 ref: 0317B7AA
              • GetCurrentThreadId.KERNEL32 ref: 0317B803
              Memory Dump Source
              • Source File: 0000000F.00000002.522560076.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_3170000_RegSvcs.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: 20e1b74dc5e99d317fbed1e741b72201b15b943944372bcfdf2236ec6d07be1d
              • Instruction ID: c3b324ac1440fc5d131fe2e2fb6136da34d262143f9b0cd567c2d55f193a0a62
              • Opcode Fuzzy Hash: 20e1b74dc5e99d317fbed1e741b72201b15b943944372bcfdf2236ec6d07be1d
              • Instruction Fuzzy Hash: B15144B09002488FDB14CFA9D688BDEBBF4BF48314F24845AE409B7390D7749848CF66
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetCurrentProcess.KERNEL32 ref: 0317B730
              • GetCurrentThread.KERNEL32 ref: 0317B76D
              • GetCurrentProcess.KERNEL32 ref: 0317B7AA
              • GetCurrentThreadId.KERNEL32 ref: 0317B803
              Memory Dump Source
              • Source File: 0000000F.00000002.522560076.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_3170000_RegSvcs.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: 113340a1679d77c42467dfdf255afe80ec7832959d0d6d4c9fe37f5461f39574
              • Instruction ID: 572920b49f5dbd2a12a4ff6df5fbfc64d4ce05fdcc2422658c53bf830db65d12
              • Opcode Fuzzy Hash: 113340a1679d77c42467dfdf255afe80ec7832959d0d6d4c9fe37f5461f39574
              • Instruction Fuzzy Hash: 485122B09006498FDB14CFA9D648BDEBBF5BF88314F24845AE419A7390D774A884CF66
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • GetModuleHandleW.KERNEL32(00000000), ref: 0317962E
              Memory Dump Source
              • Source File: 0000000F.00000002.522560076.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_3170000_RegSvcs.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: a7cdbe27d405b8f16da820f5a402f82dff7f2c094dc1097645c24f9c081c7b36
              • Instruction ID: 0b4f96c544c59c3e3d0fb52b09c6053641c1d8e5fbcc446acde6dbc259cca574
              • Opcode Fuzzy Hash: a7cdbe27d405b8f16da820f5a402f82dff7f2c094dc1097645c24f9c081c7b36
              • Instruction Fuzzy Hash: B27147B0A00B058FD724DF69D54579AB7F5FF88214F088A2ED48ADBA50D734E849CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0317FD0A
              Memory Dump Source
              • Source File: 0000000F.00000002.522560076.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_3170000_RegSvcs.jbxd
              Similarity
              • API ID: CreateWindow
              • String ID:
              • API String ID: 716092398-0
              • Opcode ID: f4ae6bff3a02980f630baeba87214ec22f097309964317d5f4afd8756a0aedca
              • Instruction ID: abd573a2f9a39e9dacda8b5c06603ee3616b14a496caa75007d3d7f972871f07
              • Opcode Fuzzy Hash: f4ae6bff3a02980f630baeba87214ec22f097309964317d5f4afd8756a0aedca
              • Instruction Fuzzy Hash: C451B1B5D00308DFDB14CFA9D884ADEBBB5FF48314F28852AE819AB210D7749945CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0317FD0A
              Memory Dump Source
              • Source File: 0000000F.00000002.522560076.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_3170000_RegSvcs.jbxd
              Similarity
              • API ID: CreateWindow
              • String ID:
              • API String ID: 716092398-0
              • Opcode ID: 3aa182887829c80697fcccbb26d818a2a924255e202d8013a927b60a14d62c84
              • Instruction ID: 0e8d2ffad9892199be5ebb66d6721bb7058197ff9de3f19e719eee6d54407369
              • Opcode Fuzzy Hash: 3aa182887829c80697fcccbb26d818a2a924255e202d8013a927b60a14d62c84
              • Instruction Fuzzy Hash: 9B41B0B1D003099FDB14CF99D884ADEFBB5FF48314F28812AE819AB210D7749945CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0317BD87
              Memory Dump Source
              • Source File: 0000000F.00000002.522560076.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_3170000_RegSvcs.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 4be66b4776c219055686c3f8092a75a03d5b4ed9c7ce99d487ee52a4193371d4
              • Instruction ID: 12e41285253be1d86be3215a0ea7bf0ad803c63edb39b64dfc08bb8d69a24d5a
              • Opcode Fuzzy Hash: 4be66b4776c219055686c3f8092a75a03d5b4ed9c7ce99d487ee52a4193371d4
              • Instruction Fuzzy Hash: E621E5B59012089FDB00CFA9D984AEEBBF5FF48324F18841AE954A7310D378A954CF61
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0317BD87
              Memory Dump Source
              • Source File: 0000000F.00000002.522560076.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_3170000_RegSvcs.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: f805e513ea36aa54ee7243fb6eab58442c744f5d9e14be7000cb6cf9fc7d5e7a
              • Instruction ID: 3668ed8a67aef401ef2719c3f2f04ef118a40cdc7b7f9297c6f7e53e337a9afe
              • Opcode Fuzzy Hash: f805e513ea36aa54ee7243fb6eab58442c744f5d9e14be7000cb6cf9fc7d5e7a
              • Instruction Fuzzy Hash: 8121C4B59002089FDB10CFA9D984ADEFBF9FF48324F14841AE914A7350D378A954CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,031796A9,00000800,00000000,00000000), ref: 031798BA
              Memory Dump Source
              • Source File: 0000000F.00000002.522560076.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_3170000_RegSvcs.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 6dba137744f98865dc7abb18e0d7f27a9784aca2c3202002b1622057933f0280
              • Instruction ID: cd39d4dc96306f68ce0289a7f37ba37497f4e5ae2d932616a829a969e4dc1881
              • Opcode Fuzzy Hash: 6dba137744f98865dc7abb18e0d7f27a9784aca2c3202002b1622057933f0280
              • Instruction Fuzzy Hash: 6211D6B5D002099FDB14CF9AD444ADEFBF4EB48324F18842AD915B7600D375A549CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,031796A9,00000800,00000000,00000000), ref: 031798BA
              Memory Dump Source
              • Source File: 0000000F.00000002.522560076.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_3170000_RegSvcs.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 0af92b04a05534c20c11f5f6edcbeb3efcf69915e9a843e3e4d02fb28b779a74
              • Instruction ID: 76e1e9d20816be5b5f8b1d20c1b5b2e6b0d4223a8249abf768478aa836ff45dc
              • Opcode Fuzzy Hash: 0af92b04a05534c20c11f5f6edcbeb3efcf69915e9a843e3e4d02fb28b779a74
              • Instruction Fuzzy Hash: 5411D0B6D002099FDB10CFA9D584BDEFBF4AF58324F18882AD915A7600C378A549CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetModuleHandleW.KERNEL32(00000000), ref: 0317962E
              Memory Dump Source
              • Source File: 0000000F.00000002.522560076.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_3170000_RegSvcs.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 8991d9ac8977e5f2c4e1b38dc51ebb97a0521cd326ae6d637dc164ddd81dda2d
              • Instruction ID: ccf8f9507d164f39fa1017d1a7a267794610412db3417cbc4b9e24e1f30c7e10
              • Opcode Fuzzy Hash: 8991d9ac8977e5f2c4e1b38dc51ebb97a0521cd326ae6d637dc164ddd81dda2d
              • Instruction Fuzzy Hash: 121113B5C002098FCB20CF9AC444BDEFBF4EF88224F18852AD819A7600D378A549CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetWindowLongW.USER32(?,?,?), ref: 0317FE9D
              Memory Dump Source
              • Source File: 0000000F.00000002.522560076.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_3170000_RegSvcs.jbxd
              Similarity
              • API ID: LongWindow
              • String ID:
              • API String ID: 1378638983-0
              • Opcode ID: 7f723075763bfe932d6c004a8e5e186d3d74c997eb3af8fb549d8a97fe59c379
              • Instruction ID: 754893f6387762e1e30ccf5b51ce9e7f2b8fd91eef7d37de56811ad195848578
              • Opcode Fuzzy Hash: 7f723075763bfe932d6c004a8e5e186d3d74c997eb3af8fb549d8a97fe59c379
              • Instruction Fuzzy Hash: F01122B5800208CFDB10CF99D485BDFBBF8EB48324F14841AE814A7600C378A944CFA2
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetWindowLongW.USER32(?,?,?), ref: 0317FE9D
              Memory Dump Source
              • Source File: 0000000F.00000002.522560076.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_3170000_RegSvcs.jbxd
              Similarity
              • API ID: LongWindow
              • String ID:
              • API String ID: 1378638983-0
              • Opcode ID: 2d15e3e3ec0c868b44c6e8d391313b1cd66578adcac1ca53fab258724f585657
              • Instruction ID: a798c4bf4038dac7867eff7c70e882b33369b0344d8ebbf997fd40178f4caed8
              • Opcode Fuzzy Hash: 2d15e3e3ec0c868b44c6e8d391313b1cd66578adcac1ca53fab258724f585657
              • Instruction Fuzzy Hash: F81100B58002089FDB10CF99D585BDFFBF8EB48324F14841AE914A7640C378A944CFA2
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000F.00000002.521900371.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_14ed000_RegSvcs.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f618e02cf30e9d77024d014ad997c5ffed041df135be0f1865dac7144a8accbc
              • Instruction ID: 3fb5961d6775b55de4e27302442b71bdc3e5abaafca13b0b647e87453c2e3bdc
              • Opcode Fuzzy Hash: f618e02cf30e9d77024d014ad997c5ffed041df135be0f1865dac7144a8accbc
              • Instruction Fuzzy Hash: C22103B1904240DFCB15CF94D9C8B26BFA5FB84269F28C9AAD8490B356C336D847CA61
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000000F.00000002.521900371.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_14ed000_RegSvcs.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7350c9955ed1114f9ac528c6c83fd77e33d0ccf29141a1030b3a4c4c8860fba2
              • Instruction ID: 843da90c78b0eb344e45c035781b88f61597ced0abaa5d536733f4ac7026c3d9
              • Opcode Fuzzy Hash: 7350c9955ed1114f9ac528c6c83fd77e33d0ccf29141a1030b3a4c4c8860fba2
              • Instruction Fuzzy Hash: 752180755093808FCB03CF64D994716BFB1EB46214F28C5DBD8498B667C33A980ACB62
              Uniqueness

              Uniqueness Score: -1.00%

              Execution Graph

              Execution Coverage:13%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:26
              Total number of Limit Nodes:0

              APIs
              • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 00F21BEB
              Memory Dump Source
              • Source File: 00000016.00000002.341717568.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_f20000_RegSvcs.jbxd
              Similarity
              • API ID: PathSearch
              • String ID:
              • API String ID: 2203818243-0
              • Opcode ID: c868723021dbb4c11c3d0ae49eadac4eb5ae11e5c7b2f67650a12471b0aa4a10
              • Instruction ID: 8cf733fdbda2cfd5904b488f36c07dad983a4d8e40489e8289509cd1e05a4567
              • Opcode Fuzzy Hash: c868723021dbb4c11c3d0ae49eadac4eb5ae11e5c7b2f67650a12471b0aa4a10
              • Instruction Fuzzy Hash: 2E714775D002289FDB24CF99D884ADEBBF1FF98324F248429E819AB350D734A945DF85
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 00F21BEB
              Memory Dump Source
              • Source File: 00000016.00000002.341717568.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_f20000_RegSvcs.jbxd
              Similarity
              • API ID: PathSearch
              • String ID:
              • API String ID: 2203818243-0
              • Opcode ID: 2f02fcb7c3473b1f38a5e2d8408479ad06c43bbcf3a836243ff377f030b8e261
              • Instruction ID: 74f89c8be3bbfd3d7e8810bcbf9e901d7d61aaf5daa6583838d0f5f51e339560
              • Opcode Fuzzy Hash: 2f02fcb7c3473b1f38a5e2d8408479ad06c43bbcf3a836243ff377f030b8e261
              • Instruction Fuzzy Hash: 16713475D002289FDB24CF99D984ADDBBB1FF88324F24812DE819AB350D734A945CF85
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 00F21BEB
              Memory Dump Source
              • Source File: 00000016.00000002.341717568.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_22_2_f20000_RegSvcs.jbxd
              Similarity
              • API ID: PathSearch
              • String ID:
              • API String ID: 2203818243-0
              • Opcode ID: 517758a983cf60a2076b02589f2d3711d32d69700a3b498cd133d3f051a706b6
              • Instruction ID: e3e6c57b15246b5660398c88d4873ab3059f2a0b00e7372d804f73b8581e09c4
              • Opcode Fuzzy Hash: 517758a983cf60a2076b02589f2d3711d32d69700a3b498cd133d3f051a706b6
              • Instruction Fuzzy Hash: 9F712275D002289FDB24CF99D984ADEBBF1FF88324F248029E819AB350D734A945DF85
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 0000001C.00000002.359892486.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_d20000_dhcpmon.jbxd
              Similarity
              • API ID:
              • String ID: $,Ui
              • API String ID: 0-3437307932
              • Opcode ID: 3d69cc8475073f1f80de507ae98c4137479146c1f7edcf391dccda00b7837dfe
              • Instruction ID: 42a4e823e5d042880cb4735c54288e7b143b371f57fa4327a3fb0ea3b6378d2d
              • Opcode Fuzzy Hash: 3d69cc8475073f1f80de507ae98c4137479146c1f7edcf391dccda00b7837dfe
              • Instruction Fuzzy Hash: 32329E387016118FCB19EF64E99466E73B2AFD8309B24896DD54687398DB31EC43CB91
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000001C.00000002.359892486.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_d20000_dhcpmon.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b1137a651da9f9a31505af2d3068c4caf773cf485af73b80fc3639abf90053cb
              • Instruction ID: 107cd53a00a78f641b37588537f2b130750140cc4bb830b38436f50b21561d4f
              • Opcode Fuzzy Hash: b1137a651da9f9a31505af2d3068c4caf773cf485af73b80fc3639abf90053cb
              • Instruction Fuzzy Hash: 7E310835A01254CFDB15DBA0E918BDA7FF2AF98318F0C846AC44267662CF709DC6DB90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000001C.00000002.359892486.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_d20000_dhcpmon.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 28b5b62c6d83c563470424742415fcae39702459388d82df39829e86307b5122
              • Instruction ID: 87761eab219f3b4f24da2a84db3f724cc65367a1cb2aa74d6288741dea063235
              • Opcode Fuzzy Hash: 28b5b62c6d83c563470424742415fcae39702459388d82df39829e86307b5122
              • Instruction Fuzzy Hash: 8F71C139B006448FCB15DFA4D458A9EBBF2AF98304F18C529D446676A5DF70EC82CB90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000001C.00000002.359892486.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_d20000_dhcpmon.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6194394099918c2bd7a43c804c69b92b0375f4b9113204b4d43a61049dc5d87d
              • Instruction ID: b217313917bf896a602ccba39046bf13739bb16e447438fa1a84b12915595f64
              • Opcode Fuzzy Hash: 6194394099918c2bd7a43c804c69b92b0375f4b9113204b4d43a61049dc5d87d
              • Instruction Fuzzy Hash: 6D315A797402108FC719EBB8D46892D37E2AF9A61935548BDE402CF3B2DB36DC42CB90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000001C.00000002.359892486.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_d20000_dhcpmon.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 654df4ead8c50b8fece45532a27cb6ab75e9aa7df1f80e5a145f285a27323749
              • Instruction ID: ca4a9c2ff7113101007337c889b14c11dc614627f6d0a4a9bf31ad79aeb8e9fb
              • Opcode Fuzzy Hash: 654df4ead8c50b8fece45532a27cb6ab75e9aa7df1f80e5a145f285a27323749
              • Instruction Fuzzy Hash: 842107797501108FC758EBB8D06892D33E2AF9961935148BCE106CF372DB32DC82CB90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000001C.00000002.359892486.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_d20000_dhcpmon.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: af919481f13360150d00c6c05e3abb2bab4198ec8b02a6b76db5af0752e3bae4
              • Instruction ID: 6e9876dd48219b23a2544b1d26fa8ce3880301cfb1223f50307bc8efdd4ef8ad
              • Opcode Fuzzy Hash: af919481f13360150d00c6c05e3abb2bab4198ec8b02a6b76db5af0752e3bae4
              • Instruction Fuzzy Hash: 4611C479E00205CFCB44DFB4D9449DEFBB1FF89210B1086AAE51997621E7309915CB90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000001C.00000002.359892486.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_d20000_dhcpmon.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b7b344cc89c8a3abe73b06ceb4067741563ce6fdd1b9781ae6f65fe1b29626de
              • Instruction ID: 0b4a93edeee8521d90efe3e3aa1a3943aaec71faa6b319848d19ecdcabb50e46
              • Opcode Fuzzy Hash: b7b344cc89c8a3abe73b06ceb4067741563ce6fdd1b9781ae6f65fe1b29626de
              • Instruction Fuzzy Hash: EE015E79E012059FCB44EFB8D8448AEFBB5FF8921071086AAE51997221EB31A915CB90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000001C.00000002.359892486.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_d20000_dhcpmon.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 16253d9c6eac1a4a7dff720819f47b59b5d0b7df5419c5f09f95d8aad9bcae67
              • Instruction ID: ba66aad68c18d7cca48880288a1c41d94b62abb0528486ca7bb1d66812d9eed2
              • Opcode Fuzzy Hash: 16253d9c6eac1a4a7dff720819f47b59b5d0b7df5419c5f09f95d8aad9bcae67
              • Instruction Fuzzy Hash: 30F09060A0E3C45FC7429BB4AB312D97FB0AD47200B1D44EBC8C5D7223D2204A1BD7A2
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000001C.00000002.359892486.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_d20000_dhcpmon.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 97f1c1ede1b31228b4ba74dc9ba0705d1de64863c0357d12c7aca04d10d189ac
              • Instruction ID: 0b38eb96d6d7d73b6dfaaa22665c65750c8042883646ba7d62a0724382fd62f5
              • Opcode Fuzzy Hash: 97f1c1ede1b31228b4ba74dc9ba0705d1de64863c0357d12c7aca04d10d189ac
              • Instruction Fuzzy Hash: 51F01C75A41215CFDB14DBE4D059BAD7BF0AF5C318F280899D042A72A2CF74AD85CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000001C.00000002.359892486.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_d20000_dhcpmon.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 774cfbc10df9922683577f4ee9486bf9e0b3a22097d741a54b3a1da8d4cb543c
              • Instruction ID: 285ea155ffa0b230cb78885ec2b133d60d1c6d247521d63eb798993a412bdce8
              • Opcode Fuzzy Hash: 774cfbc10df9922683577f4ee9486bf9e0b3a22097d741a54b3a1da8d4cb543c
              • Instruction Fuzzy Hash: DBD012357002149FC714EB64E909A4677B8AF45611F104195E504CB254DA61DC14C7D1
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 0000001C.00000002.359892486.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_28_2_d20000_dhcpmon.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a996c610203e2dbb1e906fc69aa36812fdfa49c4f09710ff74ffe794f9d45c6c
              • Instruction ID: 620d3b7a63388012c0077852b887421b03e118994c383c322c3d4693aec5a240
              • Opcode Fuzzy Hash: a996c610203e2dbb1e906fc69aa36812fdfa49c4f09710ff74ffe794f9d45c6c
              • Instruction Fuzzy Hash: 0DD06271D042299F8B50EFF999055DEBFF4EA08250B104566D959E3201E6715A118BD1
              Uniqueness

              Uniqueness Score: -1.00%