Edit tour

Windows Analysis Report
OEc88DZdiO.exe

Overview

General Information

Sample Name:	OEc88DZdiO.exe
Analysis ID:	624271
MD5:	339c2a623cb5e745856b3fa600896bd7
SHA1:	3f9254e4158a8aa0daffb16914be26a96a4b7e44
SHA256:	c34f73a880d41a1a74e636bb2e6f9dd91b9c9fe050870400c4bedb2128b63588
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

OEc88DZdiO.exe (PID: 6404 cmdline: "C:\Users\user\Desktop\OEc88DZdiO.exe" MD5: 339C2A623CB5E745856B3FA600896BD7)

schtasks.exe (PID: 7048 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UNueWzx" /XML "C:\Users\user\AppData\Local\Temp\tmp8227.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

OEc88DZdiO.exe (PID: 4972 cmdline: {path} MD5: 339C2A623CB5E745856B3FA600896BD7)

OEc88DZdiO.exe (PID: 5588 cmdline: {path} MD5: 339C2A623CB5E745856B3FA600896BD7)

dhcpmon.exe (PID: 5116 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 339C2A623CB5E745856B3FA600896BD7)

schtasks.exe (PID: 6260 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UNueWzx" /XML "C:\Users\user\AppData\Local\Temp\tmp206B.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 3312 cmdline: {path} MD5: 339C2A623CB5E745856B3FA600896BD7)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "21bc8004-9dbe-4096-a374-5331629c", "Group": "Cashout Edu", "Domain1": "aztemglobaltradltd.ddns.net", "Domain2": "91.193.75.132", "Port": 7189, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.562461280.0000000005690000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000000E.00000002.562461280.0000000005690000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0000000E.00000002.562461280.0000000005690000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
0000000E.00000002.546310350.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.546310350.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.546310350.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000000.334835695.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000000.334835695.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000000.334835695.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000002.562338287.0000000005660000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
0000000E.00000002.562338287.0000000005660000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
0000000E.00000002.562338287.0000000005660000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
0000000E.00000000.337302386.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000000.337302386.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000000.337302386.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000002.548643911.0000000001110000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
0000000E.00000002.548643911.0000000001110000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
0000000E.00000002.548643911.0000000001110000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
0000000E.00000002.549623987.0000000001160000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
0000000E.00000002.549623987.0000000001160000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
0000000E.00000002.549623987.0000000001160000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
00000013.00000002.442350886.0000000003171000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.442350886.0000000003171000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69437:$a: NanoCore 0x69490:$a: NanoCore 0x694cd:$a: NanoCore 0x69546:$a: NanoCore 0x69499:$b: ClientPlugin 0x694d6:$b: ClientPlugin 0x69dd4:$b: ClientPlugin 0x69de1:$b: ClientPlugin 0x5f09e:$e: KeepAlive 0x69921:$g: LogClientMessage 0x698a1:$i: get_Connected 0x5986d:$j: #=q 0x5989d:$j: #=q 0x598d9:$j: #=q 0x59901:$j: #=q 0x59931:$j: #=q 0x59961:$j: #=q 0x59991:$j: #=q 0x599c1:$j: #=q 0x599dd:$j: #=q 0x59a0d:$j: #=q
0000000E.00000002.562419595.0000000005680000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
0000000E.00000002.562419595.0000000005680000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
0000000E.00000002.562419595.0000000005680000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
0000000E.00000002.561942739.0000000005500000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
0000000E.00000002.561942739.0000000005500000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
0000000E.00000002.561942739.0000000005500000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x15d0e:$a: NanoCore 0x15d33:$a: NanoCore 0x15d8c:$a: NanoCore 0x25f83:$a: NanoCore 0x25fa9:$a: NanoCore 0x26005:$a: NanoCore 0x32eaf:$a: NanoCore 0x32f08:$a: NanoCore 0x32f3b:$a: NanoCore 0x33167:$a: NanoCore 0x331e3:$a: NanoCore 0x337fc:$a: NanoCore 0x33945:$a: NanoCore 0x33e19:$a: NanoCore 0x34100:$a: NanoCore 0x34117:$a: NanoCore 0x3d00b:$a: NanoCore 0x3d087:$a: NanoCore 0x3f96a:$a: NanoCore 0x4412c:$a: NanoCore 0x44176:$a: NanoCore
0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb412f:$a: NanoCore 0xb4154:$a: NanoCore 0xb41ad:$a: NanoCore 0xc434c:$a: NanoCore 0xc4372:$a: NanoCore 0xc43ce:$a: NanoCore 0xd1225:$a: NanoCore 0xd127e:$a: NanoCore 0xd12b1:$a: NanoCore 0xd14dd:$a: NanoCore 0xd1559:$a: NanoCore 0xd1b72:$a: NanoCore 0xd1cbb:$a: NanoCore 0xd218f:$a: NanoCore 0xd2476:$a: NanoCore 0xd248d:$a: NanoCore 0xdb331:$a: NanoCore 0xdb3ad:$a: NanoCore 0xddc90:$a: NanoCore 0xe1042:$a: NanoCore 0xe23fe:$a: NanoCore
0000000E.00000000.335493633.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000000.335493633.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000000.335493633.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000013.00000000.416252631.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000000.416252631.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000000.416252631.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000002.563949640.0000000006C40000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
0000000E.00000002.563949640.0000000006C40000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
0000000E.00000002.563949640.0000000006C40000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
0000000E.00000002.559653897.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.559653897.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4af3d:$a: NanoCore 0x4af96:$a: NanoCore 0x4afd3:$a: NanoCore 0x4b04c:$a: NanoCore 0x5e6f7:$a: NanoCore 0x5e70c:$a: NanoCore 0x5e741:$a: NanoCore 0x771cb:$a: NanoCore 0x771e0:$a: NanoCore 0x77215:$a: NanoCore 0x4af9f:$b: ClientPlugin 0x4afdc:$b: ClientPlugin 0x4b8da:$b: ClientPlugin 0x4b8e7:$b: ClientPlugin 0x5e4b3:$b: ClientPlugin 0x5e4ce:$b: ClientPlugin 0x5e4fe:$b: ClientPlugin 0x5e715:$b: ClientPlugin 0x5e74a:$b: ClientPlugin 0x76f87:$b: ClientPlugin 0x76fa2:$b: ClientPlugin
0000000E.00000000.336489801.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000000.336489801.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000000.336489801.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000013.00000002.441028878.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000002.441028878.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.441028878.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.347814498.00000000038A8000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x108c7d:$x1: NanoCore.ClientPluginHost 0x2046bd:$x1: NanoCore.ClientPluginHost 0x108cba:$x2: IClientNetworkHost 0x2046fa:$x2: IClientNetworkHost 0x10c7ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x20822d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.347814498.00000000038A8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.347814498.00000000038A8000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1089e5:$a: NanoCore 0x1089f5:$a: NanoCore 0x108c29:$a: NanoCore 0x108c3d:$a: NanoCore 0x108c7d:$a: NanoCore 0x204425:$a: NanoCore 0x204435:$a: NanoCore 0x204669:$a: NanoCore 0x20467d:$a: NanoCore 0x2046bd:$a: NanoCore 0x108a44:$b: ClientPlugin 0x108c46:$b: ClientPlugin 0x108c86:$b: ClientPlugin 0x204484:$b: ClientPlugin 0x204686:$b: ClientPlugin 0x2046c6:$b: ClientPlugin 0x108b6b:$c: ProjectData 0x1c8900:$c: ProjectData 0x2045ab:$c: ProjectData 0x109572:$d: DESCrypto 0x204fb2:$d: DESCrypto
0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1ce9:$a: NanoCore 0x1d42:$a: NanoCore 0x1d7f:$a: NanoCore 0x1df8:$a: NanoCore 0x154a3:$a: NanoCore 0x154b8:$a: NanoCore 0x154ed:$a: NanoCore 0x23102:$a: NanoCore 0x23127:$a: NanoCore 0x23180:$a: NanoCore 0x3331d:$a: NanoCore 0x33343:$a: NanoCore 0x3339f:$a: NanoCore 0x401f4:$a: NanoCore 0x4024d:$a: NanoCore 0x40280:$a: NanoCore 0x404ac:$a: NanoCore 0x40528:$a: NanoCore 0x40b41:$a: NanoCore 0x40c8a:$a: NanoCore 0x4115e:$a: NanoCore
0000000E.00000002.549874699.0000000001170000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
0000000E.00000002.549874699.0000000001170000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
0000000E.00000002.549874699.0000000001170000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe09:$a: NanoCore 0xe62:$a: NanoCore 0xe9f:$a: NanoCore 0xf18:$a: NanoCore 0x145c3:$a: NanoCore 0x145d8:$a: NanoCore 0x1460d:$a: NanoCore 0x22222:$a: NanoCore 0x22247:$a: NanoCore 0x222a0:$a: NanoCore 0x3243d:$a: NanoCore 0x32463:$a: NanoCore 0x324bf:$a: NanoCore 0x3f314:$a: NanoCore 0x3f36d:$a: NanoCore 0x3f3a0:$a: NanoCore 0x3f5cc:$a: NanoCore 0x3f648:$a: NanoCore 0x3fc61:$a: NanoCore 0x3fdaa:$a: NanoCore 0x4027e:$a: NanoCore
0000000E.00000002.562083531.0000000005520000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
0000000E.00000002.562083531.0000000005520000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
0000000E.00000002.562083531.0000000005520000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
00000013.00000002.442458119.0000000004179000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.442458119.0000000004179000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42f3d:$a: NanoCore 0x42f96:$a: NanoCore 0x42fd3:$a: NanoCore 0x4304c:$a: NanoCore 0x566f7:$a: NanoCore 0x5670c:$a: NanoCore 0x56741:$a: NanoCore 0x6f1cb:$a: NanoCore 0x6f1e0:$a: NanoCore 0x6f215:$a: NanoCore 0x42f9f:$b: ClientPlugin 0x42fdc:$b: ClientPlugin 0x438da:$b: ClientPlugin 0x438e7:$b: ClientPlugin 0x564b3:$b: ClientPlugin 0x564ce:$b: ClientPlugin 0x564fe:$b: ClientPlugin 0x56715:$b: ClientPlugin 0x5674a:$b: ClientPlugin 0x6ef87:$b: ClientPlugin 0x6efa2:$b: ClientPlugin
0000000E.00000002.548674516.0000000001120000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
0000000E.00000002.548674516.0000000001120000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
0000000E.00000002.548674516.0000000001120000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
0000000F.00000002.425535286.0000000003F18000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xa361d:$x1: NanoCore.ClientPluginHost 0x1ae0bd:$x1: NanoCore.ClientPluginHost 0xa365a:$x2: IClientNetworkHost 0x1ae0fa:$x2: IClientNetworkHost 0xa718d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1b1c2d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000002.425535286.0000000003F18000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.425535286.0000000003F18000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xa3385:$a: NanoCore 0xa3395:$a: NanoCore 0xa35c9:$a: NanoCore 0xa35dd:$a: NanoCore 0xa361d:$a: NanoCore 0x1ade25:$a: NanoCore 0x1ade35:$a: NanoCore 0x1ae069:$a: NanoCore 0x1ae07d:$a: NanoCore 0x1ae0bd:$a: NanoCore 0xa33e4:$b: ClientPlugin 0xa35e6:$b: ClientPlugin 0xa3626:$b: ClientPlugin 0x1ade84:$b: ClientPlugin 0x1ae086:$b: ClientPlugin 0x1ae0c6:$b: ClientPlugin 0xa350b:$c: ProjectData 0x136dc4:$c: ProjectData 0x1adfab:$c: ProjectData 0xa3f12:$d: DESCrypto 0x1ae9b2:$d: DESCrypto
0000000E.00000002.562012434.0000000005510000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
0000000E.00000002.562012434.0000000005510000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
0000000E.00000002.562012434.0000000005510000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
00000013.00000000.416838253.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000000.416838253.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000000.416838253.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000002.562818620.0000000005F00000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000000E.00000002.562818620.0000000005F00000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000000E.00000002.562818620.0000000005F00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.562818620.0000000005F00000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
0000000E.00000002.561903140.00000000054F0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
0000000E.00000002.561903140.00000000054F0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
0000000E.00000002.561903140.00000000054F0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
0000000E.00000002.550259552.0000000001180000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
0000000E.00000002.550259552.0000000001180000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
0000000E.00000002.550259552.0000000001180000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
00000013.00000000.417302089.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000000.417302089.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000000.417302089.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000013.00000000.415706140.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000000.415706140.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000000.415706140.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000002.556144169.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.561146588.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x55d77:$a: NanoCore 0x55e61:$a: NanoCore 0x56cd8:$a: NanoCore 0x5fe82:$a: NanoCore 0x5fee3:$a: NanoCore 0x5ff26:$a: NanoCore 0x5ff66:$a: NanoCore 0x601a2:$a: NanoCore 0x60242:$a: NanoCore 0x60a1a:$a: NanoCore 0x6100d:$a: NanoCore 0x6115e:$a: NanoCore 0x61fb8:$a: NanoCore 0x6221f:$a: NanoCore 0x62234:$a: NanoCore 0x62253:$a: NanoCore 0x6b156:$a: NanoCore 0x6b17f:$a: NanoCore 0x76ef8:$a: NanoCore 0x76f21:$a: NanoCore 0x9bde4:$a: NanoCore
Process Memory Space: OEc88DZdiO.exe PID: 6404	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4496e:$x1: NanoCore.ClientPluginHost 0x449ab:$x2: IClientNetworkHost 0x4849c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x53522:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x68b16:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: OEc88DZdiO.exe PID: 6404	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: OEc88DZdiO.exe PID: 6404	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: OEc88DZdiO.exe PID: 6404	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4463b:$a: NanoCore 0x4464b:$a: NanoCore 0x4470a:$a: NanoCore 0x44719:$a: NanoCore 0x4491a:$a: NanoCore 0x4492e:$a: NanoCore 0x4496e:$a: NanoCore 0x4fb8c:$a: NanoCore 0x4fb9e:$a: NanoCore 0x4fbda:$a: NanoCore 0x65180:$a: NanoCore 0x65192:$a: NanoCore 0x651ce:$a: NanoCore 0x4469a:$b: ClientPlugin 0x44763:$b: ClientPlugin 0x44937:$b: ClientPlugin 0x44977:$b: ClientPlugin 0x4fba7:$b: ClientPlugin 0x4fbe3:$b: ClientPlugin 0x6519b:$b: ClientPlugin 0x651d7:$b: ClientPlugin
Process Memory Space: OEc88DZdiO.exe PID: 5588	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x73ca:$x1: NanoCore.ClientPluginHost 0x7867d:$x1: NanoCore.ClientPluginHost 0xa2761:$x1: NanoCore.ClientPluginHost 0xb356e:$x1: NanoCore.ClientPluginHost 0xe7ea8:$x1: NanoCore.ClientPluginHost 0xf9f6a:$x1: NanoCore.ClientPluginHost 0x116a65:$x1: NanoCore.ClientPluginHost 0x1930d6:$x1: NanoCore.ClientPluginHost 0x1b821b:$x1: NanoCore.ClientPluginHost 0x1f88f1:$x1: NanoCore.ClientPluginHost 0x234950:$x1: NanoCore.ClientPluginHost 0x23b2cc:$x1: NanoCore.ClientPluginHost 0x24f6dd:$x1: NanoCore.ClientPluginHost 0x28ca08:$x1: NanoCore.ClientPluginHost 0x2a5d09:$x1: NanoCore.ClientPluginHost 0x2b3487:$x1: NanoCore.ClientPluginHost 0x73f4:$x2: IClientNetworkHost 0x786ba:$x2: IClientNetworkHost 0xa278b:$x2: IClientNetworkHost 0xb3598:$x2: IClientNetworkHost 0xe7ee1:$x2: IClientNetworkHost
Process Memory Space: OEc88DZdiO.exe PID: 5588	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: OEc88DZdiO.exe PID: 5588	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x73a5:$a: NanoCore 0x73ca:$a: NanoCore 0x7423:$a: NanoCore 0xaebf:$a: NanoCore 0xaee2:$a: NanoCore 0xaf37:$a: NanoCore 0x15fd4:$a: NanoCore 0x15ff8:$a: NanoCore 0x16050:$a: NanoCore 0x1d4c6:$a: NanoCore 0x1d51f:$a: NanoCore 0x1d545:$a: NanoCore 0x1d8db:$a: NanoCore 0x1d91f:$a: NanoCore 0x1d962:$a: NanoCore 0x1d9b5:$a: NanoCore 0x1d9e4:$a: NanoCore 0x1dbea:$a: NanoCore 0x1dc5e:$a: NanoCore 0x1e215:$a: NanoCore 0x1e351:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 5116	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff56:$x1: NanoCore.ClientPluginHost 0xff93:$x2: IClientNetworkHost 0x13a84:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1eb0a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x306dc:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 5116	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 5116	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 5116	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfc23:$a: NanoCore 0xfc33:$a: NanoCore 0xfcf2:$a: NanoCore 0xfd01:$a: NanoCore 0xff02:$a: NanoCore 0xff16:$a: NanoCore 0xff56:$a: NanoCore 0x1b174:$a: NanoCore 0x1b186:$a: NanoCore 0x1b1c2:$a: NanoCore 0x2cd46:$a: NanoCore 0x2cd58:$a: NanoCore 0x2cd94:$a: NanoCore 0xfc82:$b: ClientPlugin 0xfd4b:$b: ClientPlugin 0xff1f:$b: ClientPlugin 0xff5f:$b: ClientPlugin 0x1b18f:$b: ClientPlugin 0x1b1cb:$b: ClientPlugin 0x2cd61:$b: ClientPlugin 0x2cd9d:$b: ClientPlugin
Process Memory Space: dhcpmon.exe PID: 3312	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x168fe:$x1: NanoCore.ClientPluginHost 0x267eb:$x1: NanoCore.ClientPluginHost 0x417e5:$x1: NanoCore.ClientPluginHost 0x16918:$x2: IClientNetworkHost 0x26828:$x2: IClientNetworkHost 0x417ff:$x2: IClientNetworkHost 0x2a319:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3539f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 3312	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 3312	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe49:$a: NanoCore 0xea4:$a: NanoCore 0xf18:$a: NanoCore 0x16868:$a: NanoCore 0x168c1:$a: NanoCore 0x168fe:$a: NanoCore 0x16977:$a: NanoCore 0x17105:$a: NanoCore 0x17158:$a: NanoCore 0x17191:$a: NanoCore 0x17204:$a: NanoCore 0x17ce5:$a: NanoCore 0x264b8:$a: NanoCore 0x264c8:$a: NanoCore 0x26587:$a: NanoCore 0x26596:$a: NanoCore 0x26797:$a: NanoCore 0x267ab:$a: NanoCore 0x267eb:$a: NanoCore 0x31a09:$a: NanoCore 0x31a1b:$a: NanoCore
Click to see the 103 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
14.2.OEc88DZdiO.exe.4c18a16.22.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.4c18a16.22.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.4c18a16.22.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
14.2.OEc88DZdiO.exe.5510000.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.5510000.25.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.5510000.25.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
19.2.dhcpmon.exe.41bff94.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
19.2.dhcpmon.exe.41bff94.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
19.2.dhcpmon.exe.41bff94.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.dhcpmon.exe.41bff94.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
14.2.OEc88DZdiO.exe.5680000.28.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0xc275:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost 0xc28f:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.5680000.28.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0xc275:$x2: NanoCore.ClientPluginHost 0xc661:$s3: PipeExists 0x7641:$s4: PipeCreated 0xc536:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost 0xc2b0:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.5680000.28.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x41c9:$x2: NanoCore.ClientPlugin 0xc238:$x2: NanoCore.ClientPlugin 0x41ee:$x3: NanoCore.ClientPluginHost 0xc275:$x3: NanoCore.ClientPluginHost 0xc25a:$i1: IClientApp 0xc24e:$i2: IClientData 0x41ba:$i3: IClientNetwork 0xc229:$i3: IClientNetwork 0x41df:$i4: IClientAppHost 0xc2c3:$i4: IClientAppHost 0x4208:$i5: IClientDataHost 0xc265:$i5: IClientDataHost 0x4218:$i6: IClientLoggingHost 0xc2b0:$i6: IClientLoggingHost 0x422b:$i7: IClientNetworkHost 0xc28f:$i7: IClientNetworkHost 0x423e:$i8: IClientUIHost 0xc2a2:$i8: IClientUIHost 0x424c:$i9: IClientNameObjectCollection 0xc2d2:$i9: IClientNameObjectCollection 0xc2f7:$i10: IClientReadOnlyNameObjectCollection
14.2.OEc88DZdiO.exe.5680000.28.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x41b1:$a: NanoCore 0x41c9:$a: NanoCore 0x41ee:$a: NanoCore 0xc1df:$a: NanoCore 0xc238:$a: NanoCore 0xc275:$a: NanoCore 0xc2ee:$a: NanoCore 0x3f2e:$b: ClientPlugin 0x3f40:$b: ClientPlugin 0x3f70:$b: ClientPlugin 0x41d2:$b: ClientPlugin 0x41f7:$b: ClientPlugin 0xc241:$b: ClientPlugin 0xc27e:$b: ClientPlugin 0xcb7c:$b: ClientPlugin 0xcb89:$b: ClientPlugin 0x40c0:$c: ProjectData 0xc6c9:$g: LogClientMessage 0xc649:$i: get_Connected 0x3fe8:$j: #=q 0x49df:$j: #=q
14.2.OEc88DZdiO.exe.1170000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.1170000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.1170000.5.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3f87:$x2: NanoCore.ClientPlugin 0x3f0b:$x3: NanoCore.ClientPluginHost 0x3f9d:$i3: IClientNetwork 0x3f25:$i6: IClientLoggingHost 0x3f44:$i7: IClientNetworkHost 0x3bfb:$s1: ClientPlugin 0x3f90:$s1: ClientPlugin 0x50f4:$s3: IPAddress
14.2.OEc88DZdiO.exe.3cfff94.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28281:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282ae:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.3cfff94.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28281:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2935c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x2829b:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.3cfff94.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.OEc88DZdiO.exe.3cfff94.12.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x2824c:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28281:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28240:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x28262:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28271:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x2829b:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x282ae:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x282c1:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x282cf:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x282eb:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
14.2.OEc88DZdiO.exe.1120000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.1120000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.1120000.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
14.2.OEc88DZdiO.exe.6c4e8a4.35.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.6c4e8a4.35.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.6c4e8a4.35.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
15.2.dhcpmon.exe.40b5f30.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.dhcpmon.exe.40b5f30.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
15.2.dhcpmon.exe.40b5f30.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.dhcpmon.exe.40b5f30.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
15.2.dhcpmon.exe.40b5f30.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.OEc88DZdiO.exe.4a0e599.15.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.4a0e599.15.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
14.2.OEc88DZdiO.exe.4a0e599.15.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
19.0.dhcpmon.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.0.dhcpmon.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
19.0.dhcpmon.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.0.dhcpmon.exe.400000.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
19.0.dhcpmon.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
19.2.dhcpmon.exe.41bff94.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28281:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282ae:$x2: IClientNetworkHost
19.2.dhcpmon.exe.41bff94.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28281:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2935c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x2829b:$s5: IClientLoggingHost
19.2.dhcpmon.exe.41bff94.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.dhcpmon.exe.41bff94.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x2824c:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28281:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28240:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x28262:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28271:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x2829b:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x282ae:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x282c1:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x282cf:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x282eb:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
14.2.OEc88DZdiO.exe.4b34d40.18.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.4b34d40.18.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.4b34d40.18.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.OEc88DZdiO.exe.4b34d40.18.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
19.2.dhcpmon.exe.41bb15e.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0b7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0e4:$x2: IClientNetworkHost
19.2.dhcpmon.exe.41bb15e.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0b7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e192:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0d1:$s5: IClientLoggingHost
19.2.dhcpmon.exe.41bb15e.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.dhcpmon.exe.41bb15e.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d082:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d0b7:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d076:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d098:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d0a7:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d0d1:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
19.2.dhcpmon.exe.41bb15e.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d06d:$a: NanoCore 0x2d082:$a: NanoCore 0x2d0b7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce29:$b: ClientPlugin 0x2ce44:$b: ClientPlugin
14.2.OEc88DZdiO.exe.5500000.24.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.5500000.24.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.5500000.24.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3ed5:$x2: NanoCore.ClientPlugin 0x3deb:$x3: NanoCore.ClientPluginHost 0x3eeb:$i3: IClientNetwork 0x3e24:$i5: IClientDataHost 0x3e05:$i6: IClientLoggingHost 0x3f48:$i7: IClientNetworkHost 0x3e43:$i8: IClientUIHost 0x4d55:$i9: IClientNameObjectCollection 0x38fc:$s1: ClientPlugin 0x3ede:$s1: ClientPlugin 0x4d71:$s6: get_ClientSettings
14.2.OEc88DZdiO.exe.4c0a5e6.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x1193b:$x1: NanoCore.ClientPluginHost 0x3683f:$x1: NanoCore.ClientPluginHost 0x45c7f:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost 0x11955:$x2: IClientNetworkHost 0x36859:$x2: IClientNetworkHost 0x45cbc:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.4c0a5e6.21.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x1193b:$x2: NanoCore.ClientPluginHost 0x3683f:$x2: NanoCore.ClientPluginHost 0x45c7f:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x136e6:$s4: PipeCreated 0x39b7c:$s4: PipeCreated 0x490d2:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost 0x11928:$s5: IClientLoggingHost 0x3682c:$s5: IClientLoggingHost 0x45ca9:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.4c0a5e6.21.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x11912:$x2: NanoCore.ClientPlugin 0x36816:$x2: NanoCore.ClientPlugin 0x45c5a:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x1193b:$x3: NanoCore.ClientPluginHost 0x3683f:$x3: NanoCore.ClientPluginHost 0x45c7f:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x11903:$i3: IClientNetwork 0x36807:$i3: IClientNetwork 0x45c4b:$i3: IClientNetwork 0x45c70:$i4: IClientAppHost 0x45c99:$i5: IClientDataHost 0x5b86:$i6: IClientLoggingHost 0x11928:$i6: IClientLoggingHost 0x3682c:$i6: IClientLoggingHost 0x45ca9:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x11955:$i7: IClientNetworkHost 0x36859:$i7: IClientNetworkHost
14.2.OEc88DZdiO.exe.6c40000.33.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.6c40000.33.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.6c40000.33.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
14.2.OEc88DZdiO.exe.54f0000.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.54f0000.23.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.54f0000.23.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
14.2.OEc88DZdiO.exe.6c40000.33.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.6c40000.33.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.6c40000.33.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
14.0.OEc88DZdiO.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.OEc88DZdiO.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.0.OEc88DZdiO.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.OEc88DZdiO.exe.400000.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
14.0.OEc88DZdiO.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.OEc88DZdiO.exe.5f00000.32.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.5f00000.32.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.5f00000.32.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.OEc88DZdiO.exe.5f00000.32.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
0.2.OEc88DZdiO.exe.39d3510.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd91ad:$x1: NanoCore.ClientPluginHost 0xd91ea:$x2: IClientNetworkHost 0xdcd1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.OEc88DZdiO.exe.39d3510.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.OEc88DZdiO.exe.39d3510.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd8f15:$x1: NanoCore Client 0xd8f25:$x1: NanoCore Client 0xd916d:$x2: NanoCore.ClientPlugin 0xd91ad:$x3: NanoCore.ClientPluginHost 0xd9162:$i1: IClientApp 0xd9183:$i2: IClientData 0xd918f:$i3: IClientNetwork 0xd919e:$i4: IClientAppHost 0xd91c7:$i5: IClientDataHost 0xd91d7:$i6: IClientLoggingHost 0xd91ea:$i7: IClientNetworkHost 0xd91fd:$i8: IClientUIHost 0xd920b:$i9: IClientNameObjectCollection 0xd9227:$i10: IClientReadOnlyNameObjectCollection 0xd8f74:$s1: ClientPlugin 0xd9176:$s1: ClientPlugin 0xd966a:$s2: EndPoint 0xd9673:$s3: IPAddress 0xd967d:$s4: IPEndPoint 0xdb0b3:$s6: get_ClientSettings 0xdb657:$s7: get_Connected
0.2.OEc88DZdiO.exe.39d3510.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xd8f15:$a: NanoCore 0xd8f25:$a: NanoCore 0xd9159:$a: NanoCore 0xd916d:$a: NanoCore 0xd91ad:$a: NanoCore 0xd8f74:$b: ClientPlugin 0xd9176:$b: ClientPlugin 0xd91b6:$b: ClientPlugin 0x9d3f0:$c: ProjectData 0xd909b:$c: ProjectData 0xd9aa2:$d: DESCrypto 0xe146e:$e: KeepAlive 0xdf45c:$g: LogClientMessage 0xdb657:$i: get_Connected 0xd9dd8:$j: #=q 0xd9e08:$j: #=q 0xd9e24:$j: #=q 0xd9e54:$j: #=q 0xd9e70:$j: #=q 0xd9e8c:$j: #=q 0xd9ebc:$j: #=q
19.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
19.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.dhcpmon.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
19.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.OEc88DZdiO.exe.5510000.25.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.5510000.25.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.5510000.25.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
14.2.OEc88DZdiO.exe.5f00000.32.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.5f00000.32.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.5f00000.32.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.OEc88DZdiO.exe.5f00000.32.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
14.2.OEc88DZdiO.exe.4b34d40.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x1d3e7:$x1: NanoCore.ClientPluginHost 0x2d603:$x1: NanoCore.ClientPluginHost 0x3a76c:$x1: NanoCore.ClientPluginHost 0x3fe5f:$x1: NanoCore.ClientPluginHost 0x460e8:$x1: NanoCore.ClientPluginHost 0x506f7:$x1: NanoCore.ClientPluginHost 0x5ab22:$x1: NanoCore.ClientPluginHost 0x65aff:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x1d411:$x2: IClientNetworkHost 0x2d630:$x2: IClientNetworkHost 0x3a7a5:$x2: IClientNetworkHost 0x46121:$x2: IClientNetworkHost 0x50854:$x2: IClientNetworkHost 0x5ab5b:$x2: IClientNetworkHost 0x65b19:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.4b34d40.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x1d3e7:$x2: NanoCore.ClientPluginHost 0x2d603:$x2: NanoCore.ClientPluginHost 0x3a76c:$x2: NanoCore.ClientPluginHost 0x3fe5f:$x2: NanoCore.ClientPluginHost 0x460e8:$x2: NanoCore.ClientPluginHost 0x506f7:$x2: NanoCore.ClientPluginHost 0x5ab22:$x2: NanoCore.ClientPluginHost 0x65aff:$x2: NanoCore.ClientPluginHost 0x2e5d2:$s2: FileCommand 0x5164d:$s3: PipeExists 0x10888:$s4: PipeCreated 0x1f297:$s4: PipeCreated 0x32fd4:$s4: PipeCreated 0x3a889:$s4: PipeCreated 0x3ff3d:$s4: PipeCreated 0x46203:$s4: PipeCreated 0x508ed:$s4: PipeCreated 0x5ac6d:$s4: PipeCreated 0x66b34:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.4b34d40.18.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.OEc88DZdiO.exe.4b34d40.18.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.OEc88DZdiO.exe.4b34d40.18.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x1d3c2:$x2: NanoCore.ClientPlugin 0x2d5dd:$x2: NanoCore.ClientPlugin 0x3a7e8:$x2: NanoCore.ClientPlugin 0x3fea9:$x2: NanoCore.ClientPlugin 0x46162:$x2: NanoCore.ClientPlugin 0x507e1:$x2: NanoCore.ClientPlugin 0x5abc2:$x2: NanoCore.ClientPlugin 0x65ad6:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x1d3e7:$x3: NanoCore.ClientPluginHost 0x2d603:$x3: NanoCore.ClientPluginHost 0x3a76c:$x3: NanoCore.ClientPluginHost 0x3fe5f:$x3: NanoCore.ClientPluginHost 0x460e8:$x3: NanoCore.ClientPluginHost 0x506f7:$x3: NanoCore.ClientPluginHost 0x5ab22:$x3: NanoCore.ClientPluginHost 0x65aff:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x1d3b3:$i3: IClientNetwork
14.2.OEc88DZdiO.exe.4b34d40.18.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf763:$a: NanoCore 0xf778:$a: NanoCore 0xf7ad:$a: NanoCore 0x1d3c2:$a: NanoCore 0x1d3e7:$a: NanoCore 0x1d440:$a: NanoCore 0x2d5dd:$a: NanoCore 0x2d603:$a: NanoCore 0x2d65f:$a: NanoCore 0x3a4b4:$a: NanoCore 0x3a50d:$a: NanoCore 0x3a540:$a: NanoCore 0x3a76c:$a: NanoCore 0x3a7e8:$a: NanoCore 0x3ae01:$a: NanoCore 0x3af4a:$a: NanoCore 0x3b41e:$a: NanoCore 0x3b705:$a: NanoCore 0x3b71c:$a: NanoCore 0x3eaa5:$a: NanoCore 0x3fe5f:$a: NanoCore
14.2.OEc88DZdiO.exe.2f29404.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.2f29404.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.2f29404.9.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
14.2.OEc88DZdiO.exe.6c44c9f.34.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.6c44c9f.34.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.6c44c9f.34.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
14.2.OEc88DZdiO.exe.5500000.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.5500000.24.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.5500000.24.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
14.2.OEc88DZdiO.exe.3d045bd.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c58:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c85:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.3d045bd.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c58:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d33:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c72:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.3d045bd.13.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.OEc88DZdiO.exe.3d045bd.13.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x23c23:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x23c58:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x23c17:$i2: IClientData 0xb165:$i3: IClientNetwork 0x23c39:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x23c48:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x23c72:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x23c85:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x23c98:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x23ca6:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x23cc2:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
19.2.dhcpmon.exe.31d9658.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
19.2.dhcpmon.exe.31d9658.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
19.2.dhcpmon.exe.31d9658.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
14.2.OEc88DZdiO.exe.4a1a7cd.16.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.4a1a7cd.16.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.4a1a7cd.16.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
14.2.OEc88DZdiO.exe.5690000.29.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.5690000.29.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.5690000.29.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
15.2.dhcpmon.exe.3fcbcb0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfa40d:$x1: NanoCore.ClientPluginHost 0xfa44a:$x2: IClientNetworkHost 0xfdf7d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.dhcpmon.exe.3fcbcb0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.dhcpmon.exe.3fcbcb0.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfa175:$x1: NanoCore Client 0xfa185:$x1: NanoCore Client 0xfa3cd:$x2: NanoCore.ClientPlugin 0xfa40d:$x3: NanoCore.ClientPluginHost 0xfa3c2:$i1: IClientApp 0xfa3e3:$i2: IClientData 0xfa3ef:$i3: IClientNetwork 0xfa3fe:$i4: IClientAppHost 0xfa427:$i5: IClientDataHost 0xfa437:$i6: IClientLoggingHost 0xfa44a:$i7: IClientNetworkHost 0xfa45d:$i8: IClientUIHost 0xfa46b:$i9: IClientNameObjectCollection 0xfa487:$i10: IClientReadOnlyNameObjectCollection 0xfa1d4:$s1: ClientPlugin 0xfa3d6:$s1: ClientPlugin 0xfa8ca:$s2: EndPoint 0xfa8d3:$s3: IPAddress 0xfa8dd:$s4: IPEndPoint 0xfc313:$s6: get_ClientSettings 0xfc8b7:$s7: get_Connected
15.2.dhcpmon.exe.3fcbcb0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfa175:$a: NanoCore 0xfa185:$a: NanoCore 0xfa3b9:$a: NanoCore 0xfa3cd:$a: NanoCore 0xfa40d:$a: NanoCore 0xfa1d4:$b: ClientPlugin 0xfa3d6:$b: ClientPlugin 0xfa416:$b: ClientPlugin 0x83114:$c: ProjectData 0xfa2fb:$c: ProjectData 0xfad02:$d: DESCrypto 0x1026ce:$e: KeepAlive 0x1006bc:$g: LogClientMessage 0xfc8b7:$i: get_Connected 0xfb038:$j: #=q 0xfb068:$j: #=q 0xfb084:$j: #=q 0xfb0b4:$j: #=q 0xfb0d0:$j: #=q 0xfb0ec:$j: #=q 0xfb11c:$j: #=q
14.2.OEc88DZdiO.exe.4c017b7.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0xe9c8:$x1: NanoCore.ClientPluginHost 0x1a76a:$x1: NanoCore.ClientPluginHost 0x3f66e:$x1: NanoCore.ClientPluginHost 0x4eaae:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost 0xe9e2:$x2: IClientNetworkHost 0x1a784:$x2: IClientNetworkHost 0x3f688:$x2: IClientNetworkHost 0x4eaeb:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.4c017b7.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0xe9c8:$x2: NanoCore.ClientPluginHost 0x1a76a:$x2: NanoCore.ClientPluginHost 0x3f66e:$x2: NanoCore.ClientPluginHost 0x4eaae:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0xf9fd:$s4: PipeCreated 0x1c515:$s4: PipeCreated 0x429ab:$s4: PipeCreated 0x51f01:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost 0xe9b5:$s5: IClientLoggingHost 0x1a757:$s5: IClientLoggingHost 0x3f65b:$s5: IClientLoggingHost 0x4ead8:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.4c017b7.20.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0xe99f:$x2: NanoCore.ClientPlugin 0x1a741:$x2: NanoCore.ClientPlugin 0x3f645:$x2: NanoCore.ClientPlugin 0x4ea89:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0xe9c8:$x3: NanoCore.ClientPluginHost 0x1a76a:$x3: NanoCore.ClientPluginHost 0x3f66e:$x3: NanoCore.ClientPluginHost 0x4eaae:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0xe990:$i3: IClientNetwork 0x1a732:$i3: IClientNetwork 0x3f636:$i3: IClientNetwork 0x4ea7a:$i3: IClientNetwork 0x4ea9f:$i4: IClientAppHost 0x3a43:$i5: IClientDataHost 0x4eac8:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0xe9b5:$i6: IClientLoggingHost 0x1a757:$i6: IClientLoggingHost
14.2.OEc88DZdiO.exe.4c017b7.20.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36cb:$a: NanoCore 0x372c:$a: NanoCore 0x376f:$a: NanoCore 0x37af:$a: NanoCore 0x39eb:$a: NanoCore 0x3a8b:$a: NanoCore 0x4263:$a: NanoCore 0x4856:$a: NanoCore 0x49a7:$a: NanoCore 0x5801:$a: NanoCore 0x5a68:$a: NanoCore 0x5a7d:$a: NanoCore 0x5a9c:$a: NanoCore 0xe99f:$a: NanoCore 0xe9c8:$a: NanoCore 0x1a741:$a: NanoCore 0x1a76a:$a: NanoCore 0x3f62d:$a: NanoCore 0x3f645:$a: NanoCore 0x3f66e:$a: NanoCore 0x4ea71:$a: NanoCore
14.2.OEc88DZdiO.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.OEc88DZdiO.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.OEc88DZdiO.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
14.2.OEc88DZdiO.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
19.0.dhcpmon.exe.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.0.dhcpmon.exe.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
19.0.dhcpmon.exe.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.0.dhcpmon.exe.400000.12.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
19.0.dhcpmon.exe.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.OEc88DZdiO.exe.1110000.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.1110000.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
14.2.OEc88DZdiO.exe.1110000.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
14.2.OEc88DZdiO.exe.54f0000.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.54f0000.23.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.54f0000.23.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x67f:$x2: NanoCore.ClientPlugin 0x605:$x3: NanoCore.ClientPluginHost 0x695:$i3: IClientNetwork 0x61f:$i6: IClientLoggingHost 0x63e:$i7: IClientNetworkHost 0x688:$s1: ClientPlugin
19.0.dhcpmon.exe.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.0.dhcpmon.exe.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
19.0.dhcpmon.exe.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.0.dhcpmon.exe.400000.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
19.0.dhcpmon.exe.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.OEc88DZdiO.exe.3cfff94.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.3cfff94.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.3cfff94.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.OEc88DZdiO.exe.3cfff94.12.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
14.2.OEc88DZdiO.exe.4c0a5e6.21.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0xcd3b:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost 0xcd55:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.4c0a5e6.21.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0xcd3b:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost 0xcd28:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.4c0a5e6.21.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0xcd12:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0xcd3b:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0xcd03:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0xcd28:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0xcd55:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0xcb7e:$s1: ClientPlugin 0xcd1b:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
14.2.OEc88DZdiO.exe.1170000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.1170000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.1170000.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
14.2.OEc88DZdiO.exe.2cdd950.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.2cdd950.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.2cdd950.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
14.2.OEc88DZdiO.exe.4c017b7.20.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.4c017b7.20.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.4c017b7.20.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
14.0.OEc88DZdiO.exe.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.OEc88DZdiO.exe.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.0.OEc88DZdiO.exe.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.OEc88DZdiO.exe.400000.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
14.0.OEc88DZdiO.exe.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.OEc88DZdiO.exe.2f1d178.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.2f1d178.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
14.2.OEc88DZdiO.exe.2f1d178.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
14.2.OEc88DZdiO.exe.5520000.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.5520000.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.5520000.26.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
14.2.OEc88DZdiO.exe.6f15e60.37.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.6f15e60.37.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.6f15e60.37.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.OEc88DZdiO.exe.6f15e60.37.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
14.2.OEc88DZdiO.exe.4c18a16.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x2840f:$x1: NanoCore.ClientPluginHost 0x3784f:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost 0x28429:$x2: IClientNetworkHost 0x3788c:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.4c18a16.22.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x2840f:$x2: NanoCore.ClientPluginHost 0x3784f:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x2b74c:$s4: PipeCreated 0x3aca2:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost 0x283fc:$s5: IClientLoggingHost 0x37879:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.4c18a16.22.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x283e6:$x2: NanoCore.ClientPlugin 0x3782a:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x2840f:$x3: NanoCore.ClientPluginHost 0x3784f:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x283d7:$i3: IClientNetwork 0x3781b:$i3: IClientNetwork 0x37840:$i4: IClientAppHost 0x37869:$i5: IClientDataHost 0x34f8:$i6: IClientLoggingHost 0x283fc:$i6: IClientLoggingHost 0x37879:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x28429:$i7: IClientNetworkHost 0x3788c:$i7: IClientNetworkHost 0x2843c:$i8: IClientUIHost 0x3789f:$i8: IClientUIHost 0x378ad:$i9: IClientNameObjectCollection 0x334e:$s1: ClientPlugin
0.2.OEc88DZdiO.exe.39a0af0.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.OEc88DZdiO.exe.39a0af0.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.OEc88DZdiO.exe.39a0af0.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.OEc88DZdiO.exe.39a0af0.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.OEc88DZdiO.exe.39a0af0.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.OEc88DZdiO.exe.5680000.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.5680000.28.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.5680000.28.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
14.2.OEc88DZdiO.exe.4b39369.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x18dbe:$x1: NanoCore.ClientPluginHost 0x28fda:$x1: NanoCore.ClientPluginHost 0x36143:$x1: NanoCore.ClientPluginHost 0x3b836:$x1: NanoCore.ClientPluginHost 0x41abf:$x1: NanoCore.ClientPluginHost 0x4c0ce:$x1: NanoCore.ClientPluginHost 0x564f9:$x1: NanoCore.ClientPluginHost 0x614d6:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x18de8:$x2: IClientNetworkHost 0x29007:$x2: IClientNetworkHost 0x3617c:$x2: IClientNetworkHost 0x41af8:$x2: IClientNetworkHost 0x4c22b:$x2: IClientNetworkHost 0x56532:$x2: IClientNetworkHost 0x614f0:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.4b39369.17.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x18dbe:$x2: NanoCore.ClientPluginHost 0x28fda:$x2: NanoCore.ClientPluginHost 0x36143:$x2: NanoCore.ClientPluginHost 0x3b836:$x2: NanoCore.ClientPluginHost 0x41abf:$x2: NanoCore.ClientPluginHost 0x4c0ce:$x2: NanoCore.ClientPluginHost 0x564f9:$x2: NanoCore.ClientPluginHost 0x614d6:$x2: NanoCore.ClientPluginHost 0x29fa9:$s2: FileCommand 0x4d024:$s3: PipeExists 0xc25f:$s4: PipeCreated 0x1ac6e:$s4: PipeCreated 0x2e9ab:$s4: PipeCreated 0x36260:$s4: PipeCreated 0x3b914:$s4: PipeCreated 0x41bda:$s4: PipeCreated 0x4c2c4:$s4: PipeCreated 0x56644:$s4: PipeCreated 0x6250b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.4b39369.17.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.OEc88DZdiO.exe.4b39369.17.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.OEc88DZdiO.exe.4b39369.17.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x18d99:$x2: NanoCore.ClientPlugin 0x28fb4:$x2: NanoCore.ClientPlugin 0x361bf:$x2: NanoCore.ClientPlugin 0x3b880:$x2: NanoCore.ClientPlugin 0x41b39:$x2: NanoCore.ClientPlugin 0x4c1b8:$x2: NanoCore.ClientPlugin 0x56599:$x2: NanoCore.ClientPlugin 0x614ad:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x18dbe:$x3: NanoCore.ClientPluginHost 0x28fda:$x3: NanoCore.ClientPluginHost 0x36143:$x3: NanoCore.ClientPluginHost 0x3b836:$x3: NanoCore.ClientPluginHost 0x41abf:$x3: NanoCore.ClientPluginHost 0x4c0ce:$x3: NanoCore.ClientPluginHost 0x564f9:$x3: NanoCore.ClientPluginHost 0x614d6:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0x18d8a:$i3: IClientNetwork
14.2.OEc88DZdiO.exe.4b39369.17.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb13a:$a: NanoCore 0xb14f:$a: NanoCore 0xb184:$a: NanoCore 0x18d99:$a: NanoCore 0x18dbe:$a: NanoCore 0x18e17:$a: NanoCore 0x28fb4:$a: NanoCore 0x28fda:$a: NanoCore 0x29036:$a: NanoCore 0x35e8b:$a: NanoCore 0x35ee4:$a: NanoCore 0x35f17:$a: NanoCore 0x36143:$a: NanoCore 0x361bf:$a: NanoCore 0x367d8:$a: NanoCore 0x36921:$a: NanoCore 0x36df5:$a: NanoCore 0x370dc:$a: NanoCore 0x370f3:$a: NanoCore 0x3a47c:$a: NanoCore 0x3b836:$a: NanoCore
14.2.OEc88DZdiO.exe.5660000.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.5660000.27.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.5660000.27.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
14.2.OEc88DZdiO.exe.1180000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
14.2.OEc88DZdiO.exe.1180000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.1180000.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
14.2.OEc88DZdiO.exe.5660000.27.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.5660000.27.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.5660000.27.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
19.0.dhcpmon.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.0.dhcpmon.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
19.0.dhcpmon.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.0.dhcpmon.exe.400000.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
19.0.dhcpmon.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.0.OEc88DZdiO.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.OEc88DZdiO.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.0.OEc88DZdiO.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.OEc88DZdiO.exe.400000.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
14.0.OEc88DZdiO.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.OEc88DZdiO.exe.1120000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.1120000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.1120000.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
14.2.OEc88DZdiO.exe.2f3da84.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb587:$x1: NanoCore.ClientPluginHost 0x126a8:$x1: NanoCore.ClientPluginHost 0x18985:$x1: NanoCore.ClientPluginHost 0x22fe7:$x1: NanoCore.ClientPluginHost 0x2d467:$x1: NanoCore.ClientPluginHost 0x3849d:$x1: NanoCore.ClientPluginHost 0x44297:$x1: NanoCore.ClientPluginHost 0x50082:$x1: NanoCore.ClientPluginHost 0x607d3:$x1: NanoCore.ClientPluginHost 0x655f3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb5c0:$x2: IClientNetworkHost 0x189be:$x2: IClientNetworkHost 0x23144:$x2: IClientNetworkHost 0x2d4a0:$x2: IClientNetworkHost 0x384b7:$x2: IClientNetworkHost 0x442b1:$x2: IClientNetworkHost 0x500bf:$x2: IClientNetworkHost 0x607ed:$x2: IClientNetworkHost 0x6560d:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.2f3da84.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0xb587:$x2: NanoCore.ClientPluginHost 0x126a8:$x2: NanoCore.ClientPluginHost 0x18985:$x2: NanoCore.ClientPluginHost 0x22fe7:$x2: NanoCore.ClientPluginHost 0x2d467:$x2: NanoCore.ClientPluginHost 0x3849d:$x2: NanoCore.ClientPluginHost 0x44297:$x2: NanoCore.ClientPluginHost 0x50082:$x2: NanoCore.ClientPluginHost 0x607d3:$x2: NanoCore.ClientPluginHost 0x655f3:$x2: NanoCore.ClientPluginHost 0x23f3d:$s3: PipeExists 0x60bbf:$s3: PipeExists 0x659df:$s3: PipeExists 0x1800:$s4: PipeCreated 0xb68b:$s4: PipeCreated 0x12786:$s4: PipeCreated 0x18aa0:$s4: PipeCreated 0x231dd:$s4: PipeCreated 0x2d5b2:$s4: PipeCreated 0x394d2:$s4: PipeCreated
14.2.OEc88DZdiO.exe.2f3da84.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0xb603:$x2: NanoCore.ClientPlugin 0x126f2:$x2: NanoCore.ClientPlugin 0x189ff:$x2: NanoCore.ClientPlugin 0x230d1:$x2: NanoCore.ClientPlugin 0x2d507:$x2: NanoCore.ClientPlugin 0x38474:$x2: NanoCore.ClientPlugin 0x4426e:$x2: NanoCore.ClientPlugin 0x5005d:$x2: NanoCore.ClientPlugin 0x60796:$x2: NanoCore.ClientPlugin 0x655b6:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0xb587:$x3: NanoCore.ClientPluginHost 0x126a8:$x3: NanoCore.ClientPluginHost 0x18985:$x3: NanoCore.ClientPluginHost 0x22fe7:$x3: NanoCore.ClientPluginHost 0x2d467:$x3: NanoCore.ClientPluginHost 0x3849d:$x3: NanoCore.ClientPluginHost 0x44297:$x3: NanoCore.ClientPluginHost 0x50082:$x3: NanoCore.ClientPluginHost 0x607d3:$x3: NanoCore.ClientPluginHost
14.2.OEc88DZdiO.exe.2f3da84.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb587:$a: NanoCore 0xb603:$a: NanoCore 0xdee6:$a: NanoCore 0x126a8:$a: NanoCore 0x126f2:$a: NanoCore 0x1334c:$a: NanoCore 0x18985:$a: NanoCore 0x189ff:$a: NanoCore 0x22fe7:$a: NanoCore 0x230d1:$a: NanoCore 0x23f48:$a: NanoCore
14.0.OEc88DZdiO.exe.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.OEc88DZdiO.exe.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.0.OEc88DZdiO.exe.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.OEc88DZdiO.exe.400000.12.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
14.0.OEc88DZdiO.exe.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.OEc88DZdiO.exe.2f1d178.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14e31:$x1: NanoCore.ClientPluginHost 0x21fef:$x1: NanoCore.ClientPluginHost 0x2be93:$x1: NanoCore.ClientPluginHost 0x32fb4:$x1: NanoCore.ClientPluginHost 0x39291:$x1: NanoCore.ClientPluginHost 0x438f3:$x1: NanoCore.ClientPluginHost 0x4dd73:$x1: NanoCore.ClientPluginHost 0x58da9:$x1: NanoCore.ClientPluginHost 0x64ba3:$x1: NanoCore.ClientPluginHost 0x7098e:$x1: NanoCore.ClientPluginHost 0x810df:$x1: NanoCore.ClientPluginHost 0x85eff:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e5e:$x2: IClientNetworkHost 0x22028:$x2: IClientNetworkHost 0x2becc:$x2: IClientNetworkHost 0x392ca:$x2: IClientNetworkHost 0x43a50:$x2: IClientNetworkHost 0x4ddac:$x2: IClientNetworkHost 0x58dc3:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.2f1d178.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x14e31:$x2: NanoCore.ClientPluginHost 0x21fef:$x2: NanoCore.ClientPluginHost 0x2be93:$x2: NanoCore.ClientPluginHost 0x32fb4:$x2: NanoCore.ClientPluginHost 0x39291:$x2: NanoCore.ClientPluginHost 0x438f3:$x2: NanoCore.ClientPluginHost 0x4dd73:$x2: NanoCore.ClientPluginHost 0x58da9:$x2: NanoCore.ClientPluginHost 0x64ba3:$x2: NanoCore.ClientPluginHost 0x7098e:$x2: NanoCore.ClientPluginHost 0x810df:$x2: NanoCore.ClientPluginHost 0x85eff:$x2: NanoCore.ClientPluginHost 0x15e00:$s2: FileCommand 0x44849:$s3: PipeExists 0x814cb:$s3: PipeExists 0x862eb:$s3: PipeExists 0x6a6b:$s4: PipeCreated 0x1a802:$s4: PipeCreated 0x2210c:$s4: PipeCreated 0x2bf97:$s4: PipeCreated
14.2.OEc88DZdiO.exe.2f1d178.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.OEc88DZdiO.exe.2f1d178.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14e0b:$x2: NanoCore.ClientPlugin 0x2206b:$x2: NanoCore.ClientPlugin 0x2bf0f:$x2: NanoCore.ClientPlugin 0x32ffe:$x2: NanoCore.ClientPlugin 0x3930b:$x2: NanoCore.ClientPlugin 0x439dd:$x2: NanoCore.ClientPlugin 0x4de13:$x2: NanoCore.ClientPlugin 0x58d80:$x2: NanoCore.ClientPlugin 0x64b7a:$x2: NanoCore.ClientPlugin 0x70969:$x2: NanoCore.ClientPlugin 0x810a2:$x2: NanoCore.ClientPlugin 0x85ec2:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x14e31:$x3: NanoCore.ClientPluginHost 0x21fef:$x3: NanoCore.ClientPluginHost 0x2be93:$x3: NanoCore.ClientPluginHost 0x32fb4:$x3: NanoCore.ClientPluginHost 0x39291:$x3: NanoCore.ClientPluginHost 0x438f3:$x3: NanoCore.ClientPluginHost 0x4dd73:$x3: NanoCore.ClientPluginHost
14.2.OEc88DZdiO.exe.2f1d178.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14e0b:$a: NanoCore 0x14e31:$a: NanoCore 0x14e8d:$a: NanoCore 0x21d37:$a: NanoCore 0x21d90:$a: NanoCore 0x21dc3:$a: NanoCore 0x21fef:$a: NanoCore 0x2206b:$a: NanoCore 0x22684:$a: NanoCore 0x227cd:$a: NanoCore 0x22ca1:$a: NanoCore 0x22f88:$a: NanoCore 0x22f9f:$a: NanoCore 0x2be93:$a: NanoCore 0x2bf0f:$a: NanoCore 0x2e7f2:$a: NanoCore 0x32fb4:$a: NanoCore 0x32ffe:$a: NanoCore
14.2.OEc88DZdiO.exe.3cfb15e.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0b7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0e4:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.3cfb15e.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0b7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e192:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0d1:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.3cfb15e.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.OEc88DZdiO.exe.3cfb15e.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d082:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d0b7:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d076:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d098:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d0a7:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d0d1:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
14.2.OEc88DZdiO.exe.3cfb15e.11.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d06d:$a: NanoCore 0x2d082:$a: NanoCore 0x2d0b7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce29:$b: ClientPlugin 0x2ce44:$b: ClientPlugin
15.2.dhcpmon.exe.40b5f30.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.dhcpmon.exe.40b5f30.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
15.2.dhcpmon.exe.40b5f30.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.dhcpmon.exe.40b5f30.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
15.2.dhcpmon.exe.40b5f30.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.OEc88DZdiO.exe.5520000.26.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.5520000.26.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.5520000.26.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
14.2.OEc88DZdiO.exe.5f04629.31.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.5f04629.31.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.5f04629.31.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.OEc88DZdiO.exe.5f04629.31.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
14.2.OEc88DZdiO.exe.1160000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.1160000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
14.2.OEc88DZdiO.exe.1160000.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
14.2.OEc88DZdiO.exe.6f2e68c.38.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.6f2e68c.38.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
14.2.OEc88DZdiO.exe.6f2e68c.38.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
19.0.dhcpmon.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.0.dhcpmon.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
19.0.dhcpmon.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.0.dhcpmon.exe.400000.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
19.0.dhcpmon.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.0.OEc88DZdiO.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.0.OEc88DZdiO.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.0.OEc88DZdiO.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.0.OEc88DZdiO.exe.400000.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
14.0.OEc88DZdiO.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.OEc88DZdiO.exe.1110000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.1110000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
14.2.OEc88DZdiO.exe.1110000.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
19.2.dhcpmon.exe.41c45bd.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c58:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c85:$x2: IClientNetworkHost
19.2.dhcpmon.exe.41c45bd.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c58:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d33:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c72:$s5: IClientLoggingHost
19.2.dhcpmon.exe.41c45bd.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.dhcpmon.exe.41c45bd.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x23c23:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x23c58:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x23c17:$i2: IClientData 0xb165:$i3: IClientNetwork 0x23c39:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x23c48:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x23c72:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x23c85:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x23c98:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x23ca6:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x23cc2:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
14.2.OEc88DZdiO.exe.4b2ff0a.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2221d:$x1: NanoCore.ClientPluginHost 0x32439:$x1: NanoCore.ClientPluginHost 0x3f5a2:$x1: NanoCore.ClientPluginHost 0x44c95:$x1: NanoCore.ClientPluginHost 0x4af1e:$x1: NanoCore.ClientPluginHost 0x5552d:$x1: NanoCore.ClientPluginHost 0x5f958:$x1: NanoCore.ClientPluginHost 0x6a935:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x22247:$x2: IClientNetworkHost 0x32466:$x2: IClientNetworkHost 0x3f5db:$x2: IClientNetworkHost 0x4af57:$x2: IClientNetworkHost 0x5568a:$x2: IClientNetworkHost 0x5f991:$x2: IClientNetworkHost 0x6a94f:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.4b2ff0a.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2221d:$x2: NanoCore.ClientPluginHost 0x32439:$x2: NanoCore.ClientPluginHost 0x3f5a2:$x2: NanoCore.ClientPluginHost 0x44c95:$x2: NanoCore.ClientPluginHost 0x4af1e:$x2: NanoCore.ClientPluginHost 0x5552d:$x2: NanoCore.ClientPluginHost 0x5f958:$x2: NanoCore.ClientPluginHost 0x6a935:$x2: NanoCore.ClientPluginHost 0x33408:$s2: FileCommand 0x1261:$s3: PipeExists 0x56483:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x240cd:$s4: PipeCreated 0x37e0a:$s4: PipeCreated 0x3f6bf:$s4: PipeCreated 0x44d73:$s4: PipeCreated 0x4b039:$s4: PipeCreated 0x55723:$s4: PipeCreated
14.2.OEc88DZdiO.exe.4b2ff0a.19.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.OEc88DZdiO.exe.4b2ff0a.19.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.OEc88DZdiO.exe.4b2ff0a.19.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x221f8:$x2: NanoCore.ClientPlugin 0x32413:$x2: NanoCore.ClientPlugin 0x3f61e:$x2: NanoCore.ClientPlugin 0x44cdf:$x2: NanoCore.ClientPlugin 0x4af98:$x2: NanoCore.ClientPlugin 0x55617:$x2: NanoCore.ClientPlugin 0x5f9f8:$x2: NanoCore.ClientPlugin 0x6a90c:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2221d:$x3: NanoCore.ClientPluginHost 0x32439:$x3: NanoCore.ClientPluginHost 0x3f5a2:$x3: NanoCore.ClientPluginHost 0x44c95:$x3: NanoCore.ClientPluginHost 0x4af1e:$x3: NanoCore.ClientPluginHost 0x5552d:$x3: NanoCore.ClientPluginHost 0x5f958:$x3: NanoCore.ClientPluginHost 0x6a935:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp
14.2.OEc88DZdiO.exe.4b2ff0a.19.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x221f8:$a: NanoCore 0x2221d:$a: NanoCore 0x22276:$a: NanoCore 0x32413:$a: NanoCore 0x32439:$a: NanoCore 0x32495:$a: NanoCore 0x3f2ea:$a: NanoCore 0x3f343:$a: NanoCore 0x3f376:$a: NanoCore 0x3f5a2:$a: NanoCore 0x3f61e:$a: NanoCore 0x3fc37:$a: NanoCore 0x3fd80:$a: NanoCore 0x40254:$a: NanoCore
14.2.OEc88DZdiO.exe.6f15e60.37.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.OEc88DZdiO.exe.6f15e60.37.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.OEc88DZdiO.exe.6f15e60.37.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x1d3c2:$x2: NanoCore.ClientPlugin 0x2d5dd:$x2: NanoCore.ClientPlugin 0x3a7e8:$x2: NanoCore.ClientPlugin 0x3fea9:$x2: NanoCore.ClientPlugin 0x46162:$x2: NanoCore.ClientPlugin 0x507e1:$x2: NanoCore.ClientPlugin 0x5abc2:$x2: NanoCore.ClientPlugin 0x65ad6:$x2: NanoCore.ClientPlugin 0x71878:$x2: NanoCore.ClientPlugin 0x9677c:$x2: NanoCore.ClientPlugin 0xa5bc0:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x1d3e7:$x3: NanoCore.ClientPluginHost 0x2d603:$x3: NanoCore.ClientPluginHost 0x3a76c:$x3: NanoCore.ClientPluginHost 0x3fe5f:$x3: NanoCore.ClientPluginHost 0x460e8:$x3: NanoCore.ClientPluginHost 0x506f7:$x3: NanoCore.ClientPluginHost 0x5ab22:$x3: NanoCore.ClientPluginHost 0x65aff:$x3: NanoCore.ClientPluginHost
14.2.OEc88DZdiO.exe.6f15e60.37.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf763:$a: NanoCore 0xf778:$a: NanoCore 0xf7ad:$a: NanoCore 0x1d3c2:$a: NanoCore 0x1d3e7:$a: NanoCore 0x1d440:$a: NanoCore 0x2d5dd:$a: NanoCore 0x2d603:$a: NanoCore 0x2d65f:$a: NanoCore 0x3a4b4:$a: NanoCore 0x3a50d:$a: NanoCore 0x3a540:$a: NanoCore 0x3a76c:$a: NanoCore 0x3a7e8:$a: NanoCore 0x3ae01:$a: NanoCore 0x3af4a:$a: NanoCore 0x3b41e:$a: NanoCore 0x3b705:$a: NanoCore 0x3b71c:$a: NanoCore 0x3eaa5:$a: NanoCore 0x3fe5f:$a: NanoCore
0.2.OEc88DZdiO.exe.39a0af0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x10bbcd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x10bc0a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x10f73d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.OEc88DZdiO.exe.39a0af0.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.OEc88DZdiO.exe.39a0af0.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x10b935:$x1: NanoCore Client 0x10b945:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x10bb8d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10bbcd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10bb82:$i1: IClientApp 0x10163:$i2: IClientData 0x10bba3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x10bbaf:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x10bbbe:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x10bbe7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x10bbf7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
0.2.OEc88DZdiO.exe.39a0af0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x10b935:$a: NanoCore 0x10b945:$a: NanoCore 0x10bb79:$a: NanoCore 0x10bb8d:$a: NanoCore 0x10bbcd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x10b994:$b: ClientPlugin 0x10bb96:$b: ClientPlugin 0x10bbd6:$b: ClientPlugin 0x1007b:$c: ProjectData 0xcfe10:$c: ProjectData 0x10babb:$c: ProjectData 0x10a82:$d: DESCrypto 0x10c4c2:$d: DESCrypto
15.2.dhcpmon.exe.2f68d90.1.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x2a8690:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x2a86d4:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x2a871c:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x2a89a8:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0x2a8a0c:$s2: Set-MpPreference -DisableArchiveScanning $true 0x2a8a64:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x2a8abc:$s4: Set-MpPreference -DisableScriptScanning $true 0x2a8b08:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x2a8b48:$s6: Set-MpPreference -MAPSReporting 0 0x2a8b94:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x2a8bec:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x2a8c3c:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x2a8c8c:$s10: Set-MpPreference -SevereThreatDefaultAction 6
14.2.OEc88DZdiO.exe.2f29404.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d63:$x1: NanoCore.ClientPluginHost 0x1fc07:$x1: NanoCore.ClientPluginHost 0x26d28:$x1: NanoCore.ClientPluginHost 0x2d005:$x1: NanoCore.ClientPluginHost 0x37667:$x1: NanoCore.ClientPluginHost 0x41ae7:$x1: NanoCore.ClientPluginHost 0x4cb1d:$x1: NanoCore.ClientPluginHost 0x58917:$x1: NanoCore.ClientPluginHost 0x64702:$x1: NanoCore.ClientPluginHost 0x74e53:$x1: NanoCore.ClientPluginHost 0x79c73:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d9c:$x2: IClientNetworkHost 0x1fc40:$x2: IClientNetworkHost 0x2d03e:$x2: IClientNetworkHost 0x377c4:$x2: IClientNetworkHost 0x41b20:$x2: IClientNetworkHost 0x4cb37:$x2: IClientNetworkHost 0x58931:$x2: IClientNetworkHost 0x6473f:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.2f29404.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d63:$x2: NanoCore.ClientPluginHost 0x1fc07:$x2: NanoCore.ClientPluginHost 0x26d28:$x2: NanoCore.ClientPluginHost 0x2d005:$x2: NanoCore.ClientPluginHost 0x37667:$x2: NanoCore.ClientPluginHost 0x41ae7:$x2: NanoCore.ClientPluginHost 0x4cb1d:$x2: NanoCore.ClientPluginHost 0x58917:$x2: NanoCore.ClientPluginHost 0x64702:$x2: NanoCore.ClientPluginHost 0x74e53:$x2: NanoCore.ClientPluginHost 0x79c73:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x385bd:$s3: PipeExists 0x7523f:$s3: PipeExists 0x7a05f:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e80:$s4: PipeCreated 0x1fd0b:$s4: PipeCreated 0x26e06:$s4: PipeCreated 0x2d120:$s4: PipeCreated
14.2.OEc88DZdiO.exe.2f29404.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.OEc88DZdiO.exe.2f29404.9.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15ddf:$x2: NanoCore.ClientPlugin 0x1fc83:$x2: NanoCore.ClientPlugin 0x26d72:$x2: NanoCore.ClientPlugin 0x2d07f:$x2: NanoCore.ClientPlugin 0x37751:$x2: NanoCore.ClientPlugin 0x41b87:$x2: NanoCore.ClientPlugin 0x4caf4:$x2: NanoCore.ClientPlugin 0x588ee:$x2: NanoCore.ClientPlugin 0x646dd:$x2: NanoCore.ClientPlugin 0x74e16:$x2: NanoCore.ClientPlugin 0x79c36:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x15d63:$x3: NanoCore.ClientPluginHost 0x1fc07:$x3: NanoCore.ClientPluginHost 0x26d28:$x3: NanoCore.ClientPluginHost 0x2d005:$x3: NanoCore.ClientPluginHost 0x37667:$x3: NanoCore.ClientPluginHost 0x41ae7:$x3: NanoCore.ClientPluginHost 0x4cb1d:$x3: NanoCore.ClientPluginHost 0x58917:$x3: NanoCore.ClientPluginHost
14.2.OEc88DZdiO.exe.2f29404.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15aab:$a: NanoCore 0x15b04:$a: NanoCore 0x15b37:$a: NanoCore 0x15d63:$a: NanoCore 0x15ddf:$a: NanoCore 0x163f8:$a: NanoCore 0x16541:$a: NanoCore 0x16a15:$a: NanoCore 0x16cfc:$a: NanoCore 0x16d13:$a: NanoCore 0x1fc07:$a: NanoCore 0x1fc83:$a: NanoCore 0x22566:$a: NanoCore 0x26d28:$a: NanoCore 0x26d72:$a: NanoCore 0x279cc:$a: NanoCore 0x2d005:$a: NanoCore 0x2d07f:$a: NanoCore
14.2.OEc88DZdiO.exe.4a2edfa.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb537:$x1: NanoCore.ClientPluginHost 0x12604:$x1: NanoCore.ClientPluginHost 0x1888f:$x1: NanoCore.ClientPluginHost 0x22ea0:$x1: NanoCore.ClientPluginHost 0x2d2cd:$x1: NanoCore.ClientPluginHost 0x382ac:$x1: NanoCore.ClientPluginHost 0x44050:$x1: NanoCore.ClientPluginHost 0x68f56:$x1: NanoCore.ClientPluginHost 0x78398:$x1: NanoCore.ClientPluginHost 0x9f9a1:$x1: NanoCore.ClientPluginHost 0xa9c6d:$x1: NanoCore.ClientPluginHost 0xbd3db:$x1: NanoCore.ClientPluginHost 0xc72d5:$x1: NanoCore.ClientPluginHost 0xdaa43:$x1: NanoCore.ClientPluginHost 0xe867d:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb570:$x2: IClientNetworkHost 0x188c8:$x2: IClientNetworkHost 0x22ffd:$x2: IClientNetworkHost 0x2d306:$x2: IClientNetworkHost
14.2.OEc88DZdiO.exe.4a2edfa.14.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.OEc88DZdiO.exe.4a2edfa.14.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0xb5b3:$x2: NanoCore.ClientPlugin 0x1264e:$x2: NanoCore.ClientPlugin 0x18909:$x2: NanoCore.ClientPlugin 0x22f8a:$x2: NanoCore.ClientPlugin 0x2d36d:$x2: NanoCore.ClientPlugin 0x38283:$x2: NanoCore.ClientPlugin 0x44027:$x2: NanoCore.ClientPlugin 0x68f2d:$x2: NanoCore.ClientPlugin 0x78373:$x2: NanoCore.ClientPlugin 0x9f978:$x2: NanoCore.ClientPlugin 0xa9c30:$x2: NanoCore.ClientPlugin 0xbd3a6:$x2: NanoCore.ClientPlugin 0xc7298:$x2: NanoCore.ClientPlugin 0xdaa0e:$x2: NanoCore.ClientPlugin 0xe8658:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0xb537:$x3: NanoCore.ClientPluginHost 0x12604:$x3: NanoCore.ClientPluginHost 0x1888f:$x3: NanoCore.ClientPluginHost 0x22ea0:$x3: NanoCore.ClientPluginHost
14.2.OEc88DZdiO.exe.4a2edfa.14.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb537:$a: NanoCore 0xb5b3:$a: NanoCore 0xde96:$a: NanoCore 0x11248:$a: NanoCore 0x12604:$a: NanoCore 0x1264e:$a: NanoCore 0x132a8:$a: NanoCore 0x1888f:$a: NanoCore 0x18909:$a: NanoCore 0x22ea0:$a: NanoCore 0x22f8a:$a: NanoCore
0.2.OEc88DZdiO.exe.28f8c84.1.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x2a8750:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x2a8794:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x2a87dc:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x2a8a68:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0x2a8acc:$s2: Set-MpPreference -DisableArchiveScanning $true 0x2a8b24:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x2a8b7c:$s4: Set-MpPreference -DisableScriptScanning $true 0x2a8bc8:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x2a8c08:$s6: Set-MpPreference -MAPSReporting 0 0x2a8c54:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x2a8cac:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x2a8cfc:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x2a8d4c:$s10: Set-MpPreference -SevereThreatDefaultAction 6
14.2.OEc88DZdiO.exe.4a0e599.15.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.OEc88DZdiO.exe.4a0e599.15.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.OEc88DZdiO.exe.4a0e599.15.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14db3:$x2: NanoCore.ClientPlugin 0x21fc0:$x2: NanoCore.ClientPlugin 0x2be14:$x2: NanoCore.ClientPlugin 0x32eaf:$x2: NanoCore.ClientPlugin 0x3916a:$x2: NanoCore.ClientPlugin 0x437eb:$x2: NanoCore.ClientPlugin 0x4dbce:$x2: NanoCore.ClientPlugin 0x58ae4:$x2: NanoCore.ClientPlugin 0x64888:$x2: NanoCore.ClientPlugin 0x8978e:$x2: NanoCore.ClientPlugin 0x98bd4:$x2: NanoCore.ClientPlugin 0xc01d9:$x2: NanoCore.ClientPlugin 0xca491:$x2: NanoCore.ClientPlugin 0xddc07:$x2: NanoCore.ClientPlugin 0xe7af9:$x2: NanoCore.ClientPlugin 0xfb26f:$x2: NanoCore.ClientPlugin 0x108eb9:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x14dd9:$x3: NanoCore.ClientPluginHost 0x21f44:$x3: NanoCore.ClientPluginHost
14.2.OEc88DZdiO.exe.4a0e599.15.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db3:$a: NanoCore 0x14dd9:$a: NanoCore 0x14e35:$a: NanoCore 0x21c8c:$a: NanoCore 0x21ce5:$a: NanoCore 0x21d18:$a: NanoCore 0x21f44:$a: NanoCore 0x21fc0:$a: NanoCore 0x225d9:$a: NanoCore 0x22722:$a: NanoCore 0x22bf6:$a: NanoCore 0x22edd:$a: NanoCore 0x22ef4:$a: NanoCore 0x2bd98:$a: NanoCore 0x2be14:$a: NanoCore 0x2e6f7:$a: NanoCore 0x31aa9:$a: NanoCore 0x32e65:$a: NanoCore
14.2.OEc88DZdiO.exe.6f2e68c.38.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.OEc88DZdiO.exe.4a1a7cd.16.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.OEc88DZdiO.exe.4a1a7cd.16.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.OEc88DZdiO.exe.4a1a7cd.16.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15d8c:$x2: NanoCore.ClientPlugin 0x1fbe0:$x2: NanoCore.ClientPlugin 0x26c7b:$x2: NanoCore.ClientPlugin 0x2cf36:$x2: NanoCore.ClientPlugin 0x375b7:$x2: NanoCore.ClientPlugin 0x4199a:$x2: NanoCore.ClientPlugin 0x4c8b0:$x2: NanoCore.ClientPlugin 0x58654:$x2: NanoCore.ClientPlugin 0x7d55a:$x2: NanoCore.ClientPlugin 0x8c9a0:$x2: NanoCore.ClientPlugin 0xb3fa5:$x2: NanoCore.ClientPlugin 0xbe25d:$x2: NanoCore.ClientPlugin 0xd19d3:$x2: NanoCore.ClientPlugin 0xdb8c5:$x2: NanoCore.ClientPlugin 0xef03b:$x2: NanoCore.ClientPlugin 0xfcc85:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x15d10:$x3: NanoCore.ClientPluginHost 0x1fb64:$x3: NanoCore.ClientPluginHost 0x26c31:$x3: NanoCore.ClientPluginHost
14.2.OEc88DZdiO.exe.4a1a7cd.16.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a58:$a: NanoCore 0x15ab1:$a: NanoCore 0x15ae4:$a: NanoCore 0x15d10:$a: NanoCore 0x15d8c:$a: NanoCore 0x163a5:$a: NanoCore 0x164ee:$a: NanoCore 0x169c2:$a: NanoCore 0x16ca9:$a: NanoCore 0x16cc0:$a: NanoCore 0x1fb64:$a: NanoCore 0x1fbe0:$a: NanoCore 0x224c3:$a: NanoCore 0x25875:$a: NanoCore 0x26c31:$a: NanoCore 0x26c7b:$a: NanoCore 0x278d5:$a: NanoCore 0x2cebc:$a: NanoCore
14.2.OEc88DZdiO.exe.6f1a489.36.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.OEc88DZdiO.exe.6f1a489.36.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.OEc88DZdiO.exe.6f1a489.36.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x18d99:$x2: NanoCore.ClientPlugin 0x28fb4:$x2: NanoCore.ClientPlugin 0x361bf:$x2: NanoCore.ClientPlugin 0x3b880:$x2: NanoCore.ClientPlugin 0x41b39:$x2: NanoCore.ClientPlugin 0x4c1b8:$x2: NanoCore.ClientPlugin 0x56599:$x2: NanoCore.ClientPlugin 0x614ad:$x2: NanoCore.ClientPlugin 0x6d24f:$x2: NanoCore.ClientPlugin 0x92153:$x2: NanoCore.ClientPlugin 0xa1597:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x18dbe:$x3: NanoCore.ClientPluginHost 0x28fda:$x3: NanoCore.ClientPluginHost 0x36143:$x3: NanoCore.ClientPluginHost 0x3b836:$x3: NanoCore.ClientPluginHost 0x41abf:$x3: NanoCore.ClientPluginHost 0x4c0ce:$x3: NanoCore.ClientPluginHost 0x564f9:$x3: NanoCore.ClientPluginHost 0x614d6:$x3: NanoCore.ClientPluginHost
14.2.OEc88DZdiO.exe.6f1a489.36.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb13a:$a: NanoCore 0xb14f:$a: NanoCore 0xb184:$a: NanoCore 0x18d99:$a: NanoCore 0x18dbe:$a: NanoCore 0x18e17:$a: NanoCore 0x28fb4:$a: NanoCore 0x28fda:$a: NanoCore 0x29036:$a: NanoCore 0x35e8b:$a: NanoCore 0x35ee4:$a: NanoCore 0x35f17:$a: NanoCore 0x36143:$a: NanoCore 0x361bf:$a: NanoCore 0x367d8:$a: NanoCore 0x36921:$a: NanoCore 0x36df5:$a: NanoCore 0x370dc:$a: NanoCore 0x370f3:$a: NanoCore 0x3a47c:$a: NanoCore 0x3b836:$a: NanoCore
14.2.OEc88DZdiO.exe.6f2e68c.38.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14db1:$x2: NanoCore.ClientPlugin 0x21fbc:$x2: NanoCore.ClientPlugin 0x2767d:$x2: NanoCore.ClientPlugin 0x2d936:$x2: NanoCore.ClientPlugin 0x37fb5:$x2: NanoCore.ClientPlugin 0x42396:$x2: NanoCore.ClientPlugin 0x4d2aa:$x2: NanoCore.ClientPlugin 0x5904c:$x2: NanoCore.ClientPlugin 0x7df50:$x2: NanoCore.ClientPlugin 0x8d394:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x14dd7:$x3: NanoCore.ClientPluginHost 0x21f40:$x3: NanoCore.ClientPluginHost 0x27633:$x3: NanoCore.ClientPluginHost 0x2d8bc:$x3: NanoCore.ClientPluginHost 0x37ecb:$x3: NanoCore.ClientPluginHost 0x422f6:$x3: NanoCore.ClientPluginHost 0x4d2d3:$x3: NanoCore.ClientPluginHost 0x59075:$x3: NanoCore.ClientPluginHost 0x7df79:$x3: NanoCore.ClientPluginHost
14.2.OEc88DZdiO.exe.6f2e68c.38.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db1:$a: NanoCore 0x14dd7:$a: NanoCore 0x14e33:$a: NanoCore 0x21c88:$a: NanoCore 0x21ce1:$a: NanoCore 0x21d14:$a: NanoCore 0x21f40:$a: NanoCore 0x21fbc:$a: NanoCore 0x225d5:$a: NanoCore 0x2271e:$a: NanoCore 0x22bf2:$a: NanoCore 0x22ed9:$a: NanoCore 0x22ef0:$a: NanoCore 0x26279:$a: NanoCore 0x27633:$a: NanoCore 0x2767d:$a: NanoCore 0x282d7:$a: NanoCore 0x2d8bc:$a: NanoCore
Click to see the 309 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\OEc88DZdiO.exe, ProcessId: 5588, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\OEc88DZdiO.exe, ProcessId: 5588, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\OEc88DZdiO.exe, ProcessId: 5588, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\OEc88DZdiO.exe, ProcessId: 5588, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Snort Signatures

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.3 - Destination IP: 91.193.75.132

Timestamp:	192.168.2.391.193.75.1324975471892816718 05/11/22-13:07:09.020314
SID:	2816718
Source Port:	49754
Destination Port:	7189
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 91.193.75.132

Timestamp:	192.168.2.391.193.75.1324977071892816766 05/11/22-13:08:03.714048
SID:	2816766
Source Port:	49770
Destination Port:	7189
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 91.193.75.132 - Destination IP: 192.168.2.3

Timestamp:	91.193.75.132192.168.2.37189497702841753 05/11/22-13:08:13.680983
SID:	2841753
Source Port:	7189
Destination Port:	49770
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 91.193.75.132

Timestamp:	192.168.2.391.193.75.1324975271892816766 05/11/22-13:06:54.301231
SID:	2816766
Source Port:	49752
Destination Port:	7189
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 91.193.75.132

Timestamp:	192.168.2.391.193.75.1324975471892816766 05/11/22-13:07:09.020314
SID:	2816766
Source Port:	49754
Destination Port:	7189
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 91.193.75.132

Timestamp:	192.168.2.391.193.75.1324976671892816766 05/11/22-13:07:48.230138
SID:	2816766
Source Port:	49766
Destination Port:	7189
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 91.193.75.132

Timestamp:	192.168.2.391.193.75.1324976871892816766 05/11/22-13:07:57.240566
SID:	2816766
Source Port:	49768
Destination Port:	7189
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keepalive Response 1 - Source IP: 91.193.75.132 - Destination IP: 192.168.2.3

Timestamp:	91.193.75.132192.168.2.37189497662810290 05/11/22-13:07:45.938962
SID:	2810290
Source Port:	7189
Destination Port:	49766
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 91.193.75.132

Timestamp:	192.168.2.391.193.75.1324975371892816766 05/11/22-13:07:01.543070
SID:	2816766
Source Port:	49753
Destination Port:	7189
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 91.193.75.132

Timestamp:	192.168.2.391.193.75.1324975671892816766 05/11/22-13:07:23.139714
SID:	2816766
Source Port:	49756
Destination Port:	7189
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 91.193.75.132

Timestamp:	192.168.2.391.193.75.1324974871892816766 05/11/22-13:06:37.411576
SID:	2816766
Source Port:	49748
Destination Port:	7189
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 91.193.75.132

Timestamp:	192.168.2.391.193.75.1324975171892816766 05/11/22-13:06:44.520295
SID:	2816766
Source Port:	49751
Destination Port:	7189
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 91.193.75.132

Timestamp:	192.168.2.391.193.75.1324975571892816766 05/11/22-13:07:15.947085
SID:	2816766
Source Port:	49755
Destination Port:	7189
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 91.193.75.132

Timestamp:	192.168.2.391.193.75.1324975971892816766 05/11/22-13:07:32.861220
SID:	2816766
Source Port:	49759
Destination Port:	7189
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 91.193.75.132

Timestamp:	192.168.2.391.193.75.1324976571892816766 05/11/22-13:07:40.015346
SID:	2816766
Source Port:	49765
Destination Port:	7189
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000013.00000002.442350886.0000000003171000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "21bc8004-9dbe-4096-a374-5331629c", "Group": "Cashout Edu", "Domain1": "aztemglobaltradltd.ddns.net", "Domain2": "91.193.75.132", "Port": 7189, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for submitted file

Source: OEc88DZdiO.exe	Virustotal: Detection: 68%	Perma Link
Source: OEc88DZdiO.exe	Metadefender: Detection: 34%	Perma Link
Source: OEc88DZdiO.exe	ReversingLabs: Detection: 65%

Antivirus / Scanner detection for submitted sample

Source: OEc88DZdiO.exe

Avira: detected

Antivirus detection for URL or domain

Source: aztemglobaltradltd.ddns.net

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Avira: detection malicious, Label: TR/AD.Nanocore.yqnzj
Source: C:\Users\user\AppData\Roaming\UNueWzx.exe	Avira: detection malicious, Label: TR/AD.Nanocore.yqnzj

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Metadefender: Detection: 34%	Perma Link
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\UNueWzx.exe	Metadefender: Detection: 34%	Perma Link
Source: C:\Users\user\AppData\Roaming\UNueWzx.exe	ReversingLabs: Detection: 65%

Yara detected Nanocore RAT

Source: Yara match	File source: 19.2.dhcpmon.exe.41bff94.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.3cfff94.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.40b5f30.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.41bff94.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4b34d40.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.41bb15e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.OEc88DZdiO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.5f00000.32.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OEc88DZdiO.exe.39d3510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.5f00000.32.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4b34d40.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.3d045bd.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.3fcbcb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.3cfff94.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.OEc88DZdiO.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.6f15e60.37.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OEc88DZdiO.exe.39a0af0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4b39369.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.OEc88DZdiO.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.OEc88DZdiO.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.3cfb15e.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.40b5f30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.5f04629.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.OEc88DZdiO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.41c45bd.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4b2ff0a.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.6f15e60.37.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OEc88DZdiO.exe.39a0af0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4a2edfa.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4a0e599.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4a1a7cd.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.6f1a489.36.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.546310350.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.334835695.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.337302386.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.442350886.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.335493633.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.416252631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.559653897.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.336489801.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.441028878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.347814498.00000000038A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.442458119.0000000004179000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.425535286.0000000003F18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.416838253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.562818620.0000000005F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.417302089.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.415706140.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.556144169.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OEc88DZdiO.exe PID: 6404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OEc88DZdiO.exe PID: 5588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3312, type: MEMORYSTR

Machine Learning detection for sample

Source: OEc88DZdiO.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\UNueWzx.exe	Joe Sandbox ML: detected

Source: 19.0.dhcpmon.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.OEc88DZdiO.exe.5f00000.32.unpack	Avira: Label: TR/NanoCore.fadte
Source: 14.0.OEc88DZdiO.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.0.dhcpmon.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.OEc88DZdiO.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.0.dhcpmon.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.OEc88DZdiO.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.OEc88DZdiO.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.0.dhcpmon.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.OEc88DZdiO.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.0.dhcpmon.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.OEc88DZdiO.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: OEc88DZdiO.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: OEc88DZdiO.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: b77a5c561934e089\mscorlib.pdbT source: OEc88DZdiO.exe, 0000000E.00000002.548390492.0000000000FC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.549874699.0000000001170000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: .pDBm source: OEc88DZdiO.exe, dhcpmon.exe.14.dr, UNueWzx.exe.0.dr
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.550259552.0000000001180000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.561146588.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.549623987.0000000001160000.00000004.08000000.00040000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.561146588.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]		14_2_0616BB71
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]		14_2_0616BD04

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49748 -> 91.193.75.132:7189
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49751 -> 91.193.75.132:7189
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49752 -> 91.193.75.132:7189
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49753 -> 91.193.75.132:7189
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49754 -> 91.193.75.132:7189
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.3:49754 -> 91.193.75.132:7189
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49755 -> 91.193.75.132:7189
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49756 -> 91.193.75.132:7189
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49759 -> 91.193.75.132:7189
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49765 -> 91.193.75.132:7189
Source: Traffic	Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 91.193.75.132:7189 -> 192.168.2.3:49766
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49766 -> 91.193.75.132:7189
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49768 -> 91.193.75.132:7189
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49770 -> 91.193.75.132:7189
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 91.193.75.132:7189 -> 192.168.2.3:49770

Yara detected Generic Downloader

Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4b34d40.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4b39369.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.2f1d178.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4b2ff0a.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.6f15e60.37.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.2f29404.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4a0e599.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.6f2e68c.38.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4a1a7cd.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.6f1a489.36.raw.unpack, type: UNPACKEDPE

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: aztemglobaltradltd.ddns.net
Source: Malware configuration extractor	URLs: 91.193.75.132

Uses dynamic DNS services

Source: unknown

DNS query: name: aztemglobaltradltd.ddns.net

Source: Joe Sandbox View

ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

Source: Joe Sandbox View

IP Address: 91.193.75.132 91.193.75.132

Source: global traffic

TCP traffic: 192.168.2.3:49748 -> 91.193.75.132:7189

Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.561146588.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com
Source: OEc88DZdiO.exe, 00000000.00000002.343012705.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.556144169.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000F.00000002.421583627.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: OEc88DZdiO.exe, 00000000.00000002.358147748.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.339875844.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.coma6
Source: OEc88DZdiO.exe, 00000000.00000002.358147748.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.339875844.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comicto
Source: OEc88DZdiO.exe, 00000000.00000003.284078761.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283736647.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284127483.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283466649.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284211289.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284419295.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283955775.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283992211.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283655688.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284101695.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283875141.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284172138.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283551647.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283713457.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284303651.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283683584.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283456074.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284244415.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284279515.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283914855.0000000005C85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: OEc88DZdiO.exe, 00000000.00000003.283551647.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283456074.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283435158.0000000005C85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comFYh
Source: OEc88DZdiO.exe, 00000000.00000003.284078761.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283736647.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284127483.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284211289.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284419295.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283955775.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283992211.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283655688.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284101695.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283875141.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284172138.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283713457.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284303651.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283683584.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283435158.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284244415.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284279515.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283914855.0000000005C85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comnn
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: aztemglobaltradltd.ddns.net

Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 19.2.dhcpmon.exe.41bff94.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.3cfff94.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.40b5f30.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.41bff94.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4b34d40.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.41bb15e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.OEc88DZdiO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.5f00000.32.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OEc88DZdiO.exe.39d3510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.5f00000.32.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4b34d40.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.3d045bd.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.3fcbcb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.3cfff94.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.OEc88DZdiO.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.6f15e60.37.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OEc88DZdiO.exe.39a0af0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4b39369.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.OEc88DZdiO.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.OEc88DZdiO.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.3cfb15e.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.40b5f30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.5f04629.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.OEc88DZdiO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.41c45bd.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4b2ff0a.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.6f15e60.37.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OEc88DZdiO.exe.39a0af0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4a2edfa.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4a0e599.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4a1a7cd.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.6f1a489.36.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.546310350.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.334835695.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.337302386.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.442350886.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.335493633.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.416252631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.559653897.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.336489801.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.441028878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.347814498.00000000038A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.442458119.0000000004179000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.425535286.0000000003F18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.416838253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.562818620.0000000005F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.417302089.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.415706140.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.556144169.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OEc88DZdiO.exe PID: 6404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OEc88DZdiO.exe PID: 5588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3312, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 14.2.OEc88DZdiO.exe.4c18a16.22.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.4c18a16.22.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.5510000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.5510000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.dhcpmon.exe.41bff94.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.41bff94.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.5680000.28.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.5680000.28.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.5680000.28.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.1170000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.1170000.5.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.3cfff94.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.3cfff94.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.1120000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.1120000.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.6c4e8a4.35.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.6c4e8a4.35.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.2.dhcpmon.exe.40b5f30.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.40b5f30.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.2.dhcpmon.exe.40b5f30.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.4a0e599.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.4a0e599.15.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dhcpmon.exe.41bff94.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.41bff94.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.4b34d40.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.4b34d40.18.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.dhcpmon.exe.41bb15e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.41bb15e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.dhcpmon.exe.41bb15e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.5500000.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.5500000.24.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.4c0a5e6.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.4c0a5e6.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.6c40000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.6c40000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.54f0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.54f0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.6c40000.33.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.6c40000.33.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.0.OEc88DZdiO.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.OEc88DZdiO.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.0.OEc88DZdiO.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.5f00000.32.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.5f00000.32.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OEc88DZdiO.exe.39d3510.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OEc88DZdiO.exe.39d3510.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OEc88DZdiO.exe.39d3510.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.5510000.25.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.5510000.25.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.5f00000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.5f00000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.4b34d40.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.4b34d40.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.4b34d40.18.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.2f29404.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.2f29404.9.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.6c44c9f.34.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.6c44c9f.34.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.5500000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.5500000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.3d045bd.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.3d045bd.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.dhcpmon.exe.31d9658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.31d9658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.4a1a7cd.16.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.4a1a7cd.16.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.5690000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.5690000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.2.dhcpmon.exe.3fcbcb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.3fcbcb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.2.dhcpmon.exe.3fcbcb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.4c017b7.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.4c017b7.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.4c017b7.20.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.1110000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.1110000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.54f0000.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.54f0000.23.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.3cfff94.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.3cfff94.12.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.4c0a5e6.21.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.4c0a5e6.21.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.1170000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.1170000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.2cdd950.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.2cdd950.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.4c017b7.20.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.4c017b7.20.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.0.OEc88DZdiO.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.OEc88DZdiO.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.0.OEc88DZdiO.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.2f1d178.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.2f1d178.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.5520000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.5520000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.6f15e60.37.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.6f15e60.37.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.4c18a16.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.4c18a16.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OEc88DZdiO.exe.39a0af0.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OEc88DZdiO.exe.39a0af0.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OEc88DZdiO.exe.39a0af0.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.5680000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.5680000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.4b39369.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.4b39369.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.4b39369.17.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.5660000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.5660000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.1180000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.1180000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.5660000.27.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.5660000.27.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.OEc88DZdiO.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.OEc88DZdiO.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.0.OEc88DZdiO.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.1120000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.1120000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.2f3da84.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.2f3da84.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.2f3da84.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.OEc88DZdiO.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.OEc88DZdiO.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.0.OEc88DZdiO.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.2f1d178.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.2f1d178.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.2f1d178.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.3cfb15e.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.3cfb15e.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.3cfb15e.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.40b5f30.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.40b5f30.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.2.dhcpmon.exe.40b5f30.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.5520000.26.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.5520000.26.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.5f04629.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.5f04629.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.1160000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.1160000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.6f2e68c.38.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.6f2e68c.38.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.OEc88DZdiO.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.0.OEc88DZdiO.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.0.OEc88DZdiO.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.1110000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.1110000.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.dhcpmon.exe.41c45bd.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.41c45bd.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.4b2ff0a.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.4b2ff0a.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.4b2ff0a.19.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.6f15e60.37.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.6f15e60.37.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.OEc88DZdiO.exe.39a0af0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.OEc88DZdiO.exe.39a0af0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.OEc88DZdiO.exe.39a0af0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.2f68d90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.2f29404.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.2f29404.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.2f29404.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.4a2edfa.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.OEc88DZdiO.exe.4a2edfa.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.4a2edfa.14.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.OEc88DZdiO.exe.28f8c84.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.4a0e599.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.4a0e599.15.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.4a1a7cd.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.4a1a7cd.16.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.6f1a489.36.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.6f1a489.36.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.OEc88DZdiO.exe.6f2e68c.38.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.OEc88DZdiO.exe.6f2e68c.38.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.562461280.0000000005690000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.562461280.0000000005690000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000E.00000002.546310350.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.546310350.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000000.334835695.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000000.334835695.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.562338287.0000000005660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.562338287.0000000005660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000E.00000000.337302386.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000000.337302386.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.548643911.0000000001110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.548643911.0000000001110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000E.00000002.549623987.0000000001160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.549623987.0000000001160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000013.00000002.442350886.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.562419595.0000000005680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.562419595.0000000005680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000E.00000002.561942739.0000000005500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.561942739.0000000005500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000000.335493633.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000000.335493633.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000000.416252631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000000.416252631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.563949640.0000000006C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.563949640.0000000006C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000E.00000002.559653897.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000000.336489801.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000000.336489801.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.441028878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.441028878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.347814498.00000000038A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.347814498.00000000038A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.549874699.0000000001170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.549874699.0000000001170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.562083531.0000000005520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.562083531.0000000005520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000013.00000002.442458119.0000000004179000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.548674516.0000000001120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.548674516.0000000001120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000F.00000002.425535286.0000000003F18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.425535286.0000000003F18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.562012434.0000000005510000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.562012434.0000000005510000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000013.00000000.416838253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000000.416838253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.562818620.0000000005F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.562818620.0000000005F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000E.00000002.561903140.00000000054F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.561903140.00000000054F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000E.00000002.550259552.0000000001180000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.550259552.0000000001180000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000013.00000000.417302089.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000000.417302089.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000000.415706140.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000000.415706140.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.561146588.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: OEc88DZdiO.exe PID: 6404, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: OEc88DZdiO.exe PID: 6404, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: OEc88DZdiO.exe PID: 5588, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: OEc88DZdiO.exe PID: 5588, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 5116, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 5116, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 3312, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 3312, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: OEc88DZdiO.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 14.2.OEc88DZdiO.exe.4c18a16.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.4c18a16.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.4c18a16.22.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.5510000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.5510000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.5510000.25.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.dhcpmon.exe.41bff94.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.41bff94.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.dhcpmon.exe.41bff94.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.5680000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.5680000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.5680000.28.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.5680000.28.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.1170000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.1170000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.1170000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.3cfff94.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.3cfff94.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.3cfff94.12.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.1120000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.1120000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.1120000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.6c4e8a4.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.6c4e8a4.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.6c4e8a4.35.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.2.dhcpmon.exe.40b5f30.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.40b5f30.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.40b5f30.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.2.dhcpmon.exe.40b5f30.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.4a0e599.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.4a0e599.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.4a0e599.15.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dhcpmon.exe.41bff94.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.41bff94.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.dhcpmon.exe.41bff94.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.4b34d40.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.4b34d40.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.4b34d40.18.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.dhcpmon.exe.41bb15e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.41bb15e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.dhcpmon.exe.41bb15e.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.dhcpmon.exe.41bb15e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.5500000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.5500000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.5500000.24.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.4c0a5e6.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.4c0a5e6.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.4c0a5e6.21.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.6c40000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.6c40000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.6c40000.33.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.54f0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.54f0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.54f0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.6c40000.33.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.6c40000.33.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.6c40000.33.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.0.OEc88DZdiO.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.OEc88DZdiO.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.OEc88DZdiO.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.0.OEc88DZdiO.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.5f00000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.5f00000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.5f00000.32.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OEc88DZdiO.exe.39d3510.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OEc88DZdiO.exe.39d3510.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OEc88DZdiO.exe.39d3510.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.5510000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.5510000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.5510000.25.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.5f00000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.5f00000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.5f00000.32.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.4b34d40.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.4b34d40.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.4b34d40.18.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.4b34d40.18.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.2f29404.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.2f29404.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.2f29404.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.6c44c9f.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.6c44c9f.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.6c44c9f.34.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.5500000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.5500000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.5500000.24.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.3d045bd.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.3d045bd.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.3d045bd.13.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.dhcpmon.exe.31d9658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.31d9658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.dhcpmon.exe.31d9658.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.4a1a7cd.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.4a1a7cd.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.4a1a7cd.16.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.5690000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.5690000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.5690000.29.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.2.dhcpmon.exe.3fcbcb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.3fcbcb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.2.dhcpmon.exe.3fcbcb0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.4c017b7.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.4c017b7.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.4c017b7.20.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.4c017b7.20.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.1110000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.1110000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.1110000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.54f0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.54f0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.54f0000.23.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.3cfff94.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.3cfff94.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.3cfff94.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.4c0a5e6.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.4c0a5e6.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.4c0a5e6.21.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.1170000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.1170000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.1170000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.2cdd950.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.2cdd950.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.2cdd950.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.4c017b7.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.4c017b7.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.4c017b7.20.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.0.OEc88DZdiO.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.OEc88DZdiO.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.OEc88DZdiO.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.0.OEc88DZdiO.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.2f1d178.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.2f1d178.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.2f1d178.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.5520000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.5520000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.5520000.26.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.6f15e60.37.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.6f15e60.37.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.6f15e60.37.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.4c18a16.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.4c18a16.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.4c18a16.22.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OEc88DZdiO.exe.39a0af0.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OEc88DZdiO.exe.39a0af0.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.OEc88DZdiO.exe.39a0af0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OEc88DZdiO.exe.39a0af0.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.5680000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.5680000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.5680000.28.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.4b39369.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.4b39369.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.4b39369.17.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.4b39369.17.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.5660000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.5660000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.5660000.27.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.1180000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.1180000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.1180000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.5660000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.5660000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.5660000.27.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.OEc88DZdiO.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.OEc88DZdiO.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.OEc88DZdiO.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.0.OEc88DZdiO.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.1120000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.1120000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.1120000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.2f3da84.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.2f3da84.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.2f3da84.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.2f3da84.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.OEc88DZdiO.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.OEc88DZdiO.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.OEc88DZdiO.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.0.OEc88DZdiO.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.2f1d178.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.2f1d178.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.2f1d178.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.2f1d178.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.3cfb15e.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.3cfb15e.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.3cfb15e.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.3cfb15e.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.40b5f30.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.40b5f30.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.dhcpmon.exe.40b5f30.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.2.dhcpmon.exe.40b5f30.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.5520000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.5520000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.5520000.26.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.5f04629.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.5f04629.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.5f04629.31.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.1160000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.1160000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.1160000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.6f2e68c.38.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.6f2e68c.38.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.6f2e68c.38.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.0.OEc88DZdiO.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.0.OEc88DZdiO.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.0.OEc88DZdiO.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.0.OEc88DZdiO.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.1110000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.1110000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.1110000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.dhcpmon.exe.41c45bd.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.41c45bd.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.dhcpmon.exe.41c45bd.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.4b2ff0a.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.4b2ff0a.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.4b2ff0a.19.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.4b2ff0a.19.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.6f15e60.37.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.6f15e60.37.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.OEc88DZdiO.exe.39a0af0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.OEc88DZdiO.exe.39a0af0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.OEc88DZdiO.exe.39a0af0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.2f68d90.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 14.2.OEc88DZdiO.exe.2f29404.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.2f29404.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.OEc88DZdiO.exe.2f29404.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.2f29404.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.4a2edfa.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.OEc88DZdiO.exe.4a2edfa.14.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.4a2edfa.14.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.OEc88DZdiO.exe.28f8c84.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 14.2.OEc88DZdiO.exe.4a0e599.15.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.4a0e599.15.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.4a1a7cd.16.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.4a1a7cd.16.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.6f1a489.36.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.6f1a489.36.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.OEc88DZdiO.exe.6f2e68c.38.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.OEc88DZdiO.exe.6f2e68c.38.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.562461280.0000000005690000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.562461280.0000000005690000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.562461280.0000000005690000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000E.00000002.546310350.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.546310350.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000000.334835695.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000000.334835695.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.562338287.0000000005660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.562338287.0000000005660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.562338287.0000000005660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000E.00000000.337302386.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000000.337302386.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.548643911.0000000001110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.548643911.0000000001110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.548643911.0000000001110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000E.00000002.549623987.0000000001160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.549623987.0000000001160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.549623987.0000000001160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000013.00000002.442350886.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.562419595.0000000005680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.562419595.0000000005680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.562419595.0000000005680000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000E.00000002.561942739.0000000005500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.561942739.0000000005500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.561942739.0000000005500000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000000.335493633.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000000.335493633.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000000.416252631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000000.416252631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.563949640.0000000006C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.563949640.0000000006C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.563949640.0000000006C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000E.00000002.559653897.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000000.336489801.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000000.336489801.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.441028878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.441028878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.347814498.00000000038A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.347814498.00000000038A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.549874699.0000000001170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.549874699.0000000001170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.549874699.0000000001170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.562083531.0000000005520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.562083531.0000000005520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.562083531.0000000005520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000013.00000002.442458119.0000000004179000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.548674516.0000000001120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.548674516.0000000001120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.548674516.0000000001120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000F.00000002.425535286.0000000003F18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.425535286.0000000003F18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.562012434.0000000005510000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.562012434.0000000005510000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.562012434.0000000005510000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000013.00000000.416838253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000000.416838253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.562818620.0000000005F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.562818620.0000000005F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.562818620.0000000005F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000E.00000002.561903140.00000000054F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.561903140.00000000054F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.561903140.00000000054F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000E.00000002.550259552.0000000001180000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.550259552.0000000001180000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000E.00000002.550259552.0000000001180000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000013.00000000.417302089.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000000.417302089.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000000.415706140.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000000.415706140.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.561146588.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: OEc88DZdiO.exe PID: 6404, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: OEc88DZdiO.exe PID: 6404, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: OEc88DZdiO.exe PID: 5588, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: OEc88DZdiO.exe PID: 5588, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 5116, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 5116, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 3312, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 3312, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Code function: 0_2_00DE49F8	0_2_00DE49F8
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Code function: 0_2_00DE7710	0_2_00DE7710
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Code function: 0_2_00DE49E8	0_2_00DE49E8
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Code function: 0_2_00DE76FF	0_2_00DE76FF
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Code function: 14_2_0123E471	14_2_0123E471
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Code function: 14_2_0123E480	14_2_0123E480
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Code function: 14_2_0123BBD4	14_2_0123BBD4
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Code function: 14_2_06168AB0	14_2_06168AB0
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Code function: 14_2_0616D40E	14_2_0616D40E
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Code function: 14_2_06169D20	14_2_06169D20
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Code function: 14_2_06169DDE	14_2_06169DDE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02DE49F8	15_2_02DE49F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02DE7710	15_2_02DE7710
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02DE49E8	15_2_02DE49E8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02DE76FF	15_2_02DE76FF
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_02DEDA7C	15_2_02DEDA7C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_058CDE90	15_2_058CDE90
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_058C3C20	15_2_058C3C20
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_058CB8A8	15_2_058CB8A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_058CB8B8	15_2_058CB8B8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_058CBBB0	15_2_058CBBB0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_058CBBC0	15_2_058CBBC0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_058CAB68	15_2_058CAB68
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_058CAB78	15_2_058CAB78
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 15_2_058C4A68	15_2_058C4A68
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_0182E480	19_2_0182E480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_0182E471	19_2_0182E471
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_0182BBD4	19_2_0182BBD4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_05753E30	19_2_05753E30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_05754A50	19_2_05754A50
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_05754B08	19_2_05754B08

Source: OEc88DZdiO.exe, 00000000.00000000.276522892.0000000000546000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamehzsr.exeZ vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 00000000.00000002.359210608.0000000009270000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 00000000.00000002.347814498.00000000038A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamehzsr.exeZ vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 00000000.00000002.357847961.0000000005A40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 00000000.00000002.343012705.00000000028A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 00000000.00000002.347743494.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 00000000.00000002.355095008.0000000003CE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000D.00000002.328677382.00000000002E6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamehzsr.exeZ vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.548643911.0000000001110000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.549623987.0000000001160000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.547518204.0000000000876000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamehzsr.exeZ vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000003.516835193.00000000067D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.559653897.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.559653897.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.559653897.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.563949640.0000000006C40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.563949640.0000000006C40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.563949640.0000000006C40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000003.347781617.0000000001018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamehzsr.exeZ vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.548269431.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.549874699.0000000001170000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.548674516.0000000001120000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.561146588.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.561146588.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.561146588.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.561146588.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.561146588.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.561146588.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.561146588.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.561146588.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.556144169.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.562818620.0000000005F00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.562818620.0000000005F00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe, 0000000E.00000002.550259552.0000000001180000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs OEc88DZdiO.exe
Source: OEc88DZdiO.exe	Binary or memory string: OriginalFilenamehzsr.exeZ vs OEc88DZdiO.exe

Source: OEc88DZdiO.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UNueWzx.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.14.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: OEc88DZdiO.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UNueWzx.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.14.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: OEc88DZdiO.exe	Virustotal: Detection: 68%
Source: OEc88DZdiO.exe	Metadefender: Detection: 34%
Source: OEc88DZdiO.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\OEc88DZdiO.exe

File read: C:\Users\user\Desktop\OEc88DZdiO.exe

Jump to behavior

Source: OEc88DZdiO.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\OEc88DZdiO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\OEc88DZdiO.exe "C:\Users\user\Desktop\OEc88DZdiO.exe"
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UNueWzx" /XML "C:\Users\user\AppData\Local\Temp\tmp8227.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process created: C:\Users\user\Desktop\OEc88DZdiO.exe {path}
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process created: C:\Users\user\Desktop\OEc88DZdiO.exe {path}
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UNueWzx" /XML "C:\Users\user\AppData\Local\Temp\tmp206B.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UNueWzx" /XML "C:\Users\user\AppData\Local\Temp\tmp8227.tmp	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process created: C:\Users\user\Desktop\OEc88DZdiO.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process created: C:\Users\user\Desktop\OEc88DZdiO.exe {path}	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UNueWzx" /XML "C:\Users\user\AppData\Local\Temp\tmp206B.tmp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\OEc88DZdiO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\OEc88DZdiO.exe

File created: C:\Users\user\AppData\Roaming\UNueWzx.exe

Jump to behavior

Source: C:\Users\user\Desktop\OEc88DZdiO.exe

File created: C:\Users\user\AppData\Local\Temp\tmp8227.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@14/12@12/1

Source: C:\Users\user\Desktop\OEc88DZdiO.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: OEc88DZdiO.exe, 00000000.00000000.276033925.0000000000482000.00000002.00000001.01000000.00000003.sdmp, OEc88DZdiO.exe, 00000000.00000002.347814498.00000000038A8000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000D.00000002.328491038.0000000000222000.00000002.00000001.01000000.00000003.sdmp, OEc88DZdiO.exe, 0000000E.00000000.330492546.00000000007B2000.00000002.00000001.01000000.00000003.sdmp, OEc88DZdiO.exe, 0000000E.00000003.347781617.0000000001018000.00000004.00000020.00020000.00000000.sdmp, dhcpmon.exe, 0000000F.00000002.419732828.0000000000B62000.00000002.00000001.01000000.0000000B.sdmp, dhcpmon.exe, 00000013.00000002.441091274.0000000000CB2000.00000002.00000001.01000000.0000000B.sdmp, dhcpmon.exe.14.dr, UNueWzx.exe.0.dr

Binary or memory string: SELECT DISTINCT TeacherMachineName FROM [ClassesByTeacherMachineName.csv]7\ClassesByTeacherADName.csv;\StudentsForClassByADName.csv[Provider=Microsoft.Jet.OLEDB.4.0;Data Source=

Source: 19.0.dhcpmon.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 19.0.dhcpmon.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.OEc88DZdiO.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.OEc88DZdiO.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.2.OEc88DZdiO.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.2.OEc88DZdiO.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.OEc88DZdiO.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.OEc88DZdiO.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.OEc88DZdiO.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.OEc88DZdiO.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.OEc88DZdiO.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.OEc88DZdiO.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 19.0.dhcpmon.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 19.0.dhcpmon.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.OEc88DZdiO.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.OEc88DZdiO.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6376:120:WilError_01
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Mutant created: \Sessions\1\BaseNamedObjects\PrGjAyam
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_01
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{21bc8004-9dbe-4096-a374-5331629c8f12}

Source: C:\Users\user\Desktop\OEc88DZdiO.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: OEc88DZdiO.exe

String found in binary or memory: :.zip)Please select a File/buttonAddNewMachineName!rcitemAddStudent'ToolStripSeparator3-Add &AD Name CSV Files3Add &Login Name CSV Files+Active Directory Name3SettingsToolStripMenuItem

Source: 14.0.OEc88DZdiO.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.0.OEc88DZdiO.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14.0.OEc88DZdiO.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.OEc88DZdiO.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.OEc88DZdiO.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.OEc88DZdiO.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.0.OEc88DZdiO.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.0.OEc88DZdiO.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14.0.OEc88DZdiO.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\OEc88DZdiO.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: OEc88DZdiO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: OEc88DZdiO.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: b77a5c561934e089\mscorlib.pdbT source: OEc88DZdiO.exe, 0000000E.00000002.548390492.0000000000FC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.549874699.0000000001170000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: .pDBm source: OEc88DZdiO.exe, dhcpmon.exe.14.dr, UNueWzx.exe.0.dr
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.550259552.0000000001180000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.561146588.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.549623987.0000000001160000.00000004.08000000.00040000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.561146588.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 14.0.OEc88DZdiO.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.OEc88DZdiO.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.OEc88DZdiO.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.OEc88DZdiO.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.OEc88DZdiO.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.OEc88DZdiO.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.OEc88DZdiO.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.OEc88DZdiO.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.OEc88DZdiO.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.OEc88DZdiO.exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.OEc88DZdiO.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.OEc88DZdiO.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.0.dhcpmon.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.0.dhcpmon.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.0.dhcpmon.exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.0.dhcpmon.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Code function: 14_2_0616F747 push 6CB8FF33h; retf	14_2_0616F782
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Code function: 14_2_0616D292 push es; retf	14_2_0616D2AC
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Code function: 14_2_0616D2D2 push es; retf	14_2_0616D2AC
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Code function: 14_2_0616D2DE push es; retf	14_2_0616D2EC
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Code function: 14_2_0616D31A push es; retf	14_2_0616D2EC
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Code function: 14_2_0616D066 push es; ret	14_2_0616D068
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Code function: 14_2_0616D16E push es; retf	14_2_0616D170
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_05756E5D push FFFFFF8Bh; iretd	19_2_05756E5F

Source: initial sample	Static PE information: section name: .text entropy: 7.41415187485
Source: initial sample	Static PE information: section name: .text entropy: 7.41415187485
Source: initial sample	Static PE information: section name: .text entropy: 7.41415187485

Source: 14.0.OEc88DZdiO.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 14.0.OEc88DZdiO.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 14.2.OEc88DZdiO.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 14.2.OEc88DZdiO.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 14.0.OEc88DZdiO.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 14.0.OEc88DZdiO.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 14.0.OEc88DZdiO.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 14.0.OEc88DZdiO.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 14.0.OEc88DZdiO.exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 14.0.OEc88DZdiO.exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 14.0.OEc88DZdiO.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 14.0.OEc88DZdiO.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 19.0.dhcpmon.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 19.0.dhcpmon.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 19.0.dhcpmon.exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 19.0.dhcpmon.exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\OEc88DZdiO.exe	File created: C:\Users\user\AppData\Roaming\UNueWzx.exe			Jump to dropped file
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\OEc88DZdiO.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UNueWzx" /XML "C:\Users\user\AppData\Local\Temp\tmp8227.tmp

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\OEc88DZdiO.exe

File opened: C:\Users\user\Desktop\OEc88DZdiO.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: OEc88DZdiO.exe PID: 6404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5116, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: OEc88DZdiO.exe, 00000000.00000002.343012705.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000F.00000002.421583627.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: OEc88DZdiO.exe, 00000000.00000002.343012705.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000F.00000002.421583627.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\OEc88DZdiO.exe TID: 6460	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe TID: 1868	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6808	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5792	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Window / User API: threadDelayed 5646	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Window / User API: threadDelayed 3699	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Window / User API: foregroundWindowGot 648	Jump to behavior

Source: C:\Users\user\Desktop\OEc88DZdiO.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: dhcpmon.exe, 0000000F.00000002.421583627.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: dhcpmon.exe, 0000000F.00000002.421583627.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: dhcpmon.exe, 0000000F.00000002.421583627.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 0000000F.00000002.421583627.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: dhcpmon.exe, 0000000F.00000002.435751155.00000000079F4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:.3
Source: dhcpmon.exe, 0000000F.00000002.421583627.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: dhcpmon.exe, 0000000F.00000002.421583627.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 0000000F.00000002.435751155.00000000079F4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\g7
Source: dhcpmon.exe, 0000000F.00000002.421583627.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: dhcpmon.exe, 0000000F.00000002.421583627.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 0000000F.00000002.421583627.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: OEc88DZdiO.exe, 0000000E.00000002.548390492.0000000000FC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\OEc88DZdiO.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Memory written: C:\Users\user\Desktop\OEc88DZdiO.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UNueWzx" /XML "C:\Users\user\AppData\Local\Temp\tmp8227.tmp	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process created: C:\Users\user\Desktop\OEc88DZdiO.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Process created: C:\Users\user\Desktop\OEc88DZdiO.exe {path}	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UNueWzx" /XML "C:\Users\user\AppData\Local\Temp\tmp206B.tmp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}	Jump to behavior

Source: OEc88DZdiO.exe, 0000000E.00000002.562948209.000000000605D000.00000004.00000010.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.559567348.00000000031EC000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: OEc88DZdiO.exe, 0000000E.00000002.559477839.0000000003159000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerHa7m
Source: OEc88DZdiO.exe, 0000000E.00000002.563144253.00000000063FA000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Managerram Manager
Source: OEc88DZdiO.exe, 0000000E.00000002.559109308.0000000002FAB000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.557198780.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.556774911.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager$?H

Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Users\user\Desktop\OEc88DZdiO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Users\user\Desktop\OEc88DZdiO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\OEc88DZdiO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\OEc88DZdiO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\OEc88DZdiO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 19.2.dhcpmon.exe.41bff94.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.3cfff94.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.40b5f30.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.41bff94.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4b34d40.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.41bb15e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.OEc88DZdiO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.5f00000.32.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OEc88DZdiO.exe.39d3510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.5f00000.32.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4b34d40.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.3d045bd.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.3fcbcb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.3cfff94.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.OEc88DZdiO.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.6f15e60.37.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OEc88DZdiO.exe.39a0af0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4b39369.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.OEc88DZdiO.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.OEc88DZdiO.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.3cfb15e.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.40b5f30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.5f04629.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.OEc88DZdiO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.41c45bd.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4b2ff0a.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.6f15e60.37.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OEc88DZdiO.exe.39a0af0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4a2edfa.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4a0e599.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4a1a7cd.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.6f1a489.36.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.546310350.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.334835695.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.337302386.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.442350886.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.335493633.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.416252631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.559653897.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.336489801.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.441028878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.347814498.00000000038A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.442458119.0000000004179000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.425535286.0000000003F18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.416838253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.562818620.0000000005F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.417302089.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.415706140.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.556144169.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OEc88DZdiO.exe PID: 6404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OEc88DZdiO.exe PID: 5588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3312, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: OEc88DZdiO.exe, 00000000.00000002.347814498.00000000038A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: OEc88DZdiO.exe, 0000000E.00000002.546310350.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OEc88DZdiO.exe, 0000000E.00000002.548643911.0000000001110000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: OEc88DZdiO.exe, 0000000E.00000002.549623987.0000000001160000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OEc88DZdiO.exe, 0000000E.00000002.549623987.0000000001160000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: OEc88DZdiO.exe, 0000000E.00000003.516835193.00000000067D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: OEc88DZdiO.exe, 0000000E.00000002.559653897.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OEc88DZdiO.exe, 0000000E.00000002.559653897.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: OEc88DZdiO.exe, 0000000E.00000002.563949640.0000000006C40000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: OEc88DZdiO.exe, 0000000E.00000002.549874699.0000000001170000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OEc88DZdiO.exe, 0000000E.00000002.548674516.0000000001120000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OEc88DZdiO.exe, 0000000E.00000002.561146588.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OEc88DZdiO.exe, 0000000E.00000002.561146588.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: OEc88DZdiO.exe, 0000000E.00000002.556144169.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OEc88DZdiO.exe, 0000000E.00000002.556144169.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: OEc88DZdiO.exe, 0000000E.00000002.562818620.0000000005F00000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OEc88DZdiO.exe, 0000000E.00000002.550259552.0000000001180000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: OEc88DZdiO.exe, 0000000E.00000002.550259552.0000000001180000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: dhcpmon.exe, 0000000F.00000002.425535286.0000000003F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000013.00000002.442350886.0000000003171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000013.00000002.442350886.0000000003171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000013.00000000.416252631.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000013.00000002.442458119.0000000004179000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000013.00000002.442458119.0000000004179000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 19.2.dhcpmon.exe.41bff94.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.3cfff94.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.40b5f30.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.dhcpmon.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.41bff94.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4b34d40.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.41bb15e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.OEc88DZdiO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.5f00000.32.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OEc88DZdiO.exe.39d3510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.5f00000.32.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4b34d40.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.3d045bd.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.3fcbcb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.dhcpmon.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.dhcpmon.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.3cfff94.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.OEc88DZdiO.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.6f15e60.37.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OEc88DZdiO.exe.39a0af0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4b39369.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.dhcpmon.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.OEc88DZdiO.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.OEc88DZdiO.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.3cfb15e.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.40b5f30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.5f04629.31.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.dhcpmon.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.OEc88DZdiO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.41c45bd.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4b2ff0a.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.6f15e60.37.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OEc88DZdiO.exe.39a0af0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4a2edfa.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4a0e599.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.4a1a7cd.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.OEc88DZdiO.exe.6f1a489.36.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.546310350.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.334835695.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.337302386.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.442350886.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.335493633.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.416252631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.559653897.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.336489801.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.441028878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.347814498.00000000038A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.442458119.0000000004179000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.425535286.0000000003F18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.416838253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.562818620.0000000005F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.417302089.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.415706140.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.556144169.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OEc88DZdiO.exe PID: 6404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: OEc88DZdiO.exe PID: 5588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3312, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	112 Process Injection	2 Masquerading	11 Input Capture	211 Security Software Discovery	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	112 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	21 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Files and Directories	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	13 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
OEc88DZdiO.exe	68%	Virustotal		Browse
OEc88DZdiO.exe	34%	Metadefender		Browse
OEc88DZdiO.exe	66%	ReversingLabs	Win32.Trojan.AgentTesla
OEc88DZdiO.exe	100%	Avira	TR/AD.Nanocore.yqnzj
OEc88DZdiO.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Avira	TR/AD.Nanocore.yqnzj
C:\Users\user\AppData\Roaming\UNueWzx.exe	100%	Avira	TR/AD.Nanocore.yqnzj
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\UNueWzx.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	34%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	66%	ReversingLabs	Win32.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\UNueWzx.exe	34%	Metadefender		Browse
C:\Users\user\AppData\Roaming\UNueWzx.exe	66%	ReversingLabs	Win32.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
19.0.dhcpmon.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
19.2.dhcpmon.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.2.OEc88DZdiO.exe.5f00000.32.unpack	100%	Avira	TR/NanoCore.fadte	Download File
14.0.OEc88DZdiO.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
19.0.dhcpmon.exe.400000.12.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.2.OEc88DZdiO.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
19.0.dhcpmon.exe.400000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.OEc88DZdiO.exe.400000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.OEc88DZdiO.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
19.0.dhcpmon.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.OEc88DZdiO.exe.400000.12.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
19.0.dhcpmon.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.OEc88DZdiO.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

Source	Detection	Scanner	Label	Link
aztemglobaltradltd.ddns.net	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.fonts.comnn	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.comicto	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
aztemglobaltradltd.ddns.net	1%	Virustotal		Browse
aztemglobaltradltd.ddns.net	100%	Avira URL Cloud	malware
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.fonts.comFYh	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.coma6	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
91.193.75.132	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
aztemglobaltradltd.ddns.net	91.193.75.132	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
aztemglobaltradltd.ddns.net	true	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
91.193.75.132	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.comnn	OEc88DZdiO.exe, 00000000.00000003.284078761.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283736647.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284127483.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284211289.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284419295.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283955775.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283992211.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283655688.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284101695.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283875141.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284172138.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283713457.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284303651.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283683584.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283435158.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284244415.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284279515.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283914855.0000000005C85000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://google.com	OEc88DZdiO.exe, 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.561146588.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comicto	OEc88DZdiO.exe, 00000000.00000002.358147748.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.339875844.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.comFYh	OEc88DZdiO.exe, 00000000.00000003.283551647.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283456074.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283435158.0000000005C85000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.coma6	OEc88DZdiO.exe, 00000000.00000002.358147748.0000000005C50000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.339875844.0000000005C50000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	OEc88DZdiO.exe, 00000000.00000003.284078761.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283736647.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284127483.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283466649.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284211289.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284419295.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283955775.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283992211.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283655688.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284101695.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283875141.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284172138.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283551647.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283713457.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284303651.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283683584.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283456074.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284244415.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.284279515.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 00000000.00000003.283914855.0000000005C85000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	OEc88DZdiO.exe, 00000000.00000002.343012705.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, OEc88DZdiO.exe, 0000000E.00000002.556144169.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000F.00000002.421583627.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	OEc88DZdiO.exe, 00000000.00000002.358547271.0000000006E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.193.75.132	aztemglobaltradltd.ddns.net	Serbia		209623	DAVID_CRAIGGG	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	624271
Start date and time: 11/05/202213:04:40	2022-05-11 13:04:40 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	OEc88DZdiO.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@14/12@12/1
EGA Information:	Successful, ratio: 80%
HDC Information:	Successful, ratio: 1.6% (good quality ratio 1%) Quality average: 36.7% Quality standard deviation: 32.1%
HCA Information:	Successful, ratio: 97% Number of executed functions: 85 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.152.110.14, 20.54.89.106, 20.223.24.244, 52.242.101.226
Excluded domains from analysis (whitelisted): fs.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target OEc88DZdiO.exe, PID 4972 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:06:15	API Interceptor	740x Sleep call for process: OEc88DZdiO.exe modified
13:06:35	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
13:06:55	API Interceptor	2x Sleep call for process: dhcpmon.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
91.193.75.132	po-iteam DOO00076543.exe	Get hash	malicious	Browse
	NEW ORDER 0522 202204280000883 pdf.vbs	Get hash	malicious	Browse
	DHL receipt_ 7048297463 document, pdf.exe	Get hash	malicious	Browse
	mhddd.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetectNet.01.10610.exe	Get hash	malicious	Browse
	DHL_119040 documento de recibo, pdf.exe	Get hash	malicious	Browse
	DHL_119040 receipt document.exe	Get hash	malicious	Browse
	3SEaWza67y.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Strictor.271096.5167.exe	Get hash	malicious	Browse
	Documento de entrega de env#U00edo DHL227024.exe	Get hash	malicious	Browse
	DHL_119040 receipt document, .exe	Get hash	malicious	Browse
	mimibless.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Lazy.160827.18092.exe	Get hash	malicious	Browse
	DHL_119040 receipt document.exe	Get hash	malicious	Browse
	DHL_119060 Receipt Document.exe	Get hash	malicious	Browse
	DHL_119060 Receipt Document.exe	Get hash	malicious	Browse
	DHL_receipt belgesi DHL751110.exe	Get hash	malicious	Browse
	Documento de recibo DHL139040.exe	Get hash	malicious	Browse
	vbc.exe	Get hash	malicious	Browse
	DHL Receipt Document,pdf.exe	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DAVID_CRAIGGG	SecuriteInfo.com.Trojan.PackedNET.331.28355.exe	Get hash	malicious	Browse	91.193.75.133
	qs5yhVj1bE.exe	Get hash	malicious	Browse	91.193.75.221
	Ki8WlC0ddA.exe	Get hash	malicious	Browse	91.193.75.221
	xVDAUvl3Pn.exe	Get hash	malicious	Browse	91.193.75.134
	e1f388b8a086e034b1fbd94ca7341008.exe	Get hash	malicious	Browse	185.140.53.3
	CMACGM-WBINS9013246-20210714-125247.pdf.vbs	Get hash	malicious	Browse	91.193.75.131
	po-iteam DOO00076543.exe	Get hash	malicious	Browse	91.193.75.132
	Charter request details.vbs	Get hash	malicious	Browse	91.193.75.194
	SWIFT_poruka ERSTE BANK ad NOVI SAD.vbs	Get hash	malicious	Browse	91.193.75.133
	IMG2_455982134.exe	Get hash	malicious	Browse	185.140.53.174
	Purchase Report.vbs	Get hash	malicious	Browse	91.193.75.175
	BRINK GMBH BESTELLUNG _ ANFORDERUNG SH238429 12x2.5 mm#U00b2.exe	Get hash	malicious	Browse	185.140.53.72
	Scan 1000276325462 document.vbs	Get hash	malicious	Browse	91.193.75.131
	NEW ORDER 0522 202204280000883 pdf.vbs	Get hash	malicious	Browse	91.193.75.132
	commercial invoice.vbs	Get hash	malicious	Browse	185.165.153.84
	CHECK#718263.VBS	Get hash	malicious	Browse	185.140.53.12
	eW8XdXzJ0K.exe	Get hash	malicious	Browse	91.193.75.227
	HIkhD4L4gC.exe	Get hash	malicious	Browse	185.140.53.212
	DHL Shipment Notice of Arrival AWB 8032697940.vbs	Get hash	malicious	Browse	91.193.75.209
	Invoice.vbs	Get hash	malicious	Browse	91.193.75.227

Process:	C:\Users\user\Desktop\OEc88DZdiO.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	823808
Entropy (8bit):	7.220589038549463
Encrypted:	false
SSDEEP:	12288:xWvZ9voNAsOvZDM0WluH0dcBYKfY3665D4eXyvLkW6CfKjUJJf4r9ap4wWzPSZEm:xWvPTtw0W3dcLGvoLk4L
MD5:	339C2A623CB5E745856B3FA600896BD7
SHA1:	3F9254E4158A8AA0DAFFB16914BE26A96A4B7E44
SHA-256:	C34F73A880D41A1A74E636BB2E6F9DD91B9C9FE050870400C4BEDB2128B63588
SHA-512:	80E4EA1545500B8800648B931FB5F37105C97BFFA510BE9DDAA88AC942243F36A9EEC263BD7EC13A8F51BCCD5F7622872373B541D90F285ACD33FA884D6BD504
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 34%, Browse Antivirus: ReversingLabs, Detection: 66%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....`b..............P.................. ........@.. ....................................@.....................................O.......0............................................................................ ............... ..H............text...4.... ...................... ..`.rsrc...0...........................@..@.reloc..............................@..B........................H........}...v......5.......P............................................0..............0...........(#.....0............($........0..d.......s%........s&........ ..~. nDP.a%..^E................+.s'......... ..L1Z 4...a+.s(........s).........0..?........~....o.... ... x..a%..^E................+.. ...Z ...a+....0..?........~....o+.... x0:. i...a%..^E................+.. r..nZ \|4K.a+....0..?........ ^e. ._.a%..^E................+.~....o,..... .S..Z ...a+..*..0..R...

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\OEc88DZdiO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OEc88DZdiO.exe.log

Download File

Process:	C:\Users\user\Desktop\OEc88DZdiO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1302
Entropy (8bit):	5.3499841584777394
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84bE4K5AE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKorE4j:MIHK5HKXE1qHxvbHK5AHKzvRYHKhQnoY
MD5:	D301510043EA888F0153B24FCB84AC2C
SHA1:	135453B8D9BED826ED8A274E18679190153540DE
SHA-256:	9B36FB58E33C10EEEDEE9591E5F6B1BA828A95CD21B2EC26CF603511B0B268E7
SHA-512:	B09F76128A2FAB8B6588C3A337619E32CCA66AA5F1E53277BBCF134C733B088889D6ACB978548AA6E8F6114BF617F4BF6B3406E27677D40057A744C9417B7E41
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1302
Entropy (8bit):	5.3499841584777394
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84bE4K5AE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKorE4j:MIHK5HKXE1qHxvbHK5AHKzvRYHKhQnoY
MD5:	D301510043EA888F0153B24FCB84AC2C
SHA1:	135453B8D9BED826ED8A274E18679190153540DE
SHA-256:	9B36FB58E33C10EEEDEE9591E5F6B1BA828A95CD21B2EC26CF603511B0B268E7
SHA-512:	B09F76128A2FAB8B6588C3A337619E32CCA66AA5F1E53277BBCF134C733B088889D6ACB978548AA6E8F6114BF617F4BF6B3406E27677D40057A744C9417B7E41
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co

C:\Users\user\AppData\Local\Temp\tmp206B.tmp

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1640
Entropy (8bit):	5.187675710145917
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB1Btn:cbh47TlNQ//rydbz9I3YODOLNdq3nT
MD5:	69599E15A09E6BEBE2523AFCAEA997DA
SHA1:	8EDE953155179C52E9C9C422AEA55755CB23A8E3
SHA-256:	1C91482B8F39888F7CA15AEB17FFBA442739D9E16A1B3270AC2C8BC60A9491E8
SHA-512:	9B7FCE6EB8C842AD692730E98A29CF080AC3C86EAF4BD44FD80A75306B8DBD6A025269C74C4A0FDA140D4D2619D195DBDC45F2DAE13B02C9A1670790E9D6A3D3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmp8227.tmp

Download File

Process:	C:\Users\user\Desktop\OEc88DZdiO.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1640
Entropy (8bit):	5.187675710145917
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB1Btn:cbh47TlNQ//rydbz9I3YODOLNdq3nT
MD5:	69599E15A09E6BEBE2523AFCAEA997DA
SHA1:	8EDE953155179C52E9C9C422AEA55755CB23A8E3
SHA-256:	1C91482B8F39888F7CA15AEB17FFBA442739D9E16A1B3270AC2C8BC60A9491E8
SHA-512:	9B7FCE6EB8C842AD692730E98A29CF080AC3C86EAF4BD44FD80A75306B8DBD6A025269C74C4A0FDA140D4D2619D195DBDC45F2DAE13B02C9A1670790E9D6A3D3
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Download File

Process:	C:\Users\user\Desktop\OEc88DZdiO.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
MD5:	9E7D0351E4DF94A9B0BADCEB6A9DB963
SHA1:	76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
SHA-256:	AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
SHA-512:	93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\OEc88DZdiO.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:cV:cV
MD5:	6EB619EC341C19FBE2C3BBB1AD5B163E
SHA1:	A1569CCD3A96D8885F32E579EF163DD5EB6E31BF
SHA-256:	391121618F0603826F35E3ABD5E7869D43181B33F4312434104EC19877044D6C
SHA-512:	6E32B1E6ABF295FB61F701ADD9FF4B9592A9F7877FEC988AEFF28859ECF1287214E7EB8AF0E8C65F1357609BB8A135B4922D0B548DC333EFCDBE27D77504C2BB
Malicious:	true
Preview:	.R...3.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak

Download File

Process:	C:\Users\user\Desktop\OEc88DZdiO.exe
File Type:	data
Category:	modified
Size (bytes):	24
Entropy (8bit):	4.501629167387823
Encrypted:	false
SSDEEP:	3:9bzY6oRDIvYk:RzWDI3
MD5:	ACD3FB4310417DC77FE06F15B0E353E6
SHA1:	80E7002E655EB5765FDEB21114295CB96AD9D5EB
SHA-256:	DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
SHA-512:	DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
Malicious:	false
Preview:	9iH...}Z.4..f..J".C;"a

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

Download File

Process:	C:\Users\user\Desktop\OEc88DZdiO.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Download File

Process:	C:\Users\user\Desktop\OEc88DZdiO.exe
File Type:	data
Category:	dropped
Size (bytes):	327768
Entropy (8bit):	7.999367066417797
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
MD5:	2E52F446105FBF828E63CF808B721F9C
SHA1:	5330E54F238F46DC04C1AC62B051DB4FCD7416FB
SHA-256:	2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
SHA-512:	C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
Malicious:	false
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\UNueWzx.exe

Download File

Process:	C:\Users\user\Desktop\OEc88DZdiO.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	823808
Entropy (8bit):	7.220589038549463
Encrypted:	false
SSDEEP:	12288:xWvZ9voNAsOvZDM0WluH0dcBYKfY3665D4eXyvLkW6CfKjUJJf4r9ap4wWzPSZEm:xWvPTtw0W3dcLGvoLk4L
MD5:	339C2A623CB5E745856B3FA600896BD7
SHA1:	3F9254E4158A8AA0DAFFB16914BE26A96A4B7E44
SHA-256:	C34F73A880D41A1A74E636BB2E6F9DD91B9C9FE050870400C4BEDB2128B63588
SHA-512:	80E4EA1545500B8800648B931FB5F37105C97BFFA510BE9DDAA88AC942243F36A9EEC263BD7EC13A8F51BCCD5F7622872373B541D90F285ACD33FA884D6BD504
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 34%, Browse Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....`b..............P.................. ........@.. ....................................@.....................................O.......0............................................................................ ............... ..H............text...4.... ...................... ..`.rsrc...0...........................@..@.reloc..............................@..B........................H........}...v......5.......P............................................0..............0...........(#.....0............($........0..d.......s%........s&........ ..~. nDP.a%..^E................+.s'......... ..L1Z 4...a+.s(........s).........0..?........~....o.... ... x..a%..^E................+.. ...Z ...a+....0..?........~....o+.... x0:. i...a%..^E................+.. r..nZ \|4K.a+....0..?........ ^e. ._.a%..^E................+.~....o,..... .S..Z ...a+..*..0..R...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.220589038549463
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	OEc88DZdiO.exe
File size:	823808
MD5:	339c2a623cb5e745856b3fa600896bd7
SHA1:	3f9254e4158a8aa0daffb16914be26a96a4b7e44
SHA256:	c34f73a880d41a1a74e636bb2e6f9dd91b9c9fe050870400c4bedb2128b63588
SHA512:	80e4ea1545500b8800648b931fb5f37105c97bffa510be9ddaa88ac942243f36a9eec263bd7ec13a8f51bccd5f7622872373b541d90f285acd33fa884d6bd504
SSDEEP:	12288:xWvZ9voNAsOvZDM0WluH0dcBYKfY3665D4eXyvLkW6CfKjUJJf4r9ap4wWzPSZEm:xWvPTtw0W3dcLGvoLk4L
TLSH:	F905F6A83ED171CEC4E7C832CEA89C74AA5474EB431B921BB057469DAE4C887DF141F6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....`b..............P.................. ........@.. ....................................@................................

File Icon


Icon Hash:	74f4d4d4c8e4e8c0

Static PE Info

General

Entrypoint:	0x4af52e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6260C992 [Thu Apr 21 03:03:46 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaf4dc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0000	0x1b730	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xcc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xad534	0xad600	False	0.736116900234	data	7.41415187485	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xb0000	0x1b730	0x1b800	False	0.138645241477	data	3.91180073404	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xcc000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xb0220	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0xb0688	0x1d11	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xb239c	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0xb4944	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0xb59ec	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xc6214	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON	0xca43c	0x5a	data
RT_VERSION	0xca498	0x47c	data
RT_MANIFEST	0xca914	0xe15	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2017
Assembly Version	1.2.1.0
InternalName	hzsr.exe
FileVersion	1.2.1.0
CompanyName	Jonathan Perry - Norwich Public Schools
LegalTrademarks
Comments	This application helps in viewing and managing the CSV files that control LanSchool's Dynamic Class Lists.
ProductName	LanSchool Class Lists Helper
ProductVersion	1.2.1.0
FileDescription	LanSchool Class Lists Helper
OriginalFilename	hzsr.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.391.193.75.1324975471892816718 05/11/22-13:07:09.020314	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49754	7189	192.168.2.3	91.193.75.132
192.168.2.391.193.75.1324977071892816766 05/11/22-13:08:03.714048	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49770	7189	192.168.2.3	91.193.75.132
91.193.75.132192.168.2.37189497702841753 05/11/22-13:08:13.680983	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	7189	49770	91.193.75.132	192.168.2.3
192.168.2.391.193.75.1324975271892816766 05/11/22-13:06:54.301231	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49752	7189	192.168.2.3	91.193.75.132
192.168.2.391.193.75.1324975471892816766 05/11/22-13:07:09.020314	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49754	7189	192.168.2.3	91.193.75.132
192.168.2.391.193.75.1324976671892816766 05/11/22-13:07:48.230138	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49766	7189	192.168.2.3	91.193.75.132
192.168.2.391.193.75.1324976871892816766 05/11/22-13:07:57.240566	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49768	7189	192.168.2.3	91.193.75.132
91.193.75.132192.168.2.37189497662810290 05/11/22-13:07:45.938962	TCP	2810290	ETPRO TROJAN NanoCore RAT Keepalive Response 1	7189	49766	91.193.75.132	192.168.2.3
192.168.2.391.193.75.1324975371892816766 05/11/22-13:07:01.543070	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49753	7189	192.168.2.3	91.193.75.132
192.168.2.391.193.75.1324975671892816766 05/11/22-13:07:23.139714	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49756	7189	192.168.2.3	91.193.75.132
192.168.2.391.193.75.1324974871892816766 05/11/22-13:06:37.411576	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49748	7189	192.168.2.3	91.193.75.132
192.168.2.391.193.75.1324975171892816766 05/11/22-13:06:44.520295	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49751	7189	192.168.2.3	91.193.75.132
192.168.2.391.193.75.1324975571892816766 05/11/22-13:07:15.947085	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49755	7189	192.168.2.3	91.193.75.132
192.168.2.391.193.75.1324975971892816766 05/11/22-13:07:32.861220	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49759	7189	192.168.2.3	91.193.75.132
192.168.2.391.193.75.1324976571892816766 05/11/22-13:07:40.015346	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49765	7189	192.168.2.3	91.193.75.132

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 11, 2022 13:06:35.777904987 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:36.029099941 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:36.031433105 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:36.120783091 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:36.373085976 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:36.373147011 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:36.437007904 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:36.536736012 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:36.698561907 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:36.698750973 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:36.919104099 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.001961946 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.133270025 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.410496950 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.411576033 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.532835960 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.532876015 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.532907009 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.532943010 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.533020020 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.533030987 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.533086061 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.533124924 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.533129930 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.533160925 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.533200026 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.533229113 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.533235073 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.533252954 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.533282995 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.533339977 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.661181927 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.754692078 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.754816055 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.754844904 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.754868031 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.754877090 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.754940033 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.755515099 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.755639076 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.756604910 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.757049084 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.765211105 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.765239000 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.765250921 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.765264034 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.765280008 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.765435934 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.765458107 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.773647070 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.773685932 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.773705006 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.773729086 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.773761034 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.773787022 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.773809910 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.773861885 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.773919106 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.773947954 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.977229118 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.977267981 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.977293968 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.977761030 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.985622883 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.985657930 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.985685110 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.985713005 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.985740900 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.985769033 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.985827923 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.985853910 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.985863924 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.985881090 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.985889912 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.985896111 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.985934019 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.985960007 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.986522913 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.986552000 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.986579895 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.986656904 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.986680031 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.987504005 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.987576008 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.987612009 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.987648010 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.987739086 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.987796068 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.997396946 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.997464895 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.997507095 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.997584105 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.997623920 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.997663975 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.997689962 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.997711897 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.997713089 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.997752905 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.997792006 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.997811079 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.997817039 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.997838020 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.997876883 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.997915983 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.997944117 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.997955084 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.997992992 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.998032093 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.998074055 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.998094082 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.998099089 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.998115063 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.998155117 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.998192072 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.998212099 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.998218060 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:37.998236895 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.998277903 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:37.998388052 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.189074039 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.189126968 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.189142942 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.190071106 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.194698095 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.202075005 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.202574015 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.202614069 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.202630997 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.202774048 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.203433990 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.203453064 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.203499079 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.203531981 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.203552008 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.205054998 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.205075979 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.205091953 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.205130100 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.206064939 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.206068039 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.206140995 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.206157923 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.207092047 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.207115889 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.207133055 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.207189083 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.207206964 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.207463980 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.213711023 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.213742971 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.213761091 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.213773012 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.213850975 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.213905096 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.213912010 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.214983940 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.215003967 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.215063095 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.215147018 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.215436935 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.215456009 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.215519905 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.215585947 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.215620041 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.216022015 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.217184067 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.217211008 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.217227936 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.217264891 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.217278004 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.217344999 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.217345953 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.217379093 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.217423916 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.217446089 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.217503071 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.217569113 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.219364882 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.219386101 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.219428062 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.219501972 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.219518900 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.219556093 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.219573021 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.219585896 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.219650030 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.222543001 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.222584009 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.222621918 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.222661972 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.222702980 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.222812891 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.300347090 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.410799026 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.410861969 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.410902023 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.410934925 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.410970926 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.410974979 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.412590981 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.412636995 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.412722111 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.412758112 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.421171904 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.421232939 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.421276093 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.421302080 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.421318054 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.421324968 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.421329021 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.421365976 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.429800987 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.429864883 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.429908037 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.429969072 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.429982901 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.429996014 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.430001020 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.430026054 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.430068970 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.430088043 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.430094957 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.430110931 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.430130959 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.430152893 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.430191040 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.430206060 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.430212021 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.430227995 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.430260897 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.430265903 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.430304050 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.430342913 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.430355072 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.430361986 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.430382013 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.430427074 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.430432081 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.433674097 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.433729887 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.433768034 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.433800936 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.440110922 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.440190077 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.440229893 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.440267086 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.440341949 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.440383911 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.442656994 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.442692995 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.442730904 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.442770004 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.442806005 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.442816973 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.442858934 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.442864895 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.451594114 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.451648951 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.451687098 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.451725006 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.451841116 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.452636003 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.452680111 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.452719927 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.452734947 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.452753067 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.452951908 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.454583883 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.454991102 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.460670948 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.460728884 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.460771084 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.460810900 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.460979939 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.461546898 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.461589098 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.461626053 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.461643934 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.461653948 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.461667061 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.461708069 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.461709023 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.461714983 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.461812973 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:38.463088036 CEST	7189	49748	91.193.75.132	192.168.2.3
May 11, 2022 13:06:38.464504957 CEST	49748	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:42.822367907 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:43.159079075 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:43.159193993 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:43.159895897 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:43.411319017 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:43.414638042 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:43.519613981 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:43.611924887 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:43.739681959 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:43.742089033 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:43.960546970 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.111918926 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:44.252465963 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:44.520117998 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.520294905 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:44.676662922 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.676702976 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.676726103 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.676748037 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.676764011 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:44.676769972 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.676812887 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:44.676820040 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:44.678107023 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.678139925 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.678163052 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.678195000 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:44.678250074 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:44.678277969 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.678303957 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.678324938 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:44.678349972 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:44.776985884 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.989279985 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.989320040 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.989336967 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.989355087 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.989372015 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.989387989 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.989404917 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.989422083 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.989434004 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:44.989439011 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.989471912 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:44.989476919 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:44.989479065 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.989514112 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:44.989653111 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.989672899 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.989701986 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.989722967 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:44.989729881 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.989748001 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.989763975 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.989765882 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:44.989779949 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.989797115 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:44.989821911 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.989859104 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:44.989865065 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.989905119 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:44.989940882 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.208730936 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.208766937 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.208785057 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.208843946 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.209574938 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.209595919 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.209611893 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.209630013 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.209686041 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.211134911 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.211163998 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.211182117 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.211198092 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.211237907 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.211560965 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.211591959 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.211617947 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.211678982 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.211702108 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.212693930 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.212721109 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.212783098 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.218528032 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.218552113 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.218569040 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.218588114 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.218619108 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.218626976 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.219424963 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.219443083 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.219459057 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.219501972 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.219533920 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.219547987 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.220813990 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.220833063 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.220910072 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.220909119 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.220947981 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.221415043 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.221677065 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.221695900 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.221713066 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.221728086 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.221755981 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.230637074 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.230680943 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.230705023 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.230726004 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.230747938 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.230768919 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.230789900 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.230797052 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.230834007 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.230920076 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.230942965 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.230961084 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.230962992 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.230984926 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.231005907 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.362546921 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.424720049 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.424750090 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.424766064 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.424778938 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.424864054 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.425407887 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.425425053 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.425461054 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.425479889 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.426459074 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.426528931 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.434894085 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.434925079 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.434943914 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.434961081 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.434989929 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.435023069 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.443543911 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.443646908 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.443698883 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.443720102 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.443737984 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.443753004 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.443756104 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.443773985 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.443789959 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.443803072 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.443809032 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.443826914 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.443837881 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.443867922 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.443901062 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.443944931 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.443967104 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.444004059 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.455307961 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.455457926 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.461075068 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.461101055 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.461117983 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.461134911 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.461154938 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.461194992 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.461230040 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.461247921 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.461265087 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.461267948 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.461281061 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.461308956 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.461347103 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.461374998 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.461391926 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.461411953 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.461422920 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.461438894 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.461464882 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.461498976 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.461534023 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.461534977 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.461569071 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.461577892 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.461615086 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.461658001 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.461674929 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.461692095 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.461697102 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.461724043 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.461767912 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.461805105 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.461806059 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.461842060 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.462028980 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.462083101 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.466630936 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.466662884 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.466681004 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.466697931 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.466756105 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.466806889 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.467401028 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.467422962 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.467461109 CEST	7189	49751	91.193.75.132	192.168.2.3
May 11, 2022 13:06:45.467470884 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:45.467526913 CEST	49751	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:52.351332903 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:52.563494921 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:52.563704967 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:53.160370111 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:53.419361115 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:53.419430971 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:53.572750092 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:53.683890104 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:53.684016943 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:53.925077915 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:54.112760067 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:54.301230907 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:54.559462070 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:54.559593916 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:54.929039001 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.025187016 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.025233984 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.025255919 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.025279045 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.025300026 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.025305033 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.025346041 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.025417089 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.025458097 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.025490999 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.025535107 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.025579929 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.027163029 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.027199984 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.027251005 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.242501020 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.242527962 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.242546082 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.242563009 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.242595911 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.242641926 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.242645025 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.242686987 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.242707014 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.243844032 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.243921995 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.243998051 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.244002104 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.244015932 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.244077921 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.264453888 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.264605045 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.264622927 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.264640093 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.264677048 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.264707088 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.264720917 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.264760971 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.264801025 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.266020060 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.266071081 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.266087055 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.266135931 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.266165018 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.266793966 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.270359993 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.508634090 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.508662939 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.508678913 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.508713961 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.508748055 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.509538889 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.509557962 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.509588957 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.509588957 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.509612083 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.509653091 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.511039972 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.511082888 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.511123896 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.511145115 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.511161089 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.511183977 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.511221886 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.511660099 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.511678934 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.511730909 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.535222054 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.535248041 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.535260916 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.535346985 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.535984039 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.536052942 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.536062956 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.536072016 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.536088943 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.536120892 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.536144018 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.544627905 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.544652939 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.544668913 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.544687033 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.544703007 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.544724941 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.544734001 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.544756889 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.544811964 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.544816971 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.544864893 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.544886112 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.544904947 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.544934988 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.544945002 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.544977903 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.545000076 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.545017958 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.545052052 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.545582056 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.545658112 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.545682907 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.545690060 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.545707941 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.545725107 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.545758963 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.545777082 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.545821905 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.548096895 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.548137903 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.548171997 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.548209906 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.548223972 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.548288107 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.548332930 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:06:55.549489021 CEST	7189	49752	91.193.75.132	192.168.2.3
May 11, 2022 13:06:55.549556971 CEST	49752	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:00.145737886 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:00.350873947 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:00.351123095 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:00.352077961 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:00.727243900 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:00.819472075 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:00.827202082 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:01.045186043 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:01.160224915 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:01.242611885 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:01.542983055 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:01.543070078 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:01.645019054 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:01.645081997 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:01.645323992 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:01.645344019 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:01.645380020 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:01.645405054 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:01.645442963 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:01.645486116 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:01.645697117 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:01.645750046 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:01.645953894 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:01.645972013 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:01.645999908 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:01.646024942 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:01.646080971 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:01.646099091 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:01.646121025 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:01.646150112 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:01.647512913 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:01.647569895 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:01.987628937 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.084598064 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.096409082 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.096451998 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.096470118 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.096513987 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.096551895 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.096565962 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.096590042 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.096628904 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.096689939 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.096728086 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.096863031 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.096885920 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.096925020 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.096965075 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.097012997 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.097143888 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.097186089 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.097187042 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.097220898 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.097258091 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.097289085 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.097326040 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.097368002 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.097923994 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.097964048 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.098002911 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.098067999 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.098426104 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.098491907 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.267746925 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.318528891 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.318557978 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.318572998 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.318588972 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.318680048 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.319433928 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.319452047 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.319540024 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.319690943 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.319711924 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.319755077 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.319783926 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.321044922 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.321064949 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.321135998 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.321155071 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.328564882 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.328604937 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.328622103 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.328635931 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.328680038 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.328694105 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.328752041 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.329767942 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.329786062 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.329801083 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.329813957 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.329835892 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.329885960 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.330439091 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.330459118 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.330471992 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.330502987 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.330542088 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.330543041 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.330553055 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.330586910 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.330589056 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.330636024 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.331713915 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.331733942 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.331749916 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.331765890 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.331796885 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.331849098 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.332551003 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.332575083 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.332591057 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.332607985 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.332628965 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.332665920 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.333666086 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.333687067 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.333703041 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.333719969 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.333748102 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.333775043 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.336502075 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.336524963 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.336632013 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.336631060 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.336663961 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.336693048 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.336745024 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.339025021 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.339046955 CEST	7189	49753	91.193.75.132	192.168.2.3
May 11, 2022 13:07:02.339080095 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:02.339138031 CEST	49753	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:06.833168030 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:07.040718079 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:07.040875912 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:07.041517973 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:07.300770044 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:07.337342024 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:07.382970095 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:07.426460981 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:07.740694046 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:07.740839005 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:07.958688974 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:08.004615068 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:08.244241953 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:08.494633913 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:08.494924068 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:08.636723042 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:08.636805058 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:08.636832952 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:08.636931896 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:08.636975050 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:08.637537956 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:08.637572050 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:08.637593031 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:08.637648106 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:08.637659073 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:08.637684107 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:08.637716055 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:08.637742996 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:08.637749910 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:08.637825012 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:08.637828112 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:08.637876987 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:09.020313978 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:09.500161886 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:09.652393103 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:09.652517080 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:09.652549982 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:09.652590036 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:09.652777910 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:09.652797937 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:09.652815104 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:09.652842045 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:09.652868032 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:09.652880907 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:09.652888060 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:09.652954102 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:09.652966976 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:09.652985096 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:09.653002024 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:09.653023958 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:09.653040886 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:09.653045893 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:09.653074980 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:09.653130054 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:09.653177977 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:09.653196096 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:09.653212070 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:09.653230906 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:09.653242111 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:09.653259993 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:09.653275013 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:09.653304100 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:09.653323889 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:09.653337002 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:09.653357029 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:09.653372049 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:09.653389931 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:09.653403997 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:09.653434992 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:09.663870096 CEST	7189	49754	91.193.75.132	192.168.2.3
May 11, 2022 13:07:09.664052010 CEST	49754	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:14.033580065 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:14.240506887 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:14.241003990 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:14.241930962 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:14.519654989 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:14.552525997 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:14.553019047 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:14.770621061 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:14.911495924 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:14.962634087 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:15.210499048 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.210616112 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:15.479545116 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.568669081 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.568707943 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.568723917 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.568741083 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.568850994 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:15.577570915 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.577603102 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.577692986 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:15.577785969 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.577804089 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.577821970 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.577837944 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.577867031 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:15.577888966 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:15.799211025 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.799247980 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.799267054 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.799283028 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.799299955 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.799319029 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.799330950 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:15.799336910 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.799354076 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.799376011 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:15.799392939 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:15.801064014 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.801094055 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.801146984 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:15.802232981 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.802258968 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.802277088 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.802328110 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:15.803241014 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.803283930 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.803308964 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:15.804075003 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.804100990 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.804117918 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.804142952 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:15.804152966 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.804162979 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:15.804949999 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:15.805008888 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:15.947084904 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.016586065 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.016618967 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.016634941 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.016650915 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.016652107 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.016690016 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.016732931 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.017474890 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.017529011 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.017707109 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.017726898 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.017751932 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.017791033 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.018373966 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.018439054 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.018474102 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.018495083 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.018515110 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.018546104 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.018552065 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.018589973 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.019665956 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.019691944 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.019710064 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.019730091 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.019745111 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.019762039 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.019804001 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.020448923 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.020473003 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.020504951 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.020515919 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.020545006 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.020569086 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.027075052 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.027107954 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.027122021 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.027174950 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.027237892 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.035552979 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.035583019 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.035599947 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.035617113 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.035626888 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.035650969 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.036535978 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.036561966 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.036578894 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.036595106 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.036597967 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.036612034 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.036639929 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.036674023 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.037442923 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.037476063 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.037498951 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.037517071 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.037518978 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.037556887 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.037559032 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.037600994 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.037606955 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.037637949 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.037679911 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.037698030 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.037744999 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.037756920 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.037795067 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.037817955 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.037856102 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.037919044 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.037955046 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.037959099 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.037995100 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.213022947 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.233129978 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.233175993 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.233201981 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.233226061 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.233299017 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.242149115 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.242201090 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.242227077 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.242249012 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.242314100 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.242372990 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.251154900 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.251209021 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.251235008 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.251259089 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.251272917 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.251323938 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.252016068 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.252084017 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.252134085 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.252154112 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.264631987 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.264676094 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.264698029 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.264703035 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.264730930 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.264753103 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.264755011 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.264781952 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.264806986 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.264808893 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.264864922 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.264880896 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.264908075 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.264947891 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.264971018 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.264998913 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.265024900 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.265036106 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.265048981 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.265074968 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.265089035 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.267595053 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.267632008 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.267657995 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.267668009 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.267680883 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.267699003 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.267713070 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.267736912 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.267790079 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.267807007 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.267823935 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.267854929 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.267859936 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.267899036 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.271034956 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.271080971 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.271111012 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.271131992 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.271192074 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.271209002 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.271224976 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.271233082 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.271270990 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.271306038 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.271323919 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.271353960 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.271378994 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.271435022 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.271495104 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.275022030 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.275047064 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.275108099 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.275115967 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.317765951 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.450892925 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.450917006 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.450933933 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.450951099 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.450987101 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.451029062 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.451456070 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.470582008 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.470604897 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.470622063 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.470659971 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.470669985 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.470721006 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.478759050 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.478799105 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.478816032 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.478835106 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.478873968 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.479444981 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.480587959 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.480750084 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.482556105 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.494184971 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.494211912 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.494250059 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.494266033 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.494283915 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.494286060 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.494301081 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.494309902 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.494318008 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.494335890 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.494343042 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.494368076 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.494375944 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.494393110 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.494425058 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.494469881 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.494512081 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.494529009 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.494553089 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.494570017 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.494626045 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.494765043 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.494813919 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.494885921 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.506143093 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.506164074 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.506181955 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.506227016 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.506275892 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.506309032 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.512140036 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.512164116 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.512181044 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.512197971 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.512214899 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.512228966 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.512232065 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.512248993 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.512255907 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.512267113 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.512273073 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.512285948 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.512293100 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.512303114 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.512319088 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.512326002 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.512335062 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.512351036 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.512368917 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.512377024 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.512394905 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.540604115 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.544626951 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.666676998 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.666706085 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.666722059 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.666739941 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.666820049 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.666863918 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.697137117 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.697168112 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.697186947 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.697223902 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.697242022 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.697290897 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.697344065 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.706748009 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.706787109 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.706804991 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.706820965 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.706971884 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.707062006 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.707720041 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.707742929 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.707783937 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.716650009 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.716675043 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.716727018 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.716746092 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.716769934 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.716820955 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.718100071 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.718123913 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.718151093 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.718180895 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.718225002 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.718276024 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.718914986 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.720077038 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.725019932 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.725043058 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.725059986 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.725078106 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.725106001 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.725150108 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.726002932 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.726025105 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.726042032 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.726074934 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.726090908 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.726128101 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.726135015 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.735048056 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.735075951 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.735093117 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.735111952 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.735130072 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.735179901 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.735186100 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.735204935 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.735220909 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.735224009 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.735264063 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.735276937 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.737555027 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.745096922 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.745121002 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.745223045 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.745240927 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.745243073 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.745307922 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.745353937 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.745371103 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.745417118 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.768599987 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.768625975 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.768709898 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.883126020 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.883156061 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.883173943 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.883191109 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:16.883259058 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.883284092 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:16.943708897 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.098678112 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.098728895 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.098747969 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.098768950 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.098786116 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.098805904 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.098846912 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.098895073 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.098964930 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.100532055 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.100562096 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.100647926 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.101387024 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.101464033 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.109164000 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.109199047 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.109217882 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.109306097 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.109359026 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.117595911 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.117624998 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.117643118 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.117660046 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.117695093 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.117746115 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.117768049 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.117780924 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.117804050 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.117804050 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.117818117 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.117841959 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.117877007 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.117877960 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.117908955 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.117940903 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.117957115 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.117985964 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.117994070 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.118026018 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.118045092 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.118076086 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.121717930 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.121742964 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.121845007 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.121922016 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.121953011 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.121973038 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.121999979 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.122026920 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.122044086 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.122061968 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.122075081 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.122080088 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.122098923 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.122114897 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.122117043 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.122144938 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.122167110 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.122173071 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.122186899 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.122203112 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.122231007 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.122260094 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.122289896 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.122308969 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.122356892 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.122361898 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.122375011 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.122401953 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.122431040 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.122483015 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.122503996 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.122520924 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.122555017 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.122582912 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.122587919 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.122648954 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.122677088 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.122698069 CEST	7189	49755	91.193.75.132	192.168.2.3
May 11, 2022 13:07:17.122701883 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.122735023 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:17.122746944 CEST	49755	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:21.606617928 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:21.818557978 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:21.822103977 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:21.886929989 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:22.203150034 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:22.203284025 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:22.260660887 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:22.302676916 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:22.459981918 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:22.460083008 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:22.688632011 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:22.740221977 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:22.871829987 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.139600039 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.139714003 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.267358065 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.267435074 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.267438889 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.267492056 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.267496109 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.267549992 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.267550945 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.267596960 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.267700911 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.267749071 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.267755985 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.267796993 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.267807961 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.267849922 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.267858982 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.267899990 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.267910004 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.267952919 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.268197060 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.268253088 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.466495037 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.487188101 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.487235069 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.487263918 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.487341881 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.487550020 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.487592936 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.487633944 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.487633944 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.487665892 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.487669945 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.488955021 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.489011049 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.490042925 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.490077972 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.490139008 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.497997999 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.498050928 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.498084068 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.498101950 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.498116016 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.498219967 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.498478889 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.498506069 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.498553991 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.498553991 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.498606920 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.498929024 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.499443054 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.499478102 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.499524117 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.707144022 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.707173109 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.707205057 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.707285881 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.707432985 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.707473993 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.707500935 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.707537889 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.707573891 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.707614899 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.708467960 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.708512068 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.708556890 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.708662987 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.708699942 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.708700895 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.710059881 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.710088968 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.710448027 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.716710091 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.716733932 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.716763973 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.716784000 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.716813087 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.716866016 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.717464924 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.717506886 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.717525959 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.718508005 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.718528032 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.718565941 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.718601942 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.718622923 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.718632936 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.719685078 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.719719887 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.719758034 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.719789028 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.719834089 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.719844103 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.721005917 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.721066952 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.721066952 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.722002983 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.722073078 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.722094059 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.722110987 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.722157001 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.722460985 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.722481966 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.722538948 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.722568035 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.731612921 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.731698990 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.731735945 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.731769085 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.731775999 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.731805086 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.731808901 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.731839895 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:23.732645035 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:23.787225008 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.021138906 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.021189928 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.021218061 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.021262884 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.032341957 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.032387972 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.032421112 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.032457113 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.032459021 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.032491922 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.032521963 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.032557011 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.032591105 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.032624006 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.032634020 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.032656908 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.035317898 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.035351992 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.035403967 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.035662889 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.035701036 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.035721064 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.035787106 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.036171913 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.036196947 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.036236048 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.036237001 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.036247969 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.036262989 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.036286116 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.036302090 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.037158012 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.037267923 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.037324905 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.037324905 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.037363052 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.037389994 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.037590027 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.037612915 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.037657022 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.037658930 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.037684917 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.037704945 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.037710905 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.037730932 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.037745953 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.037749052 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.037776947 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.037797928 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.037807941 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.037818909 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.037842035 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.037842989 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.037872076 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.037883997 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.050976992 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.050997972 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.051104069 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.051111937 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.051137924 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.051162004 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.051178932 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.051218987 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.051242113 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.051302910 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.051434040 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.051456928 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.051479101 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.051522017 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.051558971 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.051582098 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.051621914 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.051621914 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.051686049 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.051814079 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.051860094 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.150149107 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.247199059 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.247289896 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.248994112 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.252048969 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.271781921 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.271821976 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.271851063 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.271878958 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.271878004 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.271908998 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.271931887 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.271943092 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.271975994 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.272133112 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.272177935 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.272185087 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.272231102 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.272264957 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.272304058 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.272311926 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.272341967 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.272353888 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.272370100 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.272378922 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.272398949 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.272414923 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.272427082 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.272437096 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.272455931 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.272465944 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.272492886 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.272507906 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.272536039 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.272551060 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.272564888 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.272572994 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.272593975 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.272605896 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.272629023 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.272686005 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.272737026 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.272764921 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.272794008 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.272823095 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.272854090 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.281110048 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.281160116 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.281181097 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.281199932 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.281208038 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.281239986 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.281243086 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.281276941 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.281281948 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.281315088 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.281320095 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.281352043 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.281356096 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.281388998 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.281392097 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.281424999 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.281450033 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.281478882 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.281505108 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.281539917 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.281574965 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.281578064 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.281620979 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.281636000 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.281670094 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.281678915 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.281711102 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.281711102 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.281748056 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.281749964 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.281785011 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.281795979 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.281821012 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.281827927 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.281860113 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.281881094 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.281908035 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.281929016 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.281980038 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.282016039 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.282048941 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.282049894 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.282085896 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.282136917 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.282682896 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.282737970 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:24.282738924 CEST	7189	49756	91.193.75.132	192.168.2.3
May 11, 2022 13:07:24.282780886 CEST	49756	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:31.433255911 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:31.647072077 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:31.647305965 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:31.648183107 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:31.920070887 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:31.920157909 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:32.015007973 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:32.147233963 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:32.179402113 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:32.179472923 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:32.400590897 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:32.537914038 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:32.595709085 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:32.859472036 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:32.861219883 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.017570972 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.017633915 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.017664909 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.017693043 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.017721891 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.017911911 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.018498898 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.018536091 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.018564939 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.018594980 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.018621922 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.018624067 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.018640995 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.018661022 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.119611025 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.236526012 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.236568928 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.236593008 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.236614943 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.236634970 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.236641884 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.236690998 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.237370014 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.237390041 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.237448931 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.237457991 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.237503052 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.237504005 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.237716913 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.238459110 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.238511086 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.238532066 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.238539934 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.238574028 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.238589048 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.238622904 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.238629103 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.247606993 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.247626066 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.247653008 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.247689009 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.247719049 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.247749090 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.247762918 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.247790098 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.462953091 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.462994099 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.463013887 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.463035107 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.463056087 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.463074923 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.463089943 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.463103056 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.463115931 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.463136911 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.463136911 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.463144064 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.463157892 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.463177919 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.463177919 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.463207006 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.475369930 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.475390911 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.475419044 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.475438118 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.475461006 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.475469112 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.475480080 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.475501060 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.475507975 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.475529909 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.475538969 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.475550890 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.475572109 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.475574017 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.475598097 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.475599051 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.475662947 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.479166985 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.479192972 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.479214907 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.479247093 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.479249001 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.479290962 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.479470968 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.479487896 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.479512930 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.479545116 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.479590893 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.479610920 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.479631901 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.479640961 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.479671955 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.487276077 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.487297058 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.487324953 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.487344027 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.487387896 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.487430096 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.487451077 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.487456083 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.487493038 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.487607002 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.487627983 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.487673044 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.683779001 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.684021950 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.684052944 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.684071064 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.684133053 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.684173107 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.684662104 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.684684038 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.684710979 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.684798002 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.685003996 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.685034990 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.685076952 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.686322927 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.686368942 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.686465025 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.693082094 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.693115950 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.693140030 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.693160057 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.693171024 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.693181038 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.693198919 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.693243027 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.700457096 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.700510025 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.700530052 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.700551033 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.700572014 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.700582027 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.700617075 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.701493025 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.701524973 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.701564074 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.702044964 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.702074051 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.702094078 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.702111959 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.702131987 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.702140093 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.702150106 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.702163935 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.702191114 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.702249050 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.710740089 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.710774899 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.710794926 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.710860968 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.710975885 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.711035013 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.711390972 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.711416960 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.711479902 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.719049931 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.719434023 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.719470024 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.719491005 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.719511032 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.719521999 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.719532967 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.719552994 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.719553947 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.719568968 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.719583988 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.719594955 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.719610929 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.719835997 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.719856024 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.719881058 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.719887018 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.719899893 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.719918966 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.719924927 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.719949007 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.719961882 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.850522995 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.904400110 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.904437065 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.904504061 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.904551029 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.905471087 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.905531883 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.905565977 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.905579090 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.905608892 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.905669928 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.905711889 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.905755997 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.905778885 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.905781984 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.905808926 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.905831099 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.905833960 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.905860901 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.905888081 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.913484097 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.913561106 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.913620949 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.913624048 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.913671970 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.914186954 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.914236069 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.914288044 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.914433002 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.923625946 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.923651934 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.923669100 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.923680067 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.923696041 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.923712969 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.923795938 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.923798084 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.923818111 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.923830032 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.923834085 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.923852921 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.923854113 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.923870087 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.923886061 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.923896074 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.923957109 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.924982071 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.925017118 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.925067902 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.925111055 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.925132990 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.925146103 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.931896925 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.931943893 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.931994915 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.932061911 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.932096958 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.932122946 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.939124107 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.939157963 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.939197063 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.939230919 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.939277887 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.939349890 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.947854042 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.947891951 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.947925091 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.947949886 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.947974920 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.947995901 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:33.948067904 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:33.948112011 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.011888981 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.060585022 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.060709000 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.125163078 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.125217915 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.125247002 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.125264883 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.125272036 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.125283003 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.125307083 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.125389099 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.126513958 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.126549959 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.126631021 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.126678944 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.142976999 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.143013954 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.143028021 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.143039942 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.143052101 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.143064976 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.143078089 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.143090963 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.143107891 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.143121004 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.143162966 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.143207073 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.143208027 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.143241882 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.143265009 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.143326044 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.144553900 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.144581079 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.144620895 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.144649029 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.144685984 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.144723892 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.144742012 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.144764900 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.144783974 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.144831896 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.145420074 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.145488024 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.145509005 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.145524979 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.145536900 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.145544052 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.145570993 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.145637035 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.147006989 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.147092104 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.147099972 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.147138119 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.147162914 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.147216082 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.147242069 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.147309065 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.337498903 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.337533951 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.337567091 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.337579966 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.337583065 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.337604046 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.337610006 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.337615013 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.337677002 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.339010000 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339036942 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339065075 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339087963 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.339107990 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.339113951 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339132071 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339159012 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.339181900 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339190960 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.339246988 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.339263916 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339301109 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339303970 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.339338064 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.339348078 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339384079 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339390993 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.339421988 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.339432001 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339474916 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.339550972 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339567900 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339602947 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.339620113 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.339638948 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339674950 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339684963 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.339720964 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.339726925 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339745998 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339776993 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.339790106 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.339792967 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339829922 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.339874983 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339893103 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339917898 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339920998 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.339936972 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.339955091 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.339961052 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.339991093 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.340023041 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.340051889 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.340069056 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.340081930 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.340087891 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.340110064 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.340199947 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.340250969 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.340272903 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.340284109 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.340300083 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.340318918 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.340318918 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.340357065 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.340369940 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.340373993 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.340401888 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.340404034 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.340432882 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.340451002 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.340468884 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.340521097 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.340558052 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.340595007 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.340605974 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.340614080 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.340639114 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.340655088 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.340677023 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.340711117 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.340722084 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.340751886 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.340770960 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.340795994 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.340799093 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.340856075 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:34.340874910 CEST	7189	49759	91.193.75.132	192.168.2.3
May 11, 2022 13:07:34.340919971 CEST	49759	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:38.653162956 CEST	49765	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:38.875277996 CEST	7189	49765	91.193.75.132	192.168.2.3
May 11, 2022 13:07:38.875386000 CEST	49765	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:38.876116991 CEST	49765	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:39.135025024 CEST	7189	49765	91.193.75.132	192.168.2.3
May 11, 2022 13:07:39.135108948 CEST	49765	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:39.219605923 CEST	7189	49765	91.193.75.132	192.168.2.3
May 11, 2022 13:07:39.422682047 CEST	7189	49765	91.193.75.132	192.168.2.3
May 11, 2022 13:07:39.422787905 CEST	49765	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:39.641115904 CEST	7189	49765	91.193.75.132	192.168.2.3
May 11, 2022 13:07:39.757335901 CEST	49765	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:40.015346050 CEST	49765	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:40.279654026 CEST	7189	49765	91.193.75.132	192.168.2.3
May 11, 2022 13:07:40.802201986 CEST	49765	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:41.046709061 CEST	49765	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:41.060630083 CEST	7189	49765	91.193.75.132	192.168.2.3
May 11, 2022 13:07:41.060756922 CEST	49765	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:41.188796997 CEST	7189	49765	91.193.75.132	192.168.2.3
May 11, 2022 13:07:41.188842058 CEST	7189	49765	91.193.75.132	192.168.2.3
May 11, 2022 13:07:41.188858986 CEST	7189	49765	91.193.75.132	192.168.2.3
May 11, 2022 13:07:41.188894033 CEST	7189	49765	91.193.75.132	192.168.2.3
May 11, 2022 13:07:41.188915968 CEST	7189	49765	91.193.75.132	192.168.2.3
May 11, 2022 13:07:41.188977957 CEST	49765	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:41.189023972 CEST	49765	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:41.197547913 CEST	7189	49765	91.193.75.132	192.168.2.3
May 11, 2022 13:07:41.197585106 CEST	7189	49765	91.193.75.132	192.168.2.3
May 11, 2022 13:07:41.197613955 CEST	7189	49765	91.193.75.132	192.168.2.3
May 11, 2022 13:07:41.197622061 CEST	49765	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:41.197637081 CEST	7189	49765	91.193.75.132	192.168.2.3
May 11, 2022 13:07:41.197657108 CEST	49765	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:41.197659969 CEST	7189	49765	91.193.75.132	192.168.2.3
May 11, 2022 13:07:41.197662115 CEST	49765	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:41.197679996 CEST	49765	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:41.197699070 CEST	49765	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:45.391935110 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:45.601068974 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:45.601176023 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:45.601767063 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:45.853172064 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:45.938961983 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:45.939372063 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:46.161098957 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:46.161211014 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:46.481256962 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:46.904788971 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.159629107 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.219063997 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.275172949 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.275218964 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.275269985 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.275379896 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.275417089 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.275506020 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.275541067 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.275548935 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.275573969 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.275585890 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.275608063 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.275618076 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.275640011 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.275641918 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.275671005 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.275691032 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.275716066 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.275762081 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.276176929 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.470645905 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.504661083 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.504700899 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.504729986 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.504760027 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.504782915 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.504805088 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.504864931 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.504919052 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.505418062 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.505443096 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.505517960 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.505635977 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.505659103 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.505682945 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.505706072 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.505728960 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.505760908 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.507036924 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.507070065 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.507101059 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.507174969 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.514740944 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.514784098 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.514797926 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.514813900 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.514869928 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.514980078 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.515027046 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.721170902 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.721236944 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.721256971 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.721288919 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.721312046 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.721420050 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.721438885 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.721465111 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.721477032 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.721498966 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.721533060 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.721573114 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.721584082 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.739332914 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.739377022 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.739388943 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.739406109 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.739418030 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.739451885 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.739572048 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.739594936 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.739619017 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.739641905 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.739645004 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.739696026 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.739712954 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.739770889 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.739793062 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.739811897 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.739830017 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.739866018 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.739869118 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.739927053 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.739953995 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.739991903 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.740009069 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.740026951 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.740029097 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.741811991 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.741852999 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.741868973 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.741909981 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.741933107 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.741956949 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.741977930 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.742026091 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.742089033 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.746701956 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.757294893 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.757339954 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.757356882 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.757390022 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.757411003 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.757535934 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.757586956 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.955298901 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.955336094 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.955353975 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.955389023 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.955411911 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.955431938 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.955450058 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.955497026 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.955506086 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.955543041 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.955575943 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.959209919 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.959249020 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.959284067 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.959404945 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.959459066 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.961474895 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.961504936 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.961538076 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.961560011 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.961581945 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.961595058 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.961604118 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.961627007 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.961636066 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.961654902 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.961663008 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.961678982 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.961700916 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.961700916 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.961724043 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.961760044 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.961941004 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.961997032 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.961999893 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.962022066 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.962043047 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.962064981 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.962075949 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.962112904 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.974867105 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.974909067 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.974925041 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.974966049 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.974988937 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.975011110 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.975033045 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.975054026 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.975054026 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.975091934 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.975109100 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.975110054 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.975228071 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.975274086 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.975301027 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.975338936 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.975358963 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.975378990 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.975425959 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.975466013 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.984638929 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.984674931 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.984700918 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.984733105 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.984755039 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.984776974 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.984791994 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.984817028 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.984838963 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:47.984841108 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:47.984890938 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.173222065 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.173268080 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.173285007 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.173297882 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.173441887 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.173461914 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.173499107 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.173554897 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.173614025 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.173651934 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.173687935 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.173692942 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.179152012 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.179348946 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.192049026 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.192090988 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.192107916 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.192176104 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.192215919 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.192254066 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.192251921 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.192291975 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.192291975 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.192296982 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.192316055 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.192353964 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.192382097 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.192452908 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.192498922 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.192661047 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.192682028 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.192709923 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.192733049 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.192739010 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.192756891 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.192779064 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.192780018 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.192802906 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.192816019 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.192826986 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.192871094 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.193451881 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.193485022 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.193511009 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.193558931 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.205246925 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.230138063 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.421276093 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.421320915 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.421338081 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.421502113 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.421550989 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.421585083 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.421610117 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.421647072 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.421664953 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.421693087 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.421710968 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.421742916 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.422498941 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.422576904 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.422616959 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.422636986 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.422642946 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.422669888 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.422708035 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.423410892 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.423459053 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.423501968 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.423506021 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.423552990 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.423553944 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.423600912 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.430663109 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.430715084 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.430840015 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.430870056 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.430903912 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.430923939 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.430959940 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.431457996 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.431540012 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.431549072 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.431590080 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.431696892 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.431725025 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.431746960 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.431768894 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.432461023 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.432524920 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.432549953 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.432580948 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.432593107 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.432626009 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.442712069 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.442784071 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.442807913 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.442854881 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.442881107 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.442924976 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.442933083 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.442953110 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.442972898 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.442981005 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.442986012 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.443008900 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.443022966 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.443037033 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.443061113 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.443062067 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.443085909 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.443092108 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.443103075 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.443120956 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.443126917 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.443150043 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.443161011 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.443178892 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.443187952 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.443206072 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.443214893 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.443259954 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.443289042 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.443316936 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.443336010 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.443363905 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.443367004 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.443393946 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.443413019 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.443444014 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.443718910 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.443754911 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.443769932 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.443783998 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.443803072 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.443813086 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.443820953 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.443844080 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.443851948 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.480608940 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.646826029 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.646869898 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.646886110 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.646909952 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.646961927 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.646981001 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.647001028 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.647021055 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.647039890 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.647083998 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.647121906 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.647149086 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.647202015 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.647207022 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.648533106 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.648566008 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.648593903 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.648641109 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.648679018 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.648732901 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.648788929 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.649576902 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.649615049 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.649652004 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.649729967 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.649753094 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.649771929 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.649774075 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.649810076 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.650988102 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.651017904 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.651034117 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.651140928 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.651705980 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.651726007 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.651751041 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.651772022 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.651817083 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.651839972 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.661604881 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.661644936 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.661660910 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.661674023 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.661698103 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.661722898 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.661808014 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.661838055 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.661851883 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.661881924 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.661892891 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.661922932 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.661984921 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.662004948 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.662056923 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.662086010 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.662107944 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.662127972 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.662151098 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.662250042 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.662312031 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.662326097 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.662362099 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.662405014 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.662524939 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.662544966 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.662590027 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.663167953 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.663193941 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.663222075 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.663243055 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.663276911 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.663327932 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.663455963 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.663480043 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.663522959 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.663528919 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.663609028 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.663625002 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.663659096 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.664493084 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.664606094 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.664830923 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.664853096 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.664881945 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.664901972 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.664958000 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.665420055 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.665612936 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.665632963 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.665657997 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.665693045 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.665720940 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.666405916 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.666434050 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.666485071 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.666513920 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.666521072 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.666544914 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.666594028 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:48.667462111 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.667654037 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.667676926 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.667694092 CEST	7189	49766	91.193.75.132	192.168.2.3
May 11, 2022 13:07:48.667948008 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:50.204839945 CEST	49766	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:55.032872915 CEST	49768	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:55.368748903 CEST	7189	49768	91.193.75.132	192.168.2.3
May 11, 2022 13:07:55.368866920 CEST	49768	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:55.403476000 CEST	49768	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:55.747661114 CEST	7189	49768	91.193.75.132	192.168.2.3
May 11, 2022 13:07:55.747699976 CEST	7189	49768	91.193.75.132	192.168.2.3
May 11, 2022 13:07:55.748307943 CEST	49768	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:56.026581049 CEST	7189	49768	91.193.75.132	192.168.2.3
May 11, 2022 13:07:56.149281979 CEST	49768	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:56.230866909 CEST	49768	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:56.699732065 CEST	7189	49768	91.193.75.132	192.168.2.3
May 11, 2022 13:07:56.699839115 CEST	49768	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:57.020402908 CEST	7189	49768	91.193.75.132	192.168.2.3
May 11, 2022 13:07:57.240566015 CEST	49768	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:57.369040966 CEST	7189	49768	91.193.75.132	192.168.2.3
May 11, 2022 13:07:57.450539112 CEST	7189	49768	91.193.75.132	192.168.2.3
May 11, 2022 13:07:57.450694084 CEST	49768	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:57.489794016 CEST	49768	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:57.809011936 CEST	7189	49768	91.193.75.132	192.168.2.3
May 11, 2022 13:07:57.833092928 CEST	7189	49768	91.193.75.132	192.168.2.3
May 11, 2022 13:07:57.833215952 CEST	49768	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:58.045305014 CEST	7189	49768	91.193.75.132	192.168.2.3
May 11, 2022 13:07:58.069523096 CEST	49768	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:58.399765015 CEST	7189	49768	91.193.75.132	192.168.2.3
May 11, 2022 13:07:58.400415897 CEST	49768	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:58.531004906 CEST	49768	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:07:58.659444094 CEST	7189	49768	91.193.75.132	192.168.2.3
May 11, 2022 13:07:58.659545898 CEST	49768	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:08:03.235272884 CEST	49770	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:08:03.446476936 CEST	7189	49770	91.193.75.132	192.168.2.3
May 11, 2022 13:08:03.446588993 CEST	49770	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:08:03.447551966 CEST	49770	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:08:03.712568998 CEST	7189	49770	91.193.75.132	192.168.2.3
May 11, 2022 13:08:03.714047909 CEST	49770	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:08:03.766577959 CEST	7189	49770	91.193.75.132	192.168.2.3
May 11, 2022 13:08:03.962454081 CEST	49770	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:08:03.979666948 CEST	7189	49770	91.193.75.132	192.168.2.3
May 11, 2022 13:08:03.979787111 CEST	49770	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:08:04.197161913 CEST	7189	49770	91.193.75.132	192.168.2.3
May 11, 2022 13:08:04.197863102 CEST	49770	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:08:04.449091911 CEST	7189	49770	91.193.75.132	192.168.2.3
May 11, 2022 13:08:04.657269955 CEST	7189	49770	91.193.75.132	192.168.2.3
May 11, 2022 13:08:04.657717943 CEST	49770	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:08:04.877135038 CEST	7189	49770	91.193.75.132	192.168.2.3
May 11, 2022 13:08:04.877681971 CEST	49770	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:08:05.098634958 CEST	7189	49770	91.193.75.132	192.168.2.3
May 11, 2022 13:08:05.099636078 CEST	49770	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:08:05.308698893 CEST	7189	49770	91.193.75.132	192.168.2.3
May 11, 2022 13:08:05.462626934 CEST	49770	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:08:05.672969103 CEST	7189	49770	91.193.75.132	192.168.2.3
May 11, 2022 13:08:05.759522915 CEST	49770	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:08:08.658492088 CEST	7189	49770	91.193.75.132	192.168.2.3
May 11, 2022 13:08:08.759813070 CEST	49770	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:08:13.399112940 CEST	7189	49770	91.193.75.132	192.168.2.3
May 11, 2022 13:08:13.463238955 CEST	49770	7189	192.168.2.3	91.193.75.132
May 11, 2022 13:08:13.680983067 CEST	7189	49770	91.193.75.132	192.168.2.3
May 11, 2022 13:08:13.760200024 CEST	49770	7189	192.168.2.3	91.193.75.132

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 11, 2022 13:06:35.552562952 CEST	56417	53	192.168.2.3	8.8.8.8
May 11, 2022 13:06:35.574078083 CEST	53	56417	8.8.8.8	192.168.2.3
May 11, 2022 13:06:42.793772936 CEST	57723	53	192.168.2.3	8.8.8.8
May 11, 2022 13:06:42.813097954 CEST	53	57723	8.8.8.8	192.168.2.3
May 11, 2022 13:06:52.264692068 CEST	58116	53	192.168.2.3	8.8.8.8
May 11, 2022 13:06:52.284145117 CEST	53	58116	8.8.8.8	192.168.2.3
May 11, 2022 13:07:00.108546972 CEST	57421	53	192.168.2.3	8.8.8.8
May 11, 2022 13:07:00.130428076 CEST	53	57421	8.8.8.8	192.168.2.3
May 11, 2022 13:07:06.807050943 CEST	65358	53	192.168.2.3	8.8.8.8
May 11, 2022 13:07:06.828341007 CEST	53	65358	8.8.8.8	192.168.2.3
May 11, 2022 13:07:13.998492002 CEST	49873	53	192.168.2.3	8.8.8.8
May 11, 2022 13:07:14.019278049 CEST	53	49873	8.8.8.8	192.168.2.3
May 11, 2022 13:07:21.482220888 CEST	53802	53	192.168.2.3	8.8.8.8
May 11, 2022 13:07:21.501014948 CEST	53	53802	8.8.8.8	192.168.2.3
May 11, 2022 13:07:31.411381960 CEST	63332	53	192.168.2.3	8.8.8.8
May 11, 2022 13:07:31.430727959 CEST	53	63332	8.8.8.8	192.168.2.3
May 11, 2022 13:07:38.631161928 CEST	49327	53	192.168.2.3	8.8.8.8
May 11, 2022 13:07:38.652080059 CEST	53	49327	8.8.8.8	192.168.2.3
May 11, 2022 13:07:45.371444941 CEST	51391	53	192.168.2.3	8.8.8.8
May 11, 2022 13:07:45.390515089 CEST	53	51391	8.8.8.8	192.168.2.3
May 11, 2022 13:07:55.000224113 CEST	58981	53	192.168.2.3	8.8.8.8
May 11, 2022 13:07:55.021661997 CEST	53	58981	8.8.8.8	192.168.2.3
May 11, 2022 13:08:03.213051081 CEST	64452	53	192.168.2.3	8.8.8.8
May 11, 2022 13:08:03.234108925 CEST	53	64452	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 11, 2022 13:06:35.552562952 CEST	192.168.2.3	8.8.8.8	0xcd5a	Standard query (0)	aztemglobaltradltd.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 13:06:42.793772936 CEST	192.168.2.3	8.8.8.8	0xe525	Standard query (0)	aztemglobaltradltd.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 13:06:52.264692068 CEST	192.168.2.3	8.8.8.8	0x4b38	Standard query (0)	aztemglobaltradltd.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 13:07:00.108546972 CEST	192.168.2.3	8.8.8.8	0x6d54	Standard query (0)	aztemglobaltradltd.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 13:07:06.807050943 CEST	192.168.2.3	8.8.8.8	0x9d27	Standard query (0)	aztemglobaltradltd.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 13:07:13.998492002 CEST	192.168.2.3	8.8.8.8	0xa16f	Standard query (0)	aztemglobaltradltd.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 13:07:21.482220888 CEST	192.168.2.3	8.8.8.8	0x787	Standard query (0)	aztemglobaltradltd.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 13:07:31.411381960 CEST	192.168.2.3	8.8.8.8	0x7c54	Standard query (0)	aztemglobaltradltd.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 13:07:38.631161928 CEST	192.168.2.3	8.8.8.8	0x5fc0	Standard query (0)	aztemglobaltradltd.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 13:07:45.371444941 CEST	192.168.2.3	8.8.8.8	0x4fd0	Standard query (0)	aztemglobaltradltd.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 13:07:55.000224113 CEST	192.168.2.3	8.8.8.8	0xe1c1	Standard query (0)	aztemglobaltradltd.ddns.net	A (IP address)	IN (0x0001)
May 11, 2022 13:08:03.213051081 CEST	192.168.2.3	8.8.8.8	0xc968	Standard query (0)	aztemglobaltradltd.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 11, 2022 13:06:35.574078083 CEST	8.8.8.8	192.168.2.3	0xcd5a	No error (0)	aztemglobaltradltd.ddns.net	91.193.75.132	A (IP address)	IN (0x0001)
May 11, 2022 13:06:42.813097954 CEST	8.8.8.8	192.168.2.3	0xe525	No error (0)	aztemglobaltradltd.ddns.net	91.193.75.132	A (IP address)	IN (0x0001)
May 11, 2022 13:06:52.284145117 CEST	8.8.8.8	192.168.2.3	0x4b38	No error (0)	aztemglobaltradltd.ddns.net	91.193.75.132	A (IP address)	IN (0x0001)
May 11, 2022 13:07:00.130428076 CEST	8.8.8.8	192.168.2.3	0x6d54	No error (0)	aztemglobaltradltd.ddns.net	91.193.75.132	A (IP address)	IN (0x0001)
May 11, 2022 13:07:06.828341007 CEST	8.8.8.8	192.168.2.3	0x9d27	No error (0)	aztemglobaltradltd.ddns.net	91.193.75.132	A (IP address)	IN (0x0001)
May 11, 2022 13:07:14.019278049 CEST	8.8.8.8	192.168.2.3	0xa16f	No error (0)	aztemglobaltradltd.ddns.net	91.193.75.132	A (IP address)	IN (0x0001)
May 11, 2022 13:07:21.501014948 CEST	8.8.8.8	192.168.2.3	0x787	No error (0)	aztemglobaltradltd.ddns.net	91.193.75.132	A (IP address)	IN (0x0001)
May 11, 2022 13:07:31.430727959 CEST	8.8.8.8	192.168.2.3	0x7c54	No error (0)	aztemglobaltradltd.ddns.net	91.193.75.132	A (IP address)	IN (0x0001)
May 11, 2022 13:07:38.652080059 CEST	8.8.8.8	192.168.2.3	0x5fc0	No error (0)	aztemglobaltradltd.ddns.net	91.193.75.132	A (IP address)	IN (0x0001)
May 11, 2022 13:07:45.390515089 CEST	8.8.8.8	192.168.2.3	0x4fd0	No error (0)	aztemglobaltradltd.ddns.net	91.193.75.132	A (IP address)	IN (0x0001)
May 11, 2022 13:07:55.021661997 CEST	8.8.8.8	192.168.2.3	0xe1c1	No error (0)	aztemglobaltradltd.ddns.net	91.193.75.132	A (IP address)	IN (0x0001)
May 11, 2022 13:08:03.234108925 CEST	8.8.8.8	192.168.2.3	0xc968	No error (0)	aztemglobaltradltd.ddns.net	91.193.75.132	A (IP address)	IN (0x0001)

Target ID:	0
Start time:	13:05:57
Start date:	11/05/2022
Path:	C:\Users\user\Desktop\OEc88DZdiO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\OEc88DZdiO.exe"
Imagebase:	0x480000
File size:	823808 bytes
MD5 hash:	339C2A623CB5E745856B3FA600896BD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.347814498.00000000038A8000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.347814498.00000000038A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.347814498.00000000038A8000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Show Windows behavior

Target ID:	9
Start time:	13:06:19
Start date:	11/05/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UNueWzx" /XML "C:\Users\user\AppData\Local\Temp\tmp8227.tmp
Imagebase:	0xaa0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	11
Start time:	13:06:19
Start date:	11/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	13
Start time:	13:06:21
Start date:	11/05/2022
Path:	C:\Users\user\Desktop\OEc88DZdiO.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x220000
File size:	823808 bytes
MD5 hash:	339C2A623CB5E745856B3FA600896BD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	14
Start time:	13:06:22
Start date:	11/05/2022
Path:	C:\Users\user\Desktop\OEc88DZdiO.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x7b0000
File size:	823808 bytes
MD5 hash:	339C2A623CB5E745856B3FA600896BD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.562461280.0000000005690000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.562461280.0000000005690000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000E.00000002.562461280.0000000005690000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.546310350.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.546310350.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.546310350.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000000.334835695.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.334835695.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.334835695.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.562338287.0000000005660000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.562338287.0000000005660000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000E.00000002.562338287.0000000005660000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000000.337302386.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.337302386.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.337302386.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.548643911.0000000001110000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.548643911.0000000001110000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000E.00000002.548643911.0000000001110000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.549623987.0000000001160000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.549623987.0000000001160000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000E.00000002.549623987.0000000001160000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.562419595.0000000005680000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.562419595.0000000005680000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000E.00000002.562419595.0000000005680000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.561942739.0000000005500000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.561942739.0000000005500000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000E.00000002.561942739.0000000005500000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.558842108.0000000002F0C000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.560771807.000000000495F000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000000.335493633.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.335493633.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.335493633.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.563949640.0000000006C40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.563949640.0000000006C40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000E.00000002.563949640.0000000006C40000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.559653897.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.559653897.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000000.336489801.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.336489801.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.336489801.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.561045738.0000000004B2F000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.549874699.0000000001170000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.549874699.0000000001170000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000E.00000002.549874699.0000000001170000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.564193046.0000000006F11000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.562083531.0000000005520000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.562083531.0000000005520000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000E.00000002.562083531.0000000005520000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.548674516.0000000001120000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.548674516.0000000001120000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000E.00000002.548674516.0000000001120000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.562012434.0000000005510000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.562012434.0000000005510000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000E.00000002.562012434.0000000005510000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.562818620.0000000005F00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.562818620.0000000005F00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.562818620.0000000005F00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000E.00000002.562818620.0000000005F00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.561903140.00000000054F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.561903140.00000000054F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000E.00000002.561903140.00000000054F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.550259552.0000000001180000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.550259552.0000000001180000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000E.00000002.550259552.0000000001180000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.556144169.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.561146588.0000000004BA5000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Show Windows behavior

Target ID:	15
Start time:	13:06:43
Start date:	11/05/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase:	0xb60000
File size:	823808 bytes
MD5 hash:	339C2A623CB5E745856B3FA600896BD7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.425535286.0000000003F18000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.425535286.0000000003F18000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.425535286.0000000003F18000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 34%, Metadefender, Browse Detection: 66%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	17
Start time:	13:06:59
Start date:	11/05/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UNueWzx" /XML "C:\Users\user\AppData\Local\Temp\tmp206B.tmp
Imagebase:	0xaa0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	18
Start time:	13:07:00
Start date:	11/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	19
Start time:	13:07:01
Start date:	11/05/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xcb0000
File size:	823808 bytes
MD5 hash:	339C2A623CB5E745856B3FA600896BD7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.442350886.0000000003171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000002.442350886.0000000003171000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000000.416252631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000000.416252631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000000.416252631.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.441028878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.441028878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000002.441028878.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.442458119.0000000004179000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000002.442458119.0000000004179000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000000.416838253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000000.416838253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000000.416838253.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000000.417302089.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000000.417302089.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000000.417302089.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000000.415706140.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000000.415706140.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000000.415706140.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.7%
Total number of Nodes:	82
Total number of Limit Nodes:	8

Executed Functions

Function 00DE49F8 Relevance: 2.8, Strings: 2, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`'[/, xrefs: 00DE4C3A
mF{3, xrefs: 00DE4C7C

Memory Dump Source

Source File: 00000000.00000002.342190870.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_OEc88DZdiO.jbxd

Similarity

API ID:
String ID: `'[/$mF{3
API String ID: 0-1693475496
Opcode ID: ac23a11b7740244fe955a565926450473364585d8f78df878ae706f40fdbdba1
Instruction ID: 18a04fcf8b31e89183b68ec78858e921a11da45cadf8be276d888dcbfc7cd82b
Opcode Fuzzy Hash: ac23a11b7740244fe955a565926450473364585d8f78df878ae706f40fdbdba1
Instruction Fuzzy Hash: C0E11774E04259CFCB14DFA6D484B9EBBB2FF89314F2484AAE50AAB354DB349944CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00DE49E8 Relevance: 2.8, Strings: 2, Instructions: 324
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`'[/, xrefs: 00DE4C3A
mF{3, xrefs: 00DE4C7C

Memory Dump Source

Source File: 00000000.00000002.342190870.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_OEc88DZdiO.jbxd

Similarity

API ID:
String ID: `'[/$mF{3
API String ID: 0-1693475496
Opcode ID: ac3ec39a12cfd6e874c4e18aac969cc438cedcd73b4d4ec347c601ab1bc794eb
Instruction ID: 991f94630bd10f812ffaa93f31611a1ddb9639378c14cd5ba33b42e2dfe6ddd7
Opcode Fuzzy Hash: ac3ec39a12cfd6e874c4e18aac969cc438cedcd73b4d4ec347c601ab1bc794eb
Instruction Fuzzy Hash: 47E12674E04259CFCB14DFA5D484B9EBBF2AF89314F2484AAE509AB354DB349984CF24

Uniqueness

Uniqueness Score: -1.00%

Function 00DE76FF Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

3)}, xrefs: 00DE78F2

Memory Dump Source

Source File: 00000000.00000002.342190870.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_OEc88DZdiO.jbxd

Similarity

API ID:
String ID: 3)}
API String ID: 0-1736493269
Opcode ID: affb163a069c056125620d785aec645456f7457b0896b73db075bbffa99f85f1
Instruction ID: 26ea45a57d9833169b3fbd92633a485b9238e131c62acf78694a969b14dba46b
Opcode Fuzzy Hash: affb163a069c056125620d785aec645456f7457b0896b73db075bbffa99f85f1
Instruction Fuzzy Hash: DE910778E05319DFCB04EFA6C5485AEBBB2FF89340F249829D915A7354D7349A01CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00DE7710 Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

3)}, xrefs: 00DE78F2

Memory Dump Source

Source File: 00000000.00000002.342190870.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_OEc88DZdiO.jbxd

Similarity

API ID:
String ID: 3)}
API String ID: 0-1736493269
Opcode ID: ca991e9fa0083b27de95e1b1b8c3b0e1345536c6029706f70241da6c9f5e4f90
Instruction ID: f3c986452492921d774f662bccbe2040abd9186daa49b3b5e6d5749519d8c19c
Opcode Fuzzy Hash: ca991e9fa0083b27de95e1b1b8c3b0e1345536c6029706f70241da6c9f5e4f90
Instruction Fuzzy Hash: 39910678E05229DBCB04EFE6C5485AEBBB2FF89340F249829E915B7354D7349A01CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00DECFA1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 127
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00DED010
GetCurrentThread.KERNEL32 ref: 00DED04D
GetCurrentProcess.KERNEL32 ref: 00DED08A
GetCurrentThreadId.KERNEL32 ref: 00DED0E3

Strings

H, xrefs: 00DED10F

Memory Dump Source

Source File: 00000000.00000002.342190870.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_OEc88DZdiO.jbxd

Similarity

API ID: Current$ProcessThread
String ID: H
API String ID: 2063062207-1105002124
Opcode ID: f57a30c6bbf8dcac43bd0228ee7ae20f5a43b5f430153178fad2dc5061c61303
Instruction ID: b9b139f2be7f7db1eab9a81db08156e661d140e9ae5c8ae07e95a068e3d02c38
Opcode Fuzzy Hash: f57a30c6bbf8dcac43bd0228ee7ae20f5a43b5f430153178fad2dc5061c61303
Instruction Fuzzy Hash: 645154B4D007488FDB10CFAAD548BDEBBF1AF89318F248499E509A7390DB745944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00DECFB0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00DED010
GetCurrentThread.KERNEL32 ref: 00DED04D
GetCurrentProcess.KERNEL32 ref: 00DED08A
GetCurrentThreadId.KERNEL32 ref: 00DED0E3

Strings

H, xrefs: 00DED10F

Memory Dump Source

Source File: 00000000.00000002.342190870.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_OEc88DZdiO.jbxd

Similarity

API ID: Current$ProcessThread
String ID: H
API String ID: 2063062207-1105002124
Opcode ID: 1d78230be14119548987dffb1a056b8343e849da7802e9fb6f2256c891e4e94c
Instruction ID: 182ceec51a6e036aafb3b9e2dc8ac3dcb978ad2c82310aa7314207a380f0f5b8
Opcode Fuzzy Hash: 1d78230be14119548987dffb1a056b8343e849da7802e9fb6f2256c891e4e94c
Instruction Fuzzy Hash: 6D5143B4D007488FDB10CFAAD548BDEBBF1AF88318F248499E519A7790DBB45844CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00DEACB0 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00DEAEF6

Memory Dump Source

Source File: 00000000.00000002.342190870.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_OEc88DZdiO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d35da3dd63965de4fae5874e762fc491cc823bfca5ef36f49746a1e96952cc85
Instruction ID: da80e9add332328525ed974b72d31cd49c548893938cea4a2319a2765bb24c34
Opcode Fuzzy Hash: d35da3dd63965de4fae5874e762fc491cc823bfca5ef36f49746a1e96952cc85
Instruction Fuzzy Hash: D7712770A00B458FD724EF2AD44075AB7F1FF88304F14892DE546D7A50EB75F9458BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DEAF28 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00DEAEF6

Part of subcall function 00DEA9B0: LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00DEAF71,00000800,00000000,00000000), ref: 00DEB182

Memory Dump Source

Source File: 00000000.00000002.342190870.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_OEc88DZdiO.jbxd

Similarity

API ID: HandleLibraryLoadModule
String ID:
API String ID: 4133054770-0
Opcode ID: 0bc9264a167ead3d8730eb09dae6f9e9c2cf588c1ae68828fcd3c2ff811f35d6
Instruction ID: bb1da67002d3224396174f22d4a346b20dab6b4a6b8185ec39ed76fa6ab23f39
Opcode Fuzzy Hash: 0bc9264a167ead3d8730eb09dae6f9e9c2cf588c1ae68828fcd3c2ff811f35d6
Instruction Fuzzy Hash: 2A21A1B1A042868FDB20EB6ED8447EEBBB5EFC9310F14805EE415A7251CB74A805CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DED1D1 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DED25F

Memory Dump Source

Source File: 00000000.00000002.342190870.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_OEc88DZdiO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0fa2d7ba8dbb191fbd4be4485791504435a69bfc3e0f752501dcbce331d15863
Instruction ID: 3be2ebd8651f7ec3db75cace75b36efcbe8b7814cf49229d6e30b8e0310d75c1
Opcode Fuzzy Hash: 0fa2d7ba8dbb191fbd4be4485791504435a69bfc3e0f752501dcbce331d15863
Instruction Fuzzy Hash: 8D2112B5D00208DFDB10CFAAD484AEEBBF5FB48320F24841AE914A7310D378A944DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DED1D8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DED25F

Memory Dump Source

Source File: 00000000.00000002.342190870.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_OEc88DZdiO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cf1444f90f495f9bcfd90476f9309ad0363ab8c0e87cc60ac7ed123d82b9b979
Instruction ID: 5d596ce978794cfd0015ee62c32b9b53da0efc8274a0ca5ac00dcd7974a425ce
Opcode Fuzzy Hash: cf1444f90f495f9bcfd90476f9309ad0363ab8c0e87cc60ac7ed123d82b9b979
Instruction Fuzzy Hash: 3221E4B59002489FDB10CFAAD484ADEBBF9EB48320F14801AE914A7310D778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DEA9B0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00DEAF71,00000800,00000000,00000000), ref: 00DEB182

Memory Dump Source

Source File: 00000000.00000002.342190870.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_OEc88DZdiO.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: abaa0ae0ea6d1b7c3b48822aae9b69d38dfa314fffae449696dc2d063b2cdfae
Instruction ID: 6e564df5aa91189ad0f9487c4dde448dcef19c545390a20d27ae97a8f055a7e0
Opcode Fuzzy Hash: abaa0ae0ea6d1b7c3b48822aae9b69d38dfa314fffae449696dc2d063b2cdfae
Instruction Fuzzy Hash: FF1133B69003498FCB10CF9AC444ADFBBF4EB48320F14802EE519A7600C3B4A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DEB110 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00DEAF71,00000800,00000000,00000000), ref: 00DEB182

Memory Dump Source

Source File: 00000000.00000002.342190870.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_OEc88DZdiO.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5e65e0efcb846460e93052a6360ff06057c05308fe6d1bed528d126a298dd7e7
Instruction ID: 4a206597c649431a8d28766e047ffa788b0eb29757fec1952dc9df6889a83517
Opcode Fuzzy Hash: 5e65e0efcb846460e93052a6360ff06057c05308fe6d1bed528d126a298dd7e7
Instruction Fuzzy Hash: 832117B2C003498FCB10CF9AD484ADEFBF4EB98324F14851ED419A7610C775A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DEAE90 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00DEAEF6

Memory Dump Source

Source File: 00000000.00000002.342190870.0000000000DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_OEc88DZdiO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 627e4b2de2cba807a0edf3e3cf6b6915883cf74080bd8c88677bd007795ac993
Instruction ID: f713c98f75370980d2f7f5b353f9a68c049386734bd41629908fb1c0f92bb229
Opcode Fuzzy Hash: 627e4b2de2cba807a0edf3e3cf6b6915883cf74080bd8c88677bd007795ac993
Instruction Fuzzy Hash: 6E110FB6D002498FCB10DF9AC444ADEFBF4EB88324F14841AD429A7600D3B8A545CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 009AD3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.341017164.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ad000_OEc88DZdiO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8970d0dfb226828765206783a3747353b3dd5fe7736abfe25afd24fcd794f837
Instruction ID: 0bd943da857ca0a281ad20990df89013841b9a2389664ef1ea7da1d21e9e74c8
Opcode Fuzzy Hash: 8970d0dfb226828765206783a3747353b3dd5fe7736abfe25afd24fcd794f837
Instruction Fuzzy Hash: CE213DB1505244DFDF00DF14D4C0B16BFA9FB98328F24C569E9064BA96C735E846D7E1

Uniqueness

Uniqueness Score: -1.00%

Function 009AD3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.341017164.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ad000_OEc88DZdiO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28fa5a6574e77e61a0c17e2828a4ab5aed3429d064b06815d3d2e1fd3576c304
Instruction ID: e992140497ec49fc42d22a121e269a31f7a546b5073a3d7d8752328e40c779a1
Opcode Fuzzy Hash: 28fa5a6574e77e61a0c17e2828a4ab5aed3429d064b06815d3d2e1fd3576c304
Instruction Fuzzy Hash: 2C11D376805280CFCB11CF10D5C4B56BFB2FB99324F24C6A9D8450BA66C336E85ACBE1

Uniqueness

Uniqueness Score: -1.00%

Function 009AD651 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.341017164.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ad000_OEc88DZdiO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3b000bf3014281a38c62e998f02820a15bd4cea57748bf99b113283d5701b8
Instruction ID: 7b15d3098398d2b7975406c8744fb3b75b6bf1c1af75be3986064d833c1edcdb
Opcode Fuzzy Hash: 4c3b000bf3014281a38c62e998f02820a15bd4cea57748bf99b113283d5701b8
Instruction Fuzzy Hash: AE01F77150A3489AE7109A15CC84766BF9CEF42378F18845DEE0A5EA42D7799844C6F1

Uniqueness

Uniqueness Score: -1.00%

Function 009AD650 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.341017164.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ad000_OEc88DZdiO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699856d7a2233a2f2161cfb0140d2124e63bad94cd7cf68bd0a67957713d8d15
Instruction ID: e25f1cab5f2bea311dbff8d1382e2541cd8f66039e2be7bd392a901bbcfcd1e0
Opcode Fuzzy Hash: 699856d7a2233a2f2161cfb0140d2124e63bad94cd7cf68bd0a67957713d8d15
Instruction Fuzzy Hash: 6EF062714052489BE7109A15CD84BA2FF9CEB51774F18C45EED095F686C3799C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: OEc88DZdiO.exePID: 5588, Parent PID: 6404COMMON

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	327
Total number of Limit Nodes:	26

Executed Functions

Function 0616BB71 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.563004370.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6160000_OEc88DZdiO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce692dade7d8470dd874712c8072ec9c7bcd688c55f5abaac2851b7f29fe844e
Instruction ID: 20cf343f20ef76f5beff2d40afed84d07802eeb7ae41518b19926c3229087cf9
Opcode Fuzzy Hash: ce692dade7d8470dd874712c8072ec9c7bcd688c55f5abaac2851b7f29fe844e
Instruction Fuzzy Hash: 6F51B078E012089FDB44DFA4D995AADBBF2FB89300F148029E906B7394EB356D46CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0123B6C0 Relevance: 6.1, APIs: 4, Instructions: 124
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0123B730
GetCurrentThread.KERNEL32 ref: 0123B76D
GetCurrentProcess.KERNEL32 ref: 0123B7AA
GetCurrentThreadId.KERNEL32 ref: 0123B803

Memory Dump Source

Source File: 0000000E.00000002.554727320.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1230000_OEc88DZdiO.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 55bef799ccc2001f7098393c9505f38c43919578b1b69f3f5c865b2f0a3c17b2
Instruction ID: 2e03ba2b881e46770c22ac9212d9c47acfd24a8bb56ad5b01b93f37e2d4bd72e
Opcode Fuzzy Hash: 55bef799ccc2001f7098393c9505f38c43919578b1b69f3f5c865b2f0a3c17b2
Instruction Fuzzy Hash: F05152B5D002498FEB18CFA9D588BEEBBF4EF88308F248459E109A7750D7749849CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0123B6D0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0123B730
GetCurrentThread.KERNEL32 ref: 0123B76D
GetCurrentProcess.KERNEL32 ref: 0123B7AA
GetCurrentThreadId.KERNEL32 ref: 0123B803

Memory Dump Source

Source File: 0000000E.00000002.554727320.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1230000_OEc88DZdiO.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: dd64a27c748ca7aeac3c6f9583e8cc7cab10bdbe2337680c6c93fd7d9dfc8c96
Instruction ID: 4d55cc5787fc34b5ac84f0d927fbf0d89aea3fbde3471d37c74395b80686e748
Opcode Fuzzy Hash: dd64a27c748ca7aeac3c6f9583e8cc7cab10bdbe2337680c6c93fd7d9dfc8c96
Instruction Fuzzy Hash: 335162B5D002498FDB18CFA9D588BEEBBF4EF88304F248059E109A7350D7749848CF65

Uniqueness

Uniqueness Score: -1.00%

Function 06162F58 Relevance: 1.7, APIs: 1, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.563004370.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6160000_OEc88DZdiO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a520263f1b896990e42b7b518091eb2b71ef947149662f57e5e5ee370b2ca5
Instruction ID: 68a89407e902f9fb1f5157c76eac1bb9c8d515549456a546955fb19969d37f6c
Opcode Fuzzy Hash: e4a520263f1b896990e42b7b518091eb2b71ef947149662f57e5e5ee370b2ca5
Instruction Fuzzy Hash: F48167B5D0420DDFDB14DFA9C8807EEBBB1FF48314F21852AE815AB250DB709959CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06165188 Relevance: 1.7, APIs: 1, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL(?,?), ref: 06165381

Memory Dump Source

Source File: 0000000E.00000002.563004370.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6160000_OEc88DZdiO.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9f05a5178d19392c99d3ae684fdee67a73b8fc241ff5a519b70756b65f76cafd
Instruction ID: 058f44a10c38b9a8394c95300a2f0361c6b93a9f73aafbcb5ef4d29262e93bce
Opcode Fuzzy Hash: 9f05a5178d19392c99d3ae684fdee67a73b8fc241ff5a519b70756b65f76cafd
Instruction Fuzzy Hash: 9D716B35B00605CFCB58DF6AC8809BFB7F3BF98604B14892DE55697650DB31E816CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012393E8 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0123962E

Memory Dump Source

Source File: 0000000E.00000002.554727320.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1230000_OEc88DZdiO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7fb98b5549ff9499e09b604004490bc21cea0fb743baeef0f9c455da46c3c765
Instruction ID: 165c314fd68b9ad5e07eab9122138eed1dca9281bd51f3beb1bb918876ba7a2e
Opcode Fuzzy Hash: 7fb98b5549ff9499e09b604004490bc21cea0fb743baeef0f9c455da46c3c765
Instruction Fuzzy Hash: 707115B0A10B068FDB25DF2AD04175ABBF5FB89318F008A2DE64AD7A40D775E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06163004 Relevance: 1.6, APIs: 1, Instructions: 143
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06163138

Memory Dump Source

Source File: 0000000E.00000002.563004370.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6160000_OEc88DZdiO.jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: db8e7d4de7f546e49b0731b20fe3a6aa74f779f34b4640641aa9e07534809b27
Instruction ID: 5c61cbbc9ccfb256c328127cdd8388ee6e6e75ae5f90c9724174e1053a1084c3
Opcode Fuzzy Hash: db8e7d4de7f546e49b0731b20fe3a6aa74f779f34b4640641aa9e07534809b27
Instruction Fuzzy Hash: 305112B5D0021C9FDB14CFA9C9807DEBBB5FF48314F24812AE815AB250DB74998ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 061612F5 Relevance: 1.6, APIs: 1, Instructions: 142
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06163138

Memory Dump Source

Source File: 0000000E.00000002.563004370.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6160000_OEc88DZdiO.jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 179ac864fcbe605e6939f3355e2f2d946badd01bbc8c4f4efc6a2121f216258d
Instruction ID: 9ad169b88c8161a7c8366c2be4999b243be61457447a72d528aae676d30e1e7a
Opcode Fuzzy Hash: 179ac864fcbe605e6939f3355e2f2d946badd01bbc8c4f4efc6a2121f216258d
Instruction Fuzzy Hash: 485115B5D0021C9FDB54CFAAC8806DDBBB5FF48314F24812AE815BB250DB74A95ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 061612FC Relevance: 1.6, APIs: 1, Instructions: 140
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06163138

Memory Dump Source

Source File: 0000000E.00000002.563004370.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6160000_OEc88DZdiO.jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: ceae500a47c365bc2a0070d0114f03668e56c382f3fcd795e436c5b7293336f3
Instruction ID: 259a5c765de65525dd2cab9fd54d60e242a9d6de9e22a8e98f85eeb746b70150
Opcode Fuzzy Hash: ceae500a47c365bc2a0070d0114f03668e56c382f3fcd795e436c5b7293336f3
Instruction Fuzzy Hash: CD5125B5D0021C9FDB14CFAAC8807DDBBB5FF48304F24812AE815AB250DB74A95ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 0123FB81 Relevance: 1.6, APIs: 1, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0123FD0A

Memory Dump Source

Source File: 0000000E.00000002.554727320.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1230000_OEc88DZdiO.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6f2a8c4930f0acae3ca47728f44c57882dd8497f8271c10323159eb3fbd2d933
Instruction ID: 50756969b7017135dfcbc61a082f767717dd0667df5679a0dc651559918294a6
Opcode Fuzzy Hash: 6f2a8c4930f0acae3ca47728f44c57882dd8497f8271c10323159eb3fbd2d933
Instruction Fuzzy Hash: D751E0B1D103099FDF14CFA9D984ADDBBB1FF88314F24862AE518AB210D774A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0123FBF8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0123FD0A

Memory Dump Source

Source File: 0000000E.00000002.554727320.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1230000_OEc88DZdiO.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c78b1bdc3c738117440d10343317abc79aa1f0e8dcad0ec20e783e849acc0834
Instruction ID: 7d62e8a357eb681c525f0d4b815c4618c0c4c61d6c72dc356a88099c179be790
Opcode Fuzzy Hash: c78b1bdc3c738117440d10343317abc79aa1f0e8dcad0ec20e783e849acc0834
Instruction Fuzzy Hash: FE41C1B1D1030D9FDF14CF99D984ADEBBB5BF88314F24812AE919AB210D774A885CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06160CD0 Relevance: 1.6, APIs: 1, Instructions: 91
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 06160DA9

Memory Dump Source

Source File: 0000000E.00000002.563004370.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6160000_OEc88DZdiO.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 940f9c1d8683c648f004c21e509b3246d968d4a704bd49c318ab6eaf53844916
Instruction ID: a8e7000670c3d7aad04192da0125228118144b658d09ff2057f20ed26a819013
Opcode Fuzzy Hash: 940f9c1d8683c648f004c21e509b3246d968d4a704bd49c318ab6eaf53844916
Instruction Fuzzy Hash: 59314875E002289FDB64DFAAC588BEDBBF5AF48710F14805EE406A7350CB74A845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06160CC1 Relevance: 1.6, APIs: 1, Instructions: 79
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 06160DA9

Memory Dump Source

Source File: 0000000E.00000002.563004370.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6160000_OEc88DZdiO.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 2d6ed4cf95f6c8357db430bca742611a81ca6b368a688a78c0752a37191be8eb
Instruction ID: f9c40cb029bcb4c4198a2a240a15d0cb2a7384d2ed30f9e1edfca81ec99d4e47
Opcode Fuzzy Hash: 2d6ed4cf95f6c8357db430bca742611a81ca6b368a688a78c0752a37191be8eb
Instruction Fuzzy Hash: 1031A975E002189FDB24DFA9D588BEDBBF4EB48711F15851EE406AB380CB745845CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0123BCF9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0123BD87

Memory Dump Source

Source File: 0000000E.00000002.554727320.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1230000_OEc88DZdiO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 52291a336da26e1398819d17cf608bf690c5c5b246a2262505d8e60a3fdfb141
Instruction ID: 26644ea19b1278f8309b0e6aee5f3d42313e49e52e9155618204c3047deed72c
Opcode Fuzzy Hash: 52291a336da26e1398819d17cf608bf690c5c5b246a2262505d8e60a3fdfb141
Instruction Fuzzy Hash: 9D21E3B590024DAFDB10CFA9D884ADEBFF8EB48324F14845AE954A7310D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0123BD00 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0123BD87

Memory Dump Source

Source File: 0000000E.00000002.554727320.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1230000_OEc88DZdiO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c2193d4bd6c067389374f7d64ce86cc39c33dcc358349a11802871b87808110a
Instruction ID: 8d0acc56015a337f3f3c5ad7e32789ef2088ddac13568138a6dd17087dd25ec6
Opcode Fuzzy Hash: c2193d4bd6c067389374f7d64ce86cc39c33dcc358349a11802871b87808110a
Instruction Fuzzy Hash: 1521C4B5D0020D9FDB10CF99D484ADEBBF8EB48324F14841AE914A7310D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01238768 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,012396A9,00000800,00000000,00000000), ref: 012398BA

Memory Dump Source

Source File: 0000000E.00000002.554727320.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1230000_OEc88DZdiO.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 980b348fe02a1899dfb7b950fad585951f85d9ca72b4693a8434baee603178e8
Instruction ID: 4e9507e3eb82627c873c90c3b91ccc9962889511a542567a3b6fa90c36629644
Opcode Fuzzy Hash: 980b348fe02a1899dfb7b950fad585951f85d9ca72b4693a8434baee603178e8
Instruction Fuzzy Hash: 191103B6D002099FDB10CF9AC444ADEBBF4EB89314F14842EE619A7600C3B5A985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01239849 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,012396A9,00000800,00000000,00000000), ref: 012398BA

Memory Dump Source

Source File: 0000000E.00000002.554727320.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1230000_OEc88DZdiO.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a5ee34ebcea370d69f092afdaf775bc371ca23a5e4bdc7b587f5b5c8a7bdcb93
Instruction ID: e7563f256a0f8b6d798aff64f50f45e3b8c545d69b0e23f2eb0a2829c4449f10
Opcode Fuzzy Hash: a5ee34ebcea370d69f092afdaf775bc371ca23a5e4bdc7b587f5b5c8a7bdcb93
Instruction Fuzzy Hash: 241100B2C002099FDB10CFAAD444ADEBBF4EB89324F14842AE519A7600C7B5A585CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 012395C8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0123962E

Memory Dump Source

Source File: 0000000E.00000002.554727320.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1230000_OEc88DZdiO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 328409abfb685ff1908e8648fdf4a7cb9dc5a5d5a41f31365035b055627cd50a
Instruction ID: d94ede574dae0a1a9edebe0e206529043895c016ae3bc08a9dd09b7d604c99d6
Opcode Fuzzy Hash: 328409abfb685ff1908e8648fdf4a7cb9dc5a5d5a41f31365035b055627cd50a
Instruction Fuzzy Hash: 741110B2C006098FDB10CF9AC444BDEFBF4EB89324F10841AD529A7600D3B4A586CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0123FE38 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0123FE9D

Memory Dump Source

Source File: 0000000E.00000002.554727320.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1230000_OEc88DZdiO.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: a9da489211d1b731c1e45192f9ab8e149a43e72f8c2afda3993fa0d5d137df64
Instruction ID: 510d4453d2f5741b3f369db23606e1abe5f4f267ee9725b2810f076375a57b26
Opcode Fuzzy Hash: a9da489211d1b731c1e45192f9ab8e149a43e72f8c2afda3993fa0d5d137df64
Instruction Fuzzy Hash: 3E1103B5C002499FDB10CF99D585BDEBFF8EB88724F10845AE958A7641C374A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0123FE40 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0123FE9D

Memory Dump Source

Source File: 0000000E.00000002.554727320.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1230000_OEc88DZdiO.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 8013b0171dbe643946bd2689487c1af15e630c1db3f48381d13bc489f9bb3a7b
Instruction ID: b6dc8375012087c1c869ee5bab6dd6db10fb99ac58513237a8e900c76a3d02c2
Opcode Fuzzy Hash: 8013b0171dbe643946bd2689487c1af15e630c1db3f48381d13bc489f9bb3a7b
Instruction Fuzzy Hash: 9B1115B5C002099FDB10CF99D585BDFBBF8EB88324F10845AD914A7700C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D8D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.547961675.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_d8d000_OEc88DZdiO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b734092a88c68ae66c084f5d927ab4db86764bdd9855d931e6730af00f5464f
Instruction ID: 17241eb8b6e915d962d08f7b977cbaa1d5877886d67101b0ade5984f033e751d
Opcode Fuzzy Hash: 7b734092a88c68ae66c084f5d927ab4db86764bdd9855d931e6730af00f5464f
Instruction Fuzzy Hash: 292103B1504244EFDB04EF18D8C0F26BB66FB94324F24C569E9454B6C6C336E846D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00D8D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.547961675.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_d8d000_OEc88DZdiO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b77283ac9fea66fa089ac71e7fbecbbf05a95b2ca60d06d2ffe243f103f492
Instruction ID: 31b7985ee2f0a459cb0ca783e9374ba9d27d9c5aee3eaf4b7e328d8e7fae6c6e
Opcode Fuzzy Hash: 74b77283ac9fea66fa089ac71e7fbecbbf05a95b2ca60d06d2ffe243f103f492
Instruction Fuzzy Hash: 5E2106B1504244DFDF05EF14D8C0B2ABF66FB94328F2485AAE9054B2D6C336D845D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D9D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.548045946.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_d9d000_OEc88DZdiO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40727bb8e0fe14800f587703f15fc89c886bb1418b8f169f08f3a5fec3b08726
Instruction ID: 5428525f2024579b71ca0baf055821426dc4956175b2a95921816d8e4ec4a68e
Opcode Fuzzy Hash: 40727bb8e0fe14800f587703f15fc89c886bb1418b8f169f08f3a5fec3b08726
Instruction Fuzzy Hash: 6421F271604244DFDF14DF24D8C4B26BB66FB84324F24CA69E94E4B246C73AD847CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D9D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.548045946.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_d9d000_OEc88DZdiO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab3160611fff54c003976ce38d9fb14a652bc0b126a80e53aaf53958b3d711f
Instruction ID: 2c440f881ab7f507c22c04432b65b60a06cc89cbc5023051ef77baf5570e0a6f
Opcode Fuzzy Hash: 7ab3160611fff54c003976ce38d9fb14a652bc0b126a80e53aaf53958b3d711f
Instruction Fuzzy Hash: D02192755093C08FCB02CF24D990715BF72EB46314F28C5EAD8498B697C33A980ACB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D8D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.547961675.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_d8d000_OEc88DZdiO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28fa5a6574e77e61a0c17e2828a4ab5aed3429d064b06815d3d2e1fd3576c304
Instruction ID: fe1af42d52c117af508c94cd48eb177d02d5fbca6144933957606a137992f460
Opcode Fuzzy Hash: 28fa5a6574e77e61a0c17e2828a4ab5aed3429d064b06815d3d2e1fd3576c304
Instruction Fuzzy Hash: 7911B4B6804240CFCB12DF14D5C4B56BF72FB95324F28C5AAD8050B696C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D8D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.547961675.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_d8d000_OEc88DZdiO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28fa5a6574e77e61a0c17e2828a4ab5aed3429d064b06815d3d2e1fd3576c304
Instruction ID: 6a4e52899cbbc6fc97bd47b3ae558078c1f5c8db31fd6251bc99b60ebd59237d
Opcode Fuzzy Hash: 28fa5a6574e77e61a0c17e2828a4ab5aed3429d064b06815d3d2e1fd3576c304
Instruction Fuzzy Hash: AD11D376804280DFCB11DF14D5C4B56BF72FB94324F28C6A9D8450B696C336E85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0616BD04 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.563004370.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6160000_OEc88DZdiO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4621fc8236bc7ae8cb6fda80be7ed6c8ec8fbd49fccf6c3e1c50ec55d9eca614
Instruction ID: 352b6feec4de20d14bc92af47a844f6cccd39a8a232b029ffbcd57e609682fe0
Opcode Fuzzy Hash: 4621fc8236bc7ae8cb6fda80be7ed6c8ec8fbd49fccf6c3e1c50ec55d9eca614
Instruction Fuzzy Hash: 5C118B75E04149CFCB14DFA1E8959AEBB71FF86304F04005AE506E7355EB309D12CB50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dhcpmon.exePID: 5116, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	115
Total number of Limit Nodes:	4

Executed Functions

Function 058CDE90 Relevance: .9, Instructions: 889COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.428414738.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_58c0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ad35cc189bca2f4591bac613fbee08680189cb2850a14bb9f0eeb842b44b6e
Instruction ID: 2378efe05de5cde9354dd7077b7beb85dd898bd1591ff351b3c6458e6d4a60ec
Opcode Fuzzy Hash: 45ad35cc189bca2f4591bac613fbee08680189cb2850a14bb9f0eeb842b44b6e
Instruction Fuzzy Hash: E7726F71A001199FCB15DF68D894AAEBBF6FF88304F1580A9E806EB351DB34ED45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02DEACB0 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02DEAEF6

Memory Dump Source

Source File: 0000000F.00000002.421393523.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2de0000_dhcpmon.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 524dc0f455abf59114f43d79ddaed13d848904b8a384c272bba987bc481547f5
Instruction ID: feff6aec43d4827ede3b448b593eaad823021b6ce22a8c7df219d7b7ae44b8ca
Opcode Fuzzy Hash: 524dc0f455abf59114f43d79ddaed13d848904b8a384c272bba987bc481547f5
Instruction Fuzzy Hash: 4C71F570A00B068FDB24EF69D54175AB7F1FF88204F008929D58AD7B50EB75E945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02DECCAE Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02DED19E,?,?,?,?,?), ref: 02DED25F

Memory Dump Source

Source File: 0000000F.00000002.421393523.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2de0000_dhcpmon.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fa1d2d85ad1b627aa3fe28ab99911961d03f93a811814a76f0ce36d776f0dd7f
Instruction ID: 6e450b3758de16fe94525a4a1d4db1cf253844dcd5a6f5085e0b67dc25f5c7f7
Opcode Fuzzy Hash: fa1d2d85ad1b627aa3fe28ab99911961d03f93a811814a76f0ce36d776f0dd7f
Instruction Fuzzy Hash: EB2133B1C04248AFCB10CFA9D884AEEBFF8EB48320F14805AE955A7310D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0614FE00 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0614FE97

Memory Dump Source

Source File: 0000000F.00000002.428903105.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6140000_dhcpmon.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: a62168abad85435d49dfcf1d3c797c8b826e5019c91b9f7ec0bc0c88196d3b98
Instruction ID: f970aaa2c6349cc916da08c35fc234c4c375046d524d8e6e7303a4eb3ab7446d
Opcode Fuzzy Hash: a62168abad85435d49dfcf1d3c797c8b826e5019c91b9f7ec0bc0c88196d3b98
Instruction Fuzzy Hash: 4321CEB5D002099FDB10CF9AD884AEEBBF4FB48324F15842AE919A7710D774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DECD24 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02DED19E,?,?,?,?,?), ref: 02DED25F

Memory Dump Source

Source File: 0000000F.00000002.421393523.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2de0000_dhcpmon.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 75d91472b6ae8367de7e6d43109c2cc606006f8e7698891be8e1a067fc669220
Instruction ID: 98448d269b6e74d5979d820dbe3baa75b79ce9cf9a4f9202729067e2c4c8f609
Opcode Fuzzy Hash: 75d91472b6ae8367de7e6d43109c2cc606006f8e7698891be8e1a067fc669220
Instruction Fuzzy Hash: F92100B5D0020CAFDF10CFA9D984AEEBBF8EB48320F14805AE915A7310D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DED1D1 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02DED19E,?,?,?,?,?), ref: 02DED25F

Memory Dump Source

Source File: 0000000F.00000002.421393523.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2de0000_dhcpmon.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 10f5ab824998e11bd9ef7df35bc95d9dd64b7c1898f52665bf9c6ae19fcd8236
Instruction ID: 8f418478d2092e69afd80bf21d979b2f88acb024b1b234576eb032658787361e
Opcode Fuzzy Hash: 10f5ab824998e11bd9ef7df35bc95d9dd64b7c1898f52665bf9c6ae19fcd8236
Instruction Fuzzy Hash: C12100B5D00208AFDB10CFA9D984BEEBBF8EB48324F14801AE955A3310D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DEA9B0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02DEAF71,00000800,00000000,00000000), ref: 02DEB182

Memory Dump Source

Source File: 0000000F.00000002.421393523.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2de0000_dhcpmon.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: bf72272f681f360674ad938154f64023be61991e3aa46023f4621cbe378c0919
Instruction ID: 19c400d9ed8fc56dd5f9a2e637776b84a1a1bf0671f289ff47efd75734208b66
Opcode Fuzzy Hash: bf72272f681f360674ad938154f64023be61991e3aa46023f4621cbe378c0919
Instruction Fuzzy Hash: 511103B2D002499FDB10DF9AD484ADEBBF4FB48324F14846EE51AA7700C7B4A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DEB110 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02DEAF71,00000800,00000000,00000000), ref: 02DEB182

Memory Dump Source

Source File: 0000000F.00000002.421393523.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2de0000_dhcpmon.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d6743da56f46a1cf0e9875d3fa89c0ce00ee35ae174c8503841fc32f6e8b800a
Instruction ID: 70fcda56f6f37ae392cc74c9a386d56b08c7e56f6361e31ecab39355cf2e1f33
Opcode Fuzzy Hash: d6743da56f46a1cf0e9875d3fa89c0ce00ee35ae174c8503841fc32f6e8b800a
Instruction Fuzzy Hash: 6111F2B29002499FDB10CF9AC884BDEBBF4EB88324F14842ED459A7700C774A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DEAE90 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02DEAEF6

Memory Dump Source

Source File: 0000000F.00000002.421393523.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2de0000_dhcpmon.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8f4e333764dba46ece41d976980f789f63d4ef26f8207dc3d896a6ec8eda18e5
Instruction ID: 73e4859c14d2f7319cfe654933de3302b60b5756994302c45c714ec461bd7974
Opcode Fuzzy Hash: 8f4e333764dba46ece41d976980f789f63d4ef26f8207dc3d896a6ec8eda18e5
Instruction Fuzzy Hash: 301110B6D002498FDB10DF9AC444BDEFBF4EB88224F10845AD469B7700D3B4A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 058CEBE0 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.428414738.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_58c0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a2700c45b1b7ef336a6605c3e41aecb8ae84a8cb368a82c46effed0cf44d62
Instruction ID: b9382c31df1c4160559585bba005d9516bad9fb09507d13c5b4a3b6a10415eeb
Opcode Fuzzy Hash: d3a2700c45b1b7ef336a6605c3e41aecb8ae84a8cb368a82c46effed0cf44d62
Instruction Fuzzy Hash: 37125734A04208CFDB25DF68D484AAEBBF6BF49314F1585A9E94ADB361DB30EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 058CEBD2 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.428414738.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_58c0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed1bfa700b4ab9dd5a7a37b21aafffda914fb1daa907d08f4fc7a9e29de2627
Instruction ID: f5d8b2f2269cdaae6d2442db8936c3df0b5b7d612b61f72e4a684be7b80267af
Opcode Fuzzy Hash: 0ed1bfa700b4ab9dd5a7a37b21aafffda914fb1daa907d08f4fc7a9e29de2627
Instruction Fuzzy Hash: 84C13730A00209DFDB25CF69C884AAEBFF6BF49304F158599E946EB261D730ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 058CF1B0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.428414738.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_58c0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faccdf74205bfdce791aa6095793836ef5f7b2f5820dc0336f36add1bec98d3c
Instruction ID: 61fd75dbb3ee66b6837b4dfb103de07e6b4f66cefb0ea6275d1c4109399b9872
Opcode Fuzzy Hash: faccdf74205bfdce791aa6095793836ef5f7b2f5820dc0336f36add1bec98d3c
Instruction Fuzzy Hash: 217115347142059FEB15DF68C898AAA7BE6BF49244F1900E9EE06CB3A1DB74DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 058CFC98 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.428414738.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_58c0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a09e9fdc047b60eb35329c5bf4bb83c24f3b29041955aa44ceea72646dc87a4a
Instruction ID: e08ff9a63f64f305617563efb320913b6d819b4d341ac11e38d5dc8f955006be
Opcode Fuzzy Hash: a09e9fdc047b60eb35329c5bf4bb83c24f3b29041955aa44ceea72646dc87a4a
Instruction Fuzzy Hash: CB51E270E15219EBDB04CFA9D8449EDFBB2FF88304F1081AAEA15A7214D7309A51CF95

Uniqueness

Uniqueness Score: -1.00%

Function 058CFC88 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.428414738.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_58c0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a743ab645d8da50ad7e9da86401cf955aa4dbf1358264fcd89f919371678b8
Instruction ID: 3f8b62a5248c39b47e479f6735a052780a860495101dc0c5cf1649dfd0109d10
Opcode Fuzzy Hash: 16a743ab645d8da50ad7e9da86401cf955aa4dbf1358264fcd89f919371678b8
Instruction Fuzzy Hash: 1251F374E15219EFDB04CFA9D8449AEFBB2FF88304F1481AAEA11A7214D7309A51CF95

Uniqueness

Uniqueness Score: -1.00%

Function 058CF458 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.428414738.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_58c0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb2002f515901502590e736a003a013455a2c3d16b28b4e1d2f3f03873f46aa
Instruction ID: bdf57279275f45c2c33107b3346577c58f0194af3b367e3fb5e7131e85c4c4b3
Opcode Fuzzy Hash: 8fb2002f515901502590e736a003a013455a2c3d16b28b4e1d2f3f03873f46aa
Instruction Fuzzy Hash: A121AF303042194BFB256A299494B7A3E9BBFC4619B1480FDEF02CB794EE36DC419791

Uniqueness

Uniqueness Score: -1.00%

Function 058CF452 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.428414738.00000000058C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_58c0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11654b5a84bbe2ea659ac32bc2958525aa511cf0ff8685e569a3912cdd2f92ae
Instruction ID: 56163ac415ffc72348a1a52b4b279ff0edf5912afd8b83e829adf5ae5280ece5
Opcode Fuzzy Hash: 11654b5a84bbe2ea659ac32bc2958525aa511cf0ff8685e569a3912cdd2f92ae
Instruction Fuzzy Hash: 5C21CF303042194BEB256A399494A7E3EDBBF8462971480FDEF02CB795EE35DC019791

Uniqueness

Uniqueness Score: -1.00%

Function 013DD3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.420732997.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_13dd000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb2813597faefe4f982619f9516ef842b008afd596cedbe3baa4960695738dc
Instruction ID: d2eeeb3c05490c84832d2cd25e5b46a05a9bfc8cf1875e9c91cdb2a786ebaea3
Opcode Fuzzy Hash: 4bb2813597faefe4f982619f9516ef842b008afd596cedbe3baa4960695738dc
Instruction Fuzzy Hash: 732148B2504244DFCF01DF54E8C0BA6BF79FB84328F20C569E9055B686CB36E846C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 013FD09C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.420910458.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_13fd000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85cc0b5919c67c3e0de5b3f31e44e12ab13d96d460f3993a18259b8bc96d1e2
Instruction ID: d61403642e1ccae214777ee30a5c95a60b124927347804cf771cf32c90f1b741
Opcode Fuzzy Hash: a85cc0b5919c67c3e0de5b3f31e44e12ab13d96d460f3993a18259b8bc96d1e2
Instruction Fuzzy Hash: D62107B1504244EFDB41DF54D8C8B16BB69FB8431CF24C56DEA094B746C73AD846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 013FD32C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.420910458.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_13fd000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b33d6e54484e58971cc4f54572ed1e87431ad817efcae4a98d518808a14bb11
Instruction ID: b90717b548bd033ce2ca136363cc578b6c8d58840235b3a94443d18b145f25ed
Opcode Fuzzy Hash: 4b33d6e54484e58971cc4f54572ed1e87431ad817efcae4a98d518808a14bb11
Instruction Fuzzy Hash: DD213775604248DFCB01DF54D4C8B16BB69FB84328F24C56EEB094B746C73AD806CA61

Uniqueness

Uniqueness Score: -1.00%

Function 013FD086 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.420910458.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_13fd000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9578e0af182f65f65992b92e8c6eeba45f052b48ccb0a7bc441c4f8047e8eae8
Instruction ID: 377caaa084505385d961a0286faa5e340137624857de1e2ee3b5594b745387ec
Opcode Fuzzy Hash: 9578e0af182f65f65992b92e8c6eeba45f052b48ccb0a7bc441c4f8047e8eae8
Instruction Fuzzy Hash: 4721A1754043809FCB02CF54D984B11BFB1EB46328F28C5EED9498B267C33AD84ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013DD3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.420732997.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_13dd000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28fa5a6574e77e61a0c17e2828a4ab5aed3429d064b06815d3d2e1fd3576c304
Instruction ID: 3310de5d20d16be8ed61f853ae51ba0dccb45eb1e7c06621e729b295c7662135
Opcode Fuzzy Hash: 28fa5a6574e77e61a0c17e2828a4ab5aed3429d064b06815d3d2e1fd3576c304
Instruction Fuzzy Hash: 8511B176804280DFCB12CF54E5C4B56BF71FB84328F24C6A9D8451B656C336E45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013FD327 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.420910458.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_13fd000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 301107c08c07515c4ac3401fa3caac9d009fb17811d5e1622b7a25300d4a95ff
Instruction ID: 9f182be8d0e6131c6bb8b6dac96c6f54c18c5c9d56970a55d5dc676151f9203f
Opcode Fuzzy Hash: 301107c08c07515c4ac3401fa3caac9d009fb17811d5e1622b7a25300d4a95ff
Instruction Fuzzy Hash: 2A11DD75904280CFCB02CF14D5C8B15BFA1FB84328F28C6AEDA494B656C33AD44ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013DD651 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.420732997.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_13dd000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de00155b4f917e32ade6d5de77cc6c4e18da75fe2fb896d8a559fed1affd2dc8
Instruction ID: c8d39b51848dbd2d9071aba36a01c8f698fdf55938e3685c005eeea6431f203e
Opcode Fuzzy Hash: de00155b4f917e32ade6d5de77cc6c4e18da75fe2fb896d8a559fed1affd2dc8
Instruction Fuzzy Hash: 4801F77250834CAAE7109A59DD84762BFDCEF41278F188459EE094E6C2D7789844C6F1

Uniqueness

Uniqueness Score: -1.00%

Function 013DD650 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.420732997.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_13dd000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8202fde76fc44129fe83f7f15fb23432ca33db128660ccf07e3a9b58ce1350
Instruction ID: b3af0f4853c89e8380fea678e68b008c2db8a0485b94be5c06e33070f8665553
Opcode Fuzzy Hash: 2f8202fde76fc44129fe83f7f15fb23432ca33db128660ccf07e3a9b58ce1350
Instruction Fuzzy Hash: 1DF062725043489EE7118A59DDC4B62FFD8EB41778F18C45AEE085F686C378A844CAB1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dhcpmon.exePID: 3312, Parent PID: 5116COMMON

Execution Graph

Execution Coverage:	15.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	96
Total number of Limit Nodes:	9

Executed Functions

Function 0182B6C0 Relevance: 6.1, APIs: 4, Instructions: 126
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0182B730
GetCurrentThread.KERNEL32 ref: 0182B76D
GetCurrentProcess.KERNEL32 ref: 0182B7AA
GetCurrentThreadId.KERNEL32 ref: 0182B803

Memory Dump Source

Source File: 00000013.00000002.442081899.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1820000_dhcpmon.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 13aca564ced0e90e4d6ee14e6372f6f411e20ed129eb49a02280a7d1023298fc
Instruction ID: 3069296674f08a23d48bc17a808432be8eb831f0c886d11de9d04c72a956bce3
Opcode Fuzzy Hash: 13aca564ced0e90e4d6ee14e6372f6f411e20ed129eb49a02280a7d1023298fc
Instruction Fuzzy Hash: 415174B0D022588FDB11CFA9D5887DEBBF0FF48304F24849AE109A7650D7789988CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0182B6D0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0182B730
GetCurrentThread.KERNEL32 ref: 0182B76D
GetCurrentProcess.KERNEL32 ref: 0182B7AA
GetCurrentThreadId.KERNEL32 ref: 0182B803

Memory Dump Source

Source File: 00000013.00000002.442081899.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1820000_dhcpmon.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9c0d0838502f08b1e631b723b150475eb1879d67a3f76e5e29bce5f568b51c9f
Instruction ID: e29540419690edab49ce9acabe12773f4f054d5325c8db77e8f7d2fd3e8d42ba
Opcode Fuzzy Hash: 9c0d0838502f08b1e631b723b150475eb1879d67a3f76e5e29bce5f568b51c9f
Instruction Fuzzy Hash: 345173B0D022488FDB14CFA9D588BDEBBF0EF48304F248459E109A7750D774A988CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0182FAA0 Relevance: 1.7, APIs: 1, Instructions: 249
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0182FD0A

Memory Dump Source

Source File: 00000013.00000002.442081899.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1820000_dhcpmon.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2dec7177ccf1d96d90d81f86d3939ec6af623647fb1e7d1fa81555dbc5d4e61b
Instruction ID: 9200def00bd26b96358802b6ecbf58c734bf044629595b5b755b9643f0592a07
Opcode Fuzzy Hash: 2dec7177ccf1d96d90d81f86d3939ec6af623647fb1e7d1fa81555dbc5d4e61b
Instruction Fuzzy Hash: E8914B718093899FCF06CFA4C890AD9BFB1FF4A304F19819AE944EB262D3759945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 018293E8 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0182962E

Memory Dump Source

Source File: 00000013.00000002.442081899.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1820000_dhcpmon.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: aab562e1f122b00e564010cc1ba3c3771937f8d135f55ab42c8de62e062a3d2e
Instruction ID: 4187e92f054a3d9f01c7d52e08a54ea1922f51d23d7e2e75f548dfd734124f89
Opcode Fuzzy Hash: aab562e1f122b00e564010cc1ba3c3771937f8d135f55ab42c8de62e062a3d2e
Instruction Fuzzy Hash: 8F712770A00B158FDB25DF69C48079ABBF1FF88308F008A2DD54ADBA50E774E985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0182FBF8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0182FD0A

Memory Dump Source

Source File: 00000013.00000002.442081899.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1820000_dhcpmon.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: aab7ad4511169c4fe7c8f596c491b135eb2b592a9dd2110b78f1acd1af709799
Instruction ID: cccd13e4948c75c2bea4a84adc1ef029d2de6a1cb5ee4cf5d5b66aac408369f1
Opcode Fuzzy Hash: aab7ad4511169c4fe7c8f596c491b135eb2b592a9dd2110b78f1acd1af709799
Instruction Fuzzy Hash: 3241C0B1D003199FDF15CF99C884ADEBBB5BF48314F24822AE919AB210D775A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0182BCF9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0182BD87

Memory Dump Source

Source File: 00000013.00000002.442081899.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1820000_dhcpmon.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e6cff20a3133eea4e70d6a28f45f4f475745715cfb0bb40f84861fe02f709007
Instruction ID: c6e8a722004bd5f94b6ba268d98a8eaf1b8687d0ddb429e441c25f5a7b9cb99f
Opcode Fuzzy Hash: e6cff20a3133eea4e70d6a28f45f4f475745715cfb0bb40f84861fe02f709007
Instruction Fuzzy Hash: B02112B6D002189FDB01CFA9D984AEEBBF4EF48324F14841AE954B3310D379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0182BD00 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0182BD87

Memory Dump Source

Source File: 00000013.00000002.442081899.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1820000_dhcpmon.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d8f57449d31c54a0c18dcf9ae59f86a4a9989b95fe427b578a614e6b1bfffbc0
Instruction ID: aaf02168be22a21ce6d5de36a708d89b8ae2298ebe0598338904d755a6489a03
Opcode Fuzzy Hash: d8f57449d31c54a0c18dcf9ae59f86a4a9989b95fe427b578a614e6b1bfffbc0
Instruction Fuzzy Hash: AB21C2B5D012599FDB11CFAAD884ADEBBF8EB48324F14841AE914A7350D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01828768 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,018296A9,00000800,00000000,00000000), ref: 018298BA

Memory Dump Source

Source File: 00000013.00000002.442081899.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1820000_dhcpmon.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 52cfa86020a92cb6268d535aa2ef7f377d0186015ea24133ad2ca2ac240df27a
Instruction ID: cf922394dd26467bc36f4343589ec6a450e154d79682ba764fcb7d38ee8866da
Opcode Fuzzy Hash: 52cfa86020a92cb6268d535aa2ef7f377d0186015ea24133ad2ca2ac240df27a
Instruction Fuzzy Hash: 0B1103B6D002198FDB11CF9AC444BDEBBF4EB48314F14842EE915B7600C3B5A989CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01829849 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,018296A9,00000800,00000000,00000000), ref: 018298BA

Memory Dump Source

Source File: 00000013.00000002.442081899.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1820000_dhcpmon.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4c384ea1a1b06e2c9a6cf1931c701c8258fb861d0b11a8af6e6e30f6d41c8896
Instruction ID: 38ad0ac908ca7972cc3a4bd2df34cc0148d6efeb1fac050787dc8bd8b662b6b1
Opcode Fuzzy Hash: 4c384ea1a1b06e2c9a6cf1931c701c8258fb861d0b11a8af6e6e30f6d41c8896
Instruction Fuzzy Hash: 821112B6C00219CFDB11CFA9D484BDEBBF4AF48324F18852AD515B7600D3B4AA85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0182FE38 Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?), ref: 0182FE9D

Memory Dump Source

Source File: 00000013.00000002.442081899.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1820000_dhcpmon.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: e5d6c77c113a939fef665b63bb3d6d45da88cbe396c36f1e3517cfc5a0be39f2
Instruction ID: c7d0f18f54f2ef7fc2d0b57f6f25b220d52096c3d13bfd32833192b51b0ee840
Opcode Fuzzy Hash: e5d6c77c113a939fef665b63bb3d6d45da88cbe396c36f1e3517cfc5a0be39f2
Instruction Fuzzy Hash: A61125B5800208CFDB10CF99D484BDEBBF8FB48324F10845AD915B7600D374AA44CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 018295C8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0182962E

Memory Dump Source

Source File: 00000013.00000002.442081899.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1820000_dhcpmon.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: da37199df076cd8d9333abe50e7bdbdb1955e8891f91c60994c2dd3004aca461
Instruction ID: e962edc7666cdc524af0e60accc0178dd2fb3d58d3a8761abec2c8151c1cdfaf
Opcode Fuzzy Hash: da37199df076cd8d9333abe50e7bdbdb1955e8891f91c60994c2dd3004aca461
Instruction Fuzzy Hash: 19110FB1C006598FDB20CF9AC444ADEFBF4AB88328F10841AD919B7600D374A689CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05750438 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 0575049D

Memory Dump Source

Source File: 00000013.00000002.443032769.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5750000_dhcpmon.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 8c6cd92b683a3ffb2ec2992382d30584dd338bdb5aab76b387c788de87322ec0
Instruction ID: e79ee11a0d8883ae3b65e36da36a5480c0f614083dbcaf2340d92fdffb073d23
Opcode Fuzzy Hash: 8c6cd92b683a3ffb2ec2992382d30584dd338bdb5aab76b387c788de87322ec0
Instruction Fuzzy Hash: 341103B5C006588FCB10CF9AD5487DEFBF4AF48324F14862AD829B7640D378A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0182FE40 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?), ref: 0182FE9D

Memory Dump Source

Source File: 00000013.00000002.442081899.0000000001820000.00000040.00000800.00020000.00000000.sdmp, Offset: 01820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1820000_dhcpmon.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 040d1337678c60fc3d5c9c1a657de026db46588d7bef26c3aef2e3c347ce55ae
Instruction ID: 1c46b1e7abdba8e28c3892cd17e4b7ee97d4eb140d701f39df235851e24589f9
Opcode Fuzzy Hash: 040d1337678c60fc3d5c9c1a657de026db46588d7bef26c3aef2e3c347ce55ae
Instruction Fuzzy Hash: 561115B58002488FDB10CF99D485BDEBBF8EB48324F10845AD915B7740C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05750440 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 0575049D

Memory Dump Source

Source File: 00000013.00000002.443032769.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5750000_dhcpmon.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 906f6ca3cec1ffc2c3f65440866a509e478d0aa1437a8562ac0fefb4676f180e
Instruction ID: f5cfed458b38a4527e2adfbd2ff9be13fd4b9d96caefaff0d3738a76dcb67598
Opcode Fuzzy Hash: 906f6ca3cec1ffc2c3f65440866a509e478d0aa1437a8562ac0fefb4676f180e
Instruction Fuzzy Hash: 4111E2B1C046598FCB10CF9AD448BDEFBF4EB48324F10856AD919B7640D378A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0133D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.441440005.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_133d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1252ee3e545704efc0a2a4c323f654b85813bc9c70185b7914969239d69c01d
Instruction ID: 48e00836c615ccad0b9af49c217b236b000f7284d8009a51a350051ab4f5533c
Opcode Fuzzy Hash: f1252ee3e545704efc0a2a4c323f654b85813bc9c70185b7914969239d69c01d
Instruction Fuzzy Hash: BE2136B1504244DFEF01DF44D8C0B66BF69FBC432CF608569E9050B646C736D845C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0134D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.441475651.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_134d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69b50bc86218d0aea4f40db160f9f7b645fb82e0f243657b1341af36053af290
Instruction ID: 2ef726ab8b91b4fe3670474ffec658d67826db30f1a17a68421ab21e2a9391ae
Opcode Fuzzy Hash: 69b50bc86218d0aea4f40db160f9f7b645fb82e0f243657b1341af36053af290
Instruction Fuzzy Hash: E2213771504244DFCB15DF54D8C0B16BBA9FB94358F20C56DD9094B746C736E807CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0134D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.441475651.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_134d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d478101f38e22559fb54d333a9474cacca8ba2d86e3e4086c9812c8ab7b9efad
Instruction ID: ef1fe73f462d4e6b1b11ad6f8fcb6c6031d1051fce02f6d18818f1fac57a52ad
Opcode Fuzzy Hash: d478101f38e22559fb54d333a9474cacca8ba2d86e3e4086c9812c8ab7b9efad
Instruction Fuzzy Hash: 5A2180754083809FCB02CF54D994B11BFB1EB46214F28C5DAD8458B657C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0133D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.441440005.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_133d000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28fa5a6574e77e61a0c17e2828a4ab5aed3429d064b06815d3d2e1fd3576c304
Instruction ID: f5abcb64577c69ae73245463f7125379b7b8ce1b9adc0131260eed14d52484ce
Opcode Fuzzy Hash: 28fa5a6574e77e61a0c17e2828a4ab5aed3429d064b06815d3d2e1fd3576c304
Instruction Fuzzy Hash: 6E11B176804280CFDB12CF54D5C4B56BF72FB84328F24C6A9D9050B657C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OEc88DZdiO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OEc88DZdiO.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

C:\Users\user\AppData\Local\Temp\tmp206B.tmp

C:\Users\user\AppData\Local\Temp\tmp8227.tmp

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak

Windows Analysis Report
OEc88DZdiO.exe

Function 00DE49F8 Relevance: 2.8, Strings: 2, Instructions: 331
COMMON

Function 00DE49E8 Relevance: 2.8, Strings: 2, Instructions: 324
COMMON

Function 00DECFA1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 127
threadCOMMON

Function 00DECFB0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
threadCOMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre