Edit tour

Windows Analysis Report
Quotation Details.exe

Overview

General Information

Sample Name:	Quotation Details.exe
Analysis ID:	878709
MD5:	5ec7a9d9a56fa3eb2d6f63a555969a37
SHA1:	77719c19c79e9a1ff120981a78bf8dda6be321c5
SHA256:	dee80ff02e834fac0e59395bb2ad3a39698208dbf02eed0e7697f6d2a9d604db
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Sigma detected: Scheduled temp file as task from temp location

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

Quotation Details.exe (PID: 7120 cmdline: C:\Users\user\Desktop\Quotation Details.exe MD5: 5EC7A9D9A56FA3EB2D6F63A555969A37)

Quotation Details.exe (PID: 5328 cmdline: C:\Users\user\Desktop\Quotation Details.exe MD5: 5EC7A9D9A56FA3EB2D6F63A555969A37)

schtasks.exe (PID: 1968 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE4FD.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 2108 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpE6C3.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Quotation Details.exe (PID: 2600 cmdline: "C:\Users\user\Desktop\Quotation Details.exe" 0 MD5: 5EC7A9D9A56FA3EB2D6F63A555969A37)

Quotation Details.exe (PID: 5356 cmdline: C:\Users\user\Desktop\Quotation Details.exe MD5: 5EC7A9D9A56FA3EB2D6F63A555969A37)

Quotation Details.exe (PID: 5644 cmdline: C:\Users\user\Desktop\Quotation Details.exe MD5: 5EC7A9D9A56FA3EB2D6F63A555969A37)

dhcpmon.exe (PID: 1276 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 5EC7A9D9A56FA3EB2D6F63A555969A37)

dhcpmon.exe (PID: 2404 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 5EC7A9D9A56FA3EB2D6F63A555969A37)

dhcpmon.exe (PID: 2220 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 5EC7A9D9A56FA3EB2D6F63A555969A37)

dhcpmon.exe (PID: 5692 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 5EC7A9D9A56FA3EB2D6F63A555969A37)

dhcpmon.exe (PID: 3616 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 5EC7A9D9A56FA3EB2D6F63A555969A37)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nanocore RAT, NanoCore	Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.	APT33 The Gorgon Group	https://assets.virustotal.com/reports/2021trends.pdf https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.morphisec.com/syk-crypter-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "0d867adb-3500-4c95-b576-70e197aa", "Group": "UC1", "Domain1": "ucnano180523.ddns.net", "Domain2": "ucnano180523.ddns.net", "Port": 5899, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.622362871.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.622362871.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69463:$a: NanoCore 0x694bc:$a: NanoCore 0x694f9:$a: NanoCore 0x69572:$a: NanoCore 0x694c5:$b: ClientPlugin 0x69502:$b: ClientPlugin 0x69e00:$b: ClientPlugin 0x69e0d:$b: ClientPlugin 0x5f5e5:$e: KeepAlive 0x6994d:$g: LogClientMessage 0x698cd:$i: get_Connected 0x59899:$j: #=q 0x598c9:$j: #=q 0x59905:$j: #=q 0x5992d:$j: #=q 0x5995d:$j: #=q 0x5998d:$j: #=q 0x599bd:$j: #=q 0x599ed:$j: #=q 0x59a09:$j: #=q 0x59a39:$j: #=q
0000000D.00000002.622362871.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x694f9:$a1: NanoCore.ClientPluginHost 0x694bc:$a2: NanoCore.ClientPlugin 0x5add3:$b1: get_BuilderSettings 0x69890:$b1: get_BuilderSettings 0x69547:$b4: IClientAppHost 0x69901:$b6: AddHostEntry 0x5ad42:$b7: LogClientException 0x69970:$b7: LogClientException 0x698e5:$b8: PipeExists 0x69534:$b9: IClientLoggingHost
00000003.00000003.578596362.0000000001511000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x49ac:$a1: NanoCore.ClientPluginHost 0x4987:$a2: NanoCore.ClientPlugin 0x499d:$b4: IClientAppHost 0x8e8c:$b7: LogClientException 0x49d6:$b9: IClientLoggingHost
00000001.00000002.565244380.000000000416B000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x47e4d:$x1: NanoCore.ClientPluginHost 0x7aa6d:$x1: NanoCore.ClientPluginHost 0xad48d:$x1: NanoCore.ClientPluginHost 0x47e8a:$x2: IClientNetworkHost 0x7aaaa:$x2: IClientNetworkHost 0xad4ca:$x2: IClientNetworkHost 0x4b9bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7e5dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb0ffd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.565244380.000000000416B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.565244380.000000000416B000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x47bb5:$a: NanoCore 0x47bc5:$a: NanoCore 0x47df9:$a: NanoCore 0x47e0d:$a: NanoCore 0x47e4d:$a: NanoCore 0x7a7d5:$a: NanoCore 0x7a7e5:$a: NanoCore 0x7aa19:$a: NanoCore 0x7aa2d:$a: NanoCore 0x7aa6d:$a: NanoCore 0xad1f5:$a: NanoCore 0xad205:$a: NanoCore 0xad439:$a: NanoCore 0xad44d:$a: NanoCore 0xad48d:$a: NanoCore 0x47c14:$b: ClientPlugin 0x47e16:$b: ClientPlugin 0x47e56:$b: ClientPlugin 0x7a834:$b: ClientPlugin 0x7aa36:$b: ClientPlugin 0x7aa76:$b: ClientPlugin
00000001.00000002.565244380.000000000416B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x47e4d:$a1: NanoCore.ClientPluginHost 0x7aa6d:$a1: NanoCore.ClientPluginHost 0xad48d:$a1: NanoCore.ClientPluginHost 0x47e0d:$a2: NanoCore.ClientPlugin 0x7aa2d:$a2: NanoCore.ClientPlugin 0xad44d:$a2: NanoCore.ClientPlugin 0x49d66:$b1: get_BuilderSettings 0x7c986:$b1: get_BuilderSettings 0xaf3a6:$b1: get_BuilderSettings 0x47c69:$b2: ClientLoaderForm.resources 0x7a889:$b2: ClientLoaderForm.resources 0xad2a9:$b2: ClientLoaderForm.resources 0x49486:$b3: PluginCommand 0x7c0a6:$b3: PluginCommand 0xaeac6:$b3: PluginCommand 0x47e3e:$b4: IClientAppHost 0x7aa5e:$b4: IClientAppHost 0xad47e:$b4: IClientAppHost 0x522be:$b5: GetBlockHash 0x84ede:$b5: GetBlockHash 0xb78fe:$b5: GetBlockHash
0000000B.00000002.623117634.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x11d95:$a1: NanoCore.ClientPluginHost 0x11d60:$a2: NanoCore.ClientPlugin 0x11daf:$b9: IClientLoggingHost
0000000D.00000002.623726899.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1633:$a1: NanoCore.ClientPluginHost 0x15f6:$a2: NanoCore.ClientPlugin 0x19ca:$b1: get_BuilderSettings 0x1681:$b4: IClientAppHost 0x1a3b:$b6: AddHostEntry 0x1aaa:$b7: LogClientException 0x1a1f:$b8: PipeExists 0x166e:$b9: IClientLoggingHost
0000000B.00000002.623117634.0000000003A9F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.623117634.0000000003A9F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xda1:$a1: NanoCore.ClientPluginHost 0xd6c:$a2: NanoCore.ClientPlugin 0xdbb:$b9: IClientLoggingHost
0000000B.00000002.615605121.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.615605121.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.615605121.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000B.00000002.615605121.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
0000000B.00000002.621560780.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.621560780.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x693df:$a: NanoCore 0x69438:$a: NanoCore 0x69475:$a: NanoCore 0x694ee:$a: NanoCore 0x69441:$b: ClientPlugin 0x6947e:$b: ClientPlugin 0x69d7c:$b: ClientPlugin 0x69d89:$b: ClientPlugin 0x5f561:$e: KeepAlive 0x698c9:$g: LogClientMessage 0x69849:$i: get_Connected 0x59815:$j: #=q 0x59845:$j: #=q 0x59881:$j: #=q 0x598a9:$j: #=q 0x598d9:$j: #=q 0x59909:$j: #=q 0x59939:$j: #=q 0x59969:$j: #=q 0x59985:$j: #=q 0x599b5:$j: #=q
0000000B.00000002.621560780.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x69475:$a1: NanoCore.ClientPluginHost 0x69438:$a2: NanoCore.ClientPlugin 0x5ad4f:$b1: get_BuilderSettings 0x6980c:$b1: get_BuilderSettings 0x694c3:$b4: IClientAppHost 0x6987d:$b6: AddHostEntry 0x5acbe:$b7: LogClientException 0x698ec:$b7: LogClientException 0x69861:$b8: PipeExists 0x694b0:$b9: IClientLoggingHost
Process Memory Space: Quotation Details.exe PID: 7120	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x59de1:$x1: NanoCore.ClientPluginHost 0x59e1e:$x2: IClientNetworkHost 0x5d906:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x68984:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x749c9:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7fd63:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Quotation Details.exe PID: 7120	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Quotation Details.exe PID: 7120	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x59aae:$a: NanoCore 0x59abe:$a: NanoCore 0x59b7d:$a: NanoCore 0x59b8c:$a: NanoCore 0x59d8d:$a: NanoCore 0x59da1:$a: NanoCore 0x59de1:$a: NanoCore 0x64fee:$a: NanoCore 0x65000:$a: NanoCore 0x6503c:$a: NanoCore 0x71033:$a: NanoCore 0x71045:$a: NanoCore 0x71081:$a: NanoCore 0x7c3cd:$a: NanoCore 0x7c3df:$a: NanoCore 0x7c41b:$a: NanoCore 0x59b0d:$b: ClientPlugin 0x59bd6:$b: ClientPlugin 0x59daa:$b: ClientPlugin 0x59dea:$b: ClientPlugin 0x65009:$b: ClientPlugin
Process Memory Space: Quotation Details.exe PID: 7120	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59de1:$a1: NanoCore.ClientPluginHost 0x59da1:$a2: NanoCore.ClientPlugin 0x5bcaf:$b1: get_BuilderSettings 0x59b62:$b2: ClientLoaderForm.resources 0x5b3cf:$b3: PluginCommand 0x59dd2:$b4: IClientAppHost 0x641fa:$b5: GetBlockHash 0x5c307:$b6: AddHostEntry 0x6741e:$b6: AddHostEntry 0x73463:$b6: AddHostEntry 0x7e7fd:$b6: AddHostEntry 0x5fffa:$b7: LogClientException 0x6af5f:$b7: LogClientException 0x76fa4:$b7: LogClientException 0x8233e:$b7: LogClientException 0x5c274:$b8: PipeExists 0x67392:$b8: PipeExists 0x733d7:$b8: PipeExists 0x7e771:$b8: PipeExists 0x59e0b:$b9: IClientLoggingHost
Process Memory Space: Quotation Details.exe PID: 5328	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6398a:$a1: NanoCore.ClientPluginHost 0x63965:$a2: NanoCore.ClientPlugin 0x6397b:$b4: IClientAppHost 0x67e04:$b7: LogClientException 0x639b4:$b9: IClientLoggingHost
Process Memory Space: Quotation Details.exe PID: 5644	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xa80f:$x1: NanoCore.ClientPluginHost 0xe153:$x1: NanoCore.ClientPluginHost 0x243bc:$x1: NanoCore.ClientPluginHost 0x47cec:$x1: NanoCore.ClientPluginHost 0xa83c:$x2: IClientNetworkHost 0xe190:$x2: IClientNetworkHost 0x243e9:$x2: IClientNetworkHost 0x47d06:$x2: IClientNetworkHost 0x11c81:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1cd07:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Quotation Details.exe PID: 5644	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Quotation Details.exe PID: 5644	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4be7:$a: NanoCore 0xa7c5:$a: NanoCore 0xa7da:$a: NanoCore 0xa80f:$a: NanoCore 0xabb9:$a: NanoCore 0xabcc:$a: NanoCore 0xabfe:$a: NanoCore 0xde20:$a: NanoCore 0xde30:$a: NanoCore 0xdeef:$a: NanoCore 0xdefe:$a: NanoCore 0xe0ff:$a: NanoCore 0xe113:$a: NanoCore 0xe153:$a: NanoCore 0x19371:$a: NanoCore 0x19383:$a: NanoCore 0x193bf:$a: NanoCore 0x24372:$a: NanoCore 0x24387:$a: NanoCore 0x243bc:$a: NanoCore 0x26733:$a: NanoCore
Process Memory Space: Quotation Details.exe PID: 5644	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xa80f:$a1: NanoCore.ClientPluginHost 0xe153:$a1: NanoCore.ClientPluginHost 0x243bc:$a1: NanoCore.ClientPluginHost 0x47cec:$a1: NanoCore.ClientPluginHost 0xa7da:$a2: NanoCore.ClientPlugin 0xe113:$a2: NanoCore.ClientPlugin 0x24387:$a2: NanoCore.ClientPlugin 0x47caf:$a2: NanoCore.ClientPlugin 0x1002a:$b1: get_BuilderSettings 0x2e1e1:$b1: get_BuilderSettings 0x41446:$b1: get_BuilderSettings 0xded4:$b2: ClientLoaderForm.resources 0xf74a:$b3: PluginCommand 0xe144:$b4: IClientAppHost 0x47d3a:$b4: IClientAppHost 0x1857d:$b5: GetBlockHash 0x10682:$b6: AddHostEntry 0x1b7a1:$b6: AddHostEntry 0x4804d:$b6: AddHostEntry 0x14375:$b7: LogClientException 0x1f2e2:$b7: LogClientException
Process Memory Space: dhcpmon.exe PID: 2220	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 2220	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x412:$a: NanoCore 0x46d:$a: NanoCore 0x4e1:$a: NanoCore 0x15959:$a: NanoCore 0x159b2:$a: NanoCore 0x159ef:$a: NanoCore 0x15a68:$a: NanoCore 0x161f6:$a: NanoCore 0x16249:$a: NanoCore 0x16282:$a: NanoCore 0x162f5:$a: NanoCore 0x16df2:$a: NanoCore 0x1e466:$a: NanoCore 0x1e47a:$a: NanoCore 0x1f53d:$a: NanoCore 0x25108:$a: NanoCore 0x25161:$a: NanoCore 0x2519e:$a: NanoCore 0x25217:$a: NanoCore 0x25ad0:$a: NanoCore 0x25b23:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 2220	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x159ef:$a1: NanoCore.ClientPluginHost 0x2519e:$a1: NanoCore.ClientPluginHost 0x159b2:$a2: NanoCore.ClientPlugin 0x25161:$a2: NanoCore.ClientPlugin 0xf149:$b1: get_BuilderSettings 0x25518:$b1: get_BuilderSettings 0x2c60b:$b1: get_BuilderSettings 0x15a3d:$b4: IClientAppHost 0x251ec:$b4: IClientAppHost 0x15d50:$b6: AddHostEntry 0x25589:$b6: AddHostEntry 0xf0b8:$b7: LogClientException 0x255f8:$b7: LogClientException 0x2c57a:$b7: LogClientException 0x15d34:$b8: PipeExists 0x2556d:$b8: PipeExists 0x15a2a:$b9: IClientLoggingHost 0x251d9:$b9: IClientLoggingHost
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.Quotation Details.exe.3aa95e8.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
11.2.Quotation Details.exe.3aa95e8.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0xf7c7:$s5: IClientLoggingHost
11.2.Quotation Details.exe.3aa95e8.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin
11.2.Quotation Details.exe.3aa95e8.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0xf7c7:$b9: IClientLoggingHost
1.2.Quotation Details.exe.41a2cc0.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.Quotation Details.exe.41a2cc0.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.Quotation Details.exe.41a2cc0.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.Quotation Details.exe.41a2cc0.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
1.2.Quotation Details.exe.41a2cc0.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.Quotation Details.exe.41a2cc0.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
13.2.dhcpmon.exe.2b89684.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
13.2.dhcpmon.exe.2b89684.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
13.2.dhcpmon.exe.2b89684.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
13.2.dhcpmon.exe.2b89684.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
11.2.Quotation Details.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.Quotation Details.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
11.2.Quotation Details.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.Quotation Details.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
11.2.Quotation Details.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
11.2.Quotation Details.exe.400000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
13.2.dhcpmon.exe.3b6b7be.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
13.2.dhcpmon.exe.3b6b7be.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
13.2.dhcpmon.exe.3b6b7be.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
13.2.dhcpmon.exe.3b6b7be.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
11.2.Quotation Details.exe.3aadc11.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
11.2.Quotation Details.exe.3aadc11.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0xb19e:$s5: IClientLoggingHost
11.2.Quotation Details.exe.3aadc11.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin
11.2.Quotation Details.exe.3aadc11.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0xb19e:$b9: IClientLoggingHost
11.2.Quotation Details.exe.3aa95e8.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
11.2.Quotation Details.exe.3aa95e8.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xd9c7:$s5: IClientLoggingHost
11.2.Quotation Details.exe.3aa95e8.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
11.2.Quotation Details.exe.3aa95e8.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
1.2.Quotation Details.exe.41d58e0.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.Quotation Details.exe.41d58e0.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.Quotation Details.exe.41d58e0.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.Quotation Details.exe.41d58e0.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
1.2.Quotation Details.exe.41d58e0.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.Quotation Details.exe.41d58e0.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
11.2.Quotation Details.exe.2aa9600.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
11.2.Quotation Details.exe.2aa9600.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
11.2.Quotation Details.exe.2aa9600.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
11.2.Quotation Details.exe.2aa9600.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
1.2.Quotation Details.exe.41a2cc0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x757cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x7580a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7933d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.Quotation Details.exe.41a2cc0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.Quotation Details.exe.41a2cc0.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42b15:$x1: NanoCore Client 0x42b25:$x1: NanoCore Client 0x75535:$x1: NanoCore Client 0x75545:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42d6d:$x2: NanoCore.ClientPlugin 0x7578d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42dad:$x3: NanoCore.ClientPluginHost 0x757cd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42d62:$i1: IClientApp 0x75782:$i1: IClientApp 0x10163:$i2: IClientData 0x42d83:$i2: IClientData 0x757a3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42d8f:$i3: IClientNetwork 0x757af:$i3: IClientNetwork
1.2.Quotation Details.exe.41a2cc0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0x75535:$a: NanoCore 0x75545:$a: NanoCore 0x75779:$a: NanoCore 0x7578d:$a: NanoCore 0x757cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin
1.2.Quotation Details.exe.41a2cc0.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42dad:$a1: NanoCore.ClientPluginHost 0x757cd:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42d6d:$a2: NanoCore.ClientPlugin 0x7578d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44cc6:$b1: get_BuilderSettings 0x776e6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x42bc9:$b2: ClientLoaderForm.resources 0x755e9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x443e6:$b3: PluginCommand 0x76e06:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42d9e:$b4: IClientAppHost 0x757be:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d21e:$b5: GetBlockHash 0x7fc3e:$b5: GetBlockHash
1.2.Quotation Details.exe.41d58e0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.Quotation Details.exe.41d58e0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.Quotation Details.exe.41d58e0.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42915:$x1: NanoCore Client 0x42925:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42b6d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42bad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42b62:$i1: IClientApp 0x10163:$i2: IClientData 0x42b83:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42b8f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x42b9e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x42bc7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x42bd7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
1.2.Quotation Details.exe.41d58e0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x756a7:$c: ProjectData 0xe3ec7:$c: ProjectData 0x10a82:$d: DESCrypto
1.2.Quotation Details.exe.41d58e0.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42bad:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42b6d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44ac6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x429c9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x441e6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42b9e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d01e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x4511e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x48e11:$b7: LogClientException 0x1266b:$b8: PipeExists 0x4508b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
1.2.Quotation Details.exe.416bca0.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x471ad:$x1: NanoCore.ClientPluginHost 0x79dcd:$x1: NanoCore.ClientPluginHost 0xac7ed:$x1: NanoCore.ClientPluginHost 0x471ea:$x2: IClientNetworkHost 0x79e0a:$x2: IClientNetworkHost 0xac82a:$x2: IClientNetworkHost 0x4ad1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7d93d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb035d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.Quotation Details.exe.416bca0.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.Quotation Details.exe.416bca0.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x46f15:$x1: NanoCore Client 0x46f25:$x1: NanoCore Client 0x79b35:$x1: NanoCore Client 0x79b45:$x1: NanoCore Client 0xac555:$x1: NanoCore Client 0xac565:$x1: NanoCore Client 0x4716d:$x2: NanoCore.ClientPlugin 0x79d8d:$x2: NanoCore.ClientPlugin 0xac7ad:$x2: NanoCore.ClientPlugin 0x471ad:$x3: NanoCore.ClientPluginHost 0x79dcd:$x3: NanoCore.ClientPluginHost 0xac7ed:$x3: NanoCore.ClientPluginHost 0x47162:$i1: IClientApp 0x79d82:$i1: IClientApp 0xac7a2:$i1: IClientApp 0x47183:$i2: IClientData 0x79da3:$i2: IClientData 0xac7c3:$i2: IClientData 0x4718f:$i3: IClientNetwork 0x79daf:$i3: IClientNetwork 0xac7cf:$i3: IClientNetwork
1.2.Quotation Details.exe.416bca0.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x46f15:$a: NanoCore 0x46f25:$a: NanoCore 0x47159:$a: NanoCore 0x4716d:$a: NanoCore 0x471ad:$a: NanoCore 0x79b35:$a: NanoCore 0x79b45:$a: NanoCore 0x79d79:$a: NanoCore 0x79d8d:$a: NanoCore 0x79dcd:$a: NanoCore 0xac555:$a: NanoCore 0xac565:$a: NanoCore 0xac799:$a: NanoCore 0xac7ad:$a: NanoCore 0xac7ed:$a: NanoCore 0x46f74:$b: ClientPlugin 0x47176:$b: ClientPlugin 0x471b6:$b: ClientPlugin 0x79b94:$b: ClientPlugin 0x79d96:$b: ClientPlugin 0x79dd6:$b: ClientPlugin
1.2.Quotation Details.exe.416bca0.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x471ad:$a1: NanoCore.ClientPluginHost 0x79dcd:$a1: NanoCore.ClientPluginHost 0xac7ed:$a1: NanoCore.ClientPluginHost 0x4716d:$a2: NanoCore.ClientPlugin 0x79d8d:$a2: NanoCore.ClientPlugin 0xac7ad:$a2: NanoCore.ClientPlugin 0x490c6:$b1: get_BuilderSettings 0x7bce6:$b1: get_BuilderSettings 0xae706:$b1: get_BuilderSettings 0x46fc9:$b2: ClientLoaderForm.resources 0x79be9:$b2: ClientLoaderForm.resources 0xac609:$b2: ClientLoaderForm.resources 0x487e6:$b3: PluginCommand 0x7b406:$b3: PluginCommand 0xade26:$b3: PluginCommand 0x4719e:$b4: IClientAppHost 0x79dbe:$b4: IClientAppHost 0xac7de:$b4: IClientAppHost 0x5161e:$b5: GetBlockHash 0x8423e:$b5: GetBlockHash 0xb6c5e:$b5: GetBlockHash
Click to see the 52 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Quotation Details.exe, ProcessId: 5328, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE4FD.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE4FD.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\Quotation Details.exe, ParentImage: C:\Users\user\Desktop\Quotation Details.exe, ParentProcessId: 5328, ParentProcessName: Quotation Details.exe, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE4FD.tmp, ProcessId: 1968, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Snort Signatures

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424972658992816766 05/31/23-04:00:07.009857
SID:	2816766
Source Port:	49726
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424971658992816766 05/31/23-03:59:01.488743
SID:	2816766
Source Port:	49716
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424969258992816766 05/31/23-03:56:30.836452
SID:	2816766
Source Port:	49692
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424972158992025019 05/31/23-03:59:34.295435
SID:	2025019
Source Port:	49721
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424970058992816766 05/31/23-03:57:08.650888
SID:	2816766
Source Port:	49700
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424970658992816766 05/31/23-03:57:49.951823
SID:	2816766
Source Port:	49706
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424971158992025019 05/31/23-03:58:24.970043
SID:	2025019
Source Port:	49711
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424970158992025019 05/31/23-03:57:13.870857
SID:	2025019
Source Port:	49701
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424971058992816766 05/31/23-03:58:19.657024
SID:	2816766
Source Port:	49710
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424972758992025019 05/31/23-04:00:12.125417
SID:	2025019
Source Port:	49727
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424971458992025019 05/31/23-03:58:45.735743
SID:	2025019
Source Port:	49714
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424971758992025019 05/31/23-03:59:08.572866
SID:	2025019
Source Port:	49717
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424969858992816766 05/31/23-03:56:54.146303
SID:	2816766
Source Port:	49698
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424970958992816718 05/31/23-03:58:12.396923
SID:	2816718
Source Port:	49709
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424972458992025019 05/31/23-03:59:52.535511
SID:	2025019
Source Port:	49724
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424972358992816766 05/31/23-03:59:47.414495
SID:	2816766
Source Port:	49723
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424971358992816766 05/31/23-03:58:40.308766
SID:	2816766
Source Port:	49713
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424970358992816766 05/31/23-03:57:29.347255
SID:	2816766
Source Port:	49703
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424969958992816718 05/31/23-03:57:00.431618
SID:	2816718
Source Port:	49699
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424970158992816766 05/31/23-03:57:14.834913
SID:	2816766
Source Port:	49701
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424970858992816766 05/31/23-03:58:04.738849
SID:	2816766
Source Port:	49708
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424971158992816766 05/31/23-03:58:26.204064
SID:	2816766
Source Port:	49711
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424972658992025019 05/31/23-04:00:05.187162
SID:	2025019
Source Port:	49726
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424971858992816766 05/31/23-03:59:17.099573
SID:	2816766
Source Port:	49718
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424972158992816766 05/31/23-03:59:35.241904
SID:	2816766
Source Port:	49721
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424971658992025019 05/31/23-03:58:59.883660
SID:	2025019
Source Port:	49716
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424969258992025019 05/31/23-03:56:25.759325
SID:	2025019
Source Port:	49692
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424970758992025019 05/31/23-03:57:55.475825
SID:	2025019
Source Port:	49707
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424972058992816766 05/31/23-03:59:29.175573
SID:	2816766
Source Port:	49720
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424970258992816766 05/31/23-03:57:22.488525
SID:	2816766
Source Port:	49702
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424971958992816766 05/31/23-03:59:23.103459
SID:	2816766
Source Port:	49719
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424969358992025019 05/31/23-03:56:36.589109
SID:	2025019
Source Port:	49693
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424970658992025019 05/31/23-03:57:48.142985
SID:	2025019
Source Port:	49706
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424972558992025019 05/31/23-03:59:58.620724
SID:	2025019
Source Port:	49725
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 45.12.253.242 - Destination IP: 192.168.2.4

Timestamp:	45.12.253.242192.168.2.45899496922841753 05/31/23-03:56:30.589443
SID:	2841753
Source Port:	5899
Destination Port:	49692
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424970958992816766 05/31/23-03:58:12.396923
SID:	2816766
Source Port:	49709
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424970858992025019 05/31/23-03:58:03.568164
SID:	2025019
Source Port:	49708
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424969458992025019 05/31/23-03:56:47.050579
SID:	2025019
Source Port:	49694
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424971858992025019 05/31/23-03:59:15.425860
SID:	2025019
Source Port:	49718
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424969958992816766 05/31/23-03:57:01.461077
SID:	2816766
Source Port:	49699
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424971558992025019 05/31/23-03:58:52.346146
SID:	2025019
Source Port:	49715
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424970558992025019 05/31/23-03:57:40.488645
SID:	2025019
Source Port:	49705
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424971258992816766 05/31/23-03:58:34.052236
SID:	2816766
Source Port:	49712
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424970758992816766 05/31/23-03:57:57.856787
SID:	2816766
Source Port:	49707
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keepalive Response 1 - Source IP: 45.12.253.242 - Destination IP: 192.168.2.4

Timestamp:	45.12.253.242192.168.2.45899497132810290 05/31/23-03:58:40.151665
SID:	2810290
Source Port:	5899
Destination Port:	49713
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424971758992816766 05/31/23-03:59:10.025241
SID:	2816766
Source Port:	49717
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424972058992025019 05/31/23-03:59:28.244511
SID:	2025019
Source Port:	49720
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424972258992816766 05/31/23-03:59:41.289827
SID:	2816766
Source Port:	49722
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424972758992816766 05/31/23-04:00:13.057662
SID:	2816766
Source Port:	49727
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424969458992816766 05/31/23-03:56:48.090304
SID:	2816766
Source Port:	49694
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424970058992025019 05/31/23-03:57:07.149878
SID:	2025019
Source Port:	49700
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424971058992025019 05/31/23-03:58:18.373829
SID:	2025019
Source Port:	49710
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424971858992816718 05/31/23-03:59:16.099293
SID:	2816718
Source Port:	49718
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424970358992025019 05/31/23-03:57:27.579932
SID:	2025019
Source Port:	49703
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424971358992025019 05/31/23-03:58:39.081495
SID:	2025019
Source Port:	49713
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424969958992025019 05/31/23-03:56:59.566501
SID:	2025019
Source Port:	49699
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keepalive Response 1 - Source IP: 45.12.253.242 - Destination IP: 192.168.2.4

Timestamp:	45.12.253.242192.168.2.45899496942810290 05/31/23-03:56:47.496805
SID:	2810290
Source Port:	5899
Destination Port:	49694
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424972358992025019 05/31/23-03:59:46.392270
SID:	2025019
Source Port:	49723
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424972458992816766 05/31/23-03:59:53.493126
SID:	2816766
Source Port:	49724
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424970458992816766 05/31/23-03:57:35.533816
SID:	2816766
Source Port:	49704
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424969858992025019 05/31/23-03:56:53.190117
SID:	2025019
Source Port:	49698
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424970958992025019 05/31/23-03:58:11.627033
SID:	2025019
Source Port:	49709
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424971258992025019 05/31/23-03:58:31.969396
SID:	2025019
Source Port:	49712
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424971958992025019 05/31/23-03:59:22.203113
SID:	2025019
Source Port:	49719
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424972258992025019 05/31/23-03:59:40.358095
SID:	2025019
Source Port:	49722
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424972558992816766 05/31/23-03:59:59.543859
SID:	2816766
Source Port:	49725
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424969358992816766 05/31/23-03:56:38.356653
SID:	2816766
Source Port:	49693
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424971558992816766 05/31/23-03:58:53.787555
SID:	2816766
Source Port:	49715
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424970258992025019 05/31/23-03:57:20.083306
SID:	2025019
Source Port:	49702
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 45.12.253.242

Timestamp:	192.168.2.445.12.253.2424970558992816766 05/31/23-03:57:41.435019
SID:	2816766
Source Port:	49705
Destination Port:	5899
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000D.00000002.622362871.0000000002B21000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "0d867adb-3500-4c95-b576-70e197aa", "Group": "UC1", "Domain1": "ucnano180523.ddns.net", "Domain2": "ucnano180523.ddns.net", "Port": 5899, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for submitted file

Source: Quotation Details.exe	ReversingLabs: Detection: 41%
Source: Quotation Details.exe	Virustotal: Detection: 54%			Perma Link

Multi AV Scanner detection for domain / URL

Source: ucnano180523.ddns.net

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

ReversingLabs: Detection: 41%

Yara detected Nanocore RAT

Source: Yara match	File source: 1.2.Quotation Details.exe.41a2cc0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Quotation Details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Quotation Details.exe.41d58e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Quotation Details.exe.41a2cc0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Quotation Details.exe.41d58e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Quotation Details.exe.416bca0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.622362871.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.565244380.000000000416B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.623117634.0000000003A9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.615605121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.621560780.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation Details.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Quotation Details.exe PID: 5644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 2220, type: MEMORYSTR

Machine Learning detection for sample

Source: Quotation Details.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox ML: detected

Source: Quotation Details.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Quotation Details.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wHvwr.pdbSHA256 source: Quotation Details.exe, dhcpmon.exe.3.dr
Source:	Binary string: wHvwr.pdb source: Quotation Details.exe, dhcpmon.exe.3.dr

Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 4x nop then jmp 07799C9Dh	1_2_077990D0
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 4x nop then jmp 068D9C9Dh	8_2_068D90D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then jmp 06899C9Dh	9_2_068990D0

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49692 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49692 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.12.253.242:5899 -> 192.168.2.4:49692
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49693 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49693 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49694 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 45.12.253.242:5899 -> 192.168.2.4:49694
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49694 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49698 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49698 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49699 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49699 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.4:49699 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49700 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49700 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49701 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49701 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49702 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49702 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49703 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49703 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49704 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49705 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49705 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49706 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49706 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49707 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49707 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49708 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49708 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49709 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49709 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.4:49709 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49710 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49710 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49711 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49711 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49712 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49712 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49713 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49713 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 45.12.253.242:5899 -> 192.168.2.4:49713
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49714 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49715 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49715 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49716 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49716 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49717 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49717 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49718 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49718 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.4:49718 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49719 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49719 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49720 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49720 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49721 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49721 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49722 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49722 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49723 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49723 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49724 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49724 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49725 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49725 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49726 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49726 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49727 -> 45.12.253.242:5899
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49727 -> 45.12.253.242:5899

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: ucnano180523.ddns.net

Uses dynamic DNS services

Source: unknown

DNS query: name: ucnano180523.ddns.net

Source: Joe Sandbox View

ASN Name: CMCSUS CMCSUS

Source: global traffic

TCP traffic: 192.168.2.4:49692 -> 45.12.253.242:5899

Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quotation Details.exe, 00000001.00000003.548377237.0000000005EDC000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548541678.0000000005EDC000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548420477.0000000005EDE000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548217840.0000000005EDE000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.547570175.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.547404517.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548068960.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548329912.0000000005EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comcy
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.562763120.0000000005ED0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Quotation Details.exe, 00000001.00000003.550525064.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550699168.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550558059.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550467557.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550499127.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550644679.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550597180.0000000005F17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designP
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Quotation Details.exe, 00000001.00000003.550212944.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550286641.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550396489.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550324044.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550429788.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550245065.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550355346.0000000005F17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quotation Details.exe, 00000001.00000003.562763120.0000000005ED0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comionawv&
Source: Quotation Details.exe, 00000001.00000003.562763120.0000000005ED0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comt
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Quotation Details.exe, 00000001.00000003.545601428.0000000005F0D000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.545546949.0000000005F0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quotation Details.exe, 00000001.00000003.545506291.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnIT
Source: Quotation Details.exe, 00000001.00000003.545506291.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnd
Source: Quotation Details.exe, 00000001.00000003.545546949.0000000005F0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cns
Source: Quotation Details.exe, 00000001.00000003.554105421.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quotation Details.exe, 00000001.00000003.553838850.0000000005EDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmI
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quotation Details.exe, 00000001.00000003.548388819.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548217840.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548453978.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548068960.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/)v
Source: Quotation Details.exe, 00000001.00000003.547570175.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.547404517.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/6va
Source: Quotation Details.exe, 00000001.00000003.548217840.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548068960.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Ev4
Source: Quotation Details.exe, 00000001.00000003.548388819.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548217840.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548453978.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.547570175.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.547404517.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548068960.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/P
Source: Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Quotation Details.exe, 00000001.00000003.548388819.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548453978.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: Quotation Details.exe, 00000001.00000003.548388819.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548217840.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548453978.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548068960.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ZvM
Source: Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/iv
Source: Quotation Details.exe, 00000001.00000003.548388819.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548217840.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548453978.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548068960.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Quotation Details.exe, 00000001.00000003.548388819.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548217840.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548453978.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548068960.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/6va
Source: Quotation Details.exe, 00000001.00000003.548388819.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548453978.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Ev4
Source: Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/wv&
Source: Quotation Details.exe, 00000001.00000003.548388819.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548217840.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548453978.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.547570175.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.547404517.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548068960.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: Quotation Details.exe, 00000001.00000003.554999096.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.554980127.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.555039584.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.555016211.0000000005F16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.
Source: Quotation Details.exe, 00000001.00000003.545081296.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.543997545.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544102018.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544324148.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.543851711.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544923288.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544135306.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544576997.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.545124936.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544981372.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544453838.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544885298.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544065041.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544853168.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544647907.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544265316.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.543937043.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544537246.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.543970292.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544010760.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548959861.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.549053710.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.549004017.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.549031471.0000000005F16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: ucnano180523.ddns.net

Source: Quotation Details.exe, 00000001.00000002.563085825.00000000011A9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: Quotation Details.exe, 0000000B.00000002.623117634.0000000003ABA000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 1.2.Quotation Details.exe.41a2cc0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Quotation Details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Quotation Details.exe.41d58e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Quotation Details.exe.41a2cc0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Quotation Details.exe.41d58e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Quotation Details.exe.416bca0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.622362871.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.565244380.000000000416B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.623117634.0000000003A9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.615605121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.621560780.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation Details.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Quotation Details.exe PID: 5644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 2220, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.Quotation Details.exe.3aa95e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 11.2.Quotation Details.exe.3aa95e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.Quotation Details.exe.3aa95e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.Quotation Details.exe.41a2cc0.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.Quotation Details.exe.41a2cc0.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.Quotation Details.exe.41a2cc0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Quotation Details.exe.41a2cc0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.dhcpmon.exe.2b89684.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.dhcpmon.exe.2b89684.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.dhcpmon.exe.2b89684.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.Quotation Details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 11.2.Quotation Details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.Quotation Details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.Quotation Details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 13.2.dhcpmon.exe.3b6b7be.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 13.2.dhcpmon.exe.3b6b7be.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 13.2.dhcpmon.exe.3b6b7be.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.Quotation Details.exe.3aadc11.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 11.2.Quotation Details.exe.3aadc11.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.Quotation Details.exe.3aadc11.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.Quotation Details.exe.3aa95e8.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 11.2.Quotation Details.exe.3aa95e8.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.Quotation Details.exe.3aa95e8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.Quotation Details.exe.41d58e0.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.Quotation Details.exe.41d58e0.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.Quotation Details.exe.41d58e0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Quotation Details.exe.41d58e0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.Quotation Details.exe.2aa9600.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 11.2.Quotation Details.exe.2aa9600.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.Quotation Details.exe.2aa9600.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.Quotation Details.exe.41a2cc0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.Quotation Details.exe.41a2cc0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.Quotation Details.exe.41a2cc0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Quotation Details.exe.41a2cc0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.Quotation Details.exe.41d58e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.Quotation Details.exe.41d58e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.Quotation Details.exe.41d58e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Quotation Details.exe.41d58e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.Quotation Details.exe.416bca0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.Quotation Details.exe.416bca0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.Quotation Details.exe.416bca0.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Quotation Details.exe.416bca0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.622362871.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.622362871.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000003.578596362.0000000001511000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.565244380.000000000416B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000001.00000002.565244380.000000000416B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.565244380.000000000416B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000B.00000002.623117634.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000D.00000002.623726899.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000B.00000002.623117634.0000000003A9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000B.00000002.615605121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000B.00000002.615605121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.615605121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000B.00000002.621560780.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.621560780.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: Quotation Details.exe PID: 7120, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: Quotation Details.exe PID: 7120, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation Details.exe PID: 7120, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: Quotation Details.exe PID: 5328, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: Quotation Details.exe PID: 5644, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: Quotation Details.exe PID: 5644, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation Details.exe PID: 5644, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dhcpmon.exe PID: 2220, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 2220, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Quotation Details.exe

Source: Quotation Details.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 11.2.Quotation Details.exe.3aa95e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.Quotation Details.exe.3aa95e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.Quotation Details.exe.3aa95e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.Quotation Details.exe.3aa95e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.Quotation Details.exe.41a2cc0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.Quotation Details.exe.41a2cc0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.Quotation Details.exe.41a2cc0.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.Quotation Details.exe.41a2cc0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Quotation Details.exe.41a2cc0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.dhcpmon.exe.2b89684.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.dhcpmon.exe.2b89684.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.dhcpmon.exe.2b89684.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.dhcpmon.exe.2b89684.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.Quotation Details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.Quotation Details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.Quotation Details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.Quotation Details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.Quotation Details.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 13.2.dhcpmon.exe.3b6b7be.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.dhcpmon.exe.3b6b7be.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.dhcpmon.exe.3b6b7be.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 13.2.dhcpmon.exe.3b6b7be.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.Quotation Details.exe.3aadc11.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.Quotation Details.exe.3aadc11.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.Quotation Details.exe.3aadc11.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.Quotation Details.exe.3aadc11.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.Quotation Details.exe.3aa95e8.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.Quotation Details.exe.3aa95e8.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.Quotation Details.exe.3aa95e8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.Quotation Details.exe.3aa95e8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.Quotation Details.exe.41d58e0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.Quotation Details.exe.41d58e0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.Quotation Details.exe.41d58e0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.Quotation Details.exe.41d58e0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Quotation Details.exe.41d58e0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.Quotation Details.exe.2aa9600.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.Quotation Details.exe.2aa9600.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.Quotation Details.exe.2aa9600.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.Quotation Details.exe.2aa9600.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.Quotation Details.exe.41a2cc0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.Quotation Details.exe.41a2cc0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.Quotation Details.exe.41a2cc0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Quotation Details.exe.41a2cc0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.Quotation Details.exe.41d58e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.Quotation Details.exe.41d58e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.Quotation Details.exe.41d58e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Quotation Details.exe.41d58e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.Quotation Details.exe.416bca0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.Quotation Details.exe.416bca0.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.Quotation Details.exe.416bca0.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Quotation Details.exe.416bca0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.622362871.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.622362871.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000003.578596362.0000000001511000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.565244380.000000000416B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.565244380.000000000416B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.565244380.000000000416B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000B.00000002.623117634.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000D.00000002.623726899.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000B.00000002.623117634.0000000003A9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000B.00000002.615605121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000002.615605121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.615605121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000B.00000002.621560780.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.621560780.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: Quotation Details.exe PID: 7120, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: Quotation Details.exe PID: 7120, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Quotation Details.exe PID: 7120, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: Quotation Details.exe PID: 5328, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: Quotation Details.exe PID: 5644, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: Quotation Details.exe PID: 5644, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Quotation Details.exe PID: 5644, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dhcpmon.exe PID: 2220, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 2220, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 1_2_02E0C284	1_2_02E0C284
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 1_2_02E0E640	1_2_02E0E640
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 1_2_02E0E650	1_2_02E0E650
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 1_2_0779B168	1_2_0779B168
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 1_2_077990D0	1_2_077990D0
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 1_2_07790DB0	1_2_07790DB0
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 1_2_07792248	1_2_07792248
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 1_2_07790818	1_2_07790818
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 1_2_077990C0	1_2_077990C0
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 8_2_00B6C284	8_2_00B6C284
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 8_2_00B6E650	8_2_00B6E650
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 8_2_00B6E640	8_2_00B6E640
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 8_2_04AA5020	8_2_04AA5020
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 8_2_04AA4FF1	8_2_04AA4FF1
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 8_2_068DB308	8_2_068DB308
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 8_2_068D90D0	8_2_068D90D0
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 8_2_068D2248	8_2_068D2248
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 8_2_068D0DB0	8_2_068D0DB0
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 8_2_068D080A	8_2_068D080A
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 8_2_068D0818	8_2_068D0818
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_00A9C284	9_2_00A9C284
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_00A9E640	9_2_00A9E640
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_00A9E650	9_2_00A9E650
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_04FBE6F9	9_2_04FBE6F9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_04FBE050	9_2_04FBE050
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_04FB0040	9_2_04FB0040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_04FB001E	9_2_04FB001E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_04FB8E11	9_2_04FB8E11
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_04FBEBB6	9_2_04FBEBB6
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_04FB5410	9_2_04FB5410
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_04FB95B8	9_2_04FB95B8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_04FB95A8	9_2_04FB95A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_04FB1828	9_2_04FB1828
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_04FB1817	9_2_04FB1817
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_04FB9990	9_2_04FB9990
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_04FBBB07	9_2_04FBBB07
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_068990D0	9_2_068990D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_06892248	9_2_06892248
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_06890DB0	9_2_06890DB0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_0689080A	9_2_0689080A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_06890818	9_2_06890818
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_04FB1AC8	9_2_04FB1AC8

Source: Quotation Details.exe, 00000001.00000002.563939613.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Quotation Details.exe
Source: Quotation Details.exe, 00000001.00000000.540900984.0000000000CFC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewHvwr.exe4 vs Quotation Details.exe
Source: Quotation Details.exe, 00000001.00000002.563085825.00000000011A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quotation Details.exe
Source: Quotation Details.exe, 00000001.00000002.565244380.000000000416B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRegive.dll4 vs Quotation Details.exe
Source: Quotation Details.exe, 00000001.00000002.569619696.00000000077A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRegive.dll4 vs Quotation Details.exe
Source: Quotation Details.exe, 00000003.00000003.569077079.00000000014D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewHvwr.exe4 vs Quotation Details.exe
Source: Quotation Details.exe, 00000003.00000003.578596362.0000000001511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Quotation Details.exe
Source: Quotation Details.exe, 00000008.00000002.592800003.000000000254C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Quotation Details.exe
Source: Quotation Details.exe, 00000008.00000002.594795186.0000000003864000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRegive.dll4 vs Quotation Details.exe
Source: Quotation Details.exe, 00000008.00000002.589866445.00000000007F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quotation Details.exe
Source: Quotation Details.exe, 0000000B.00000002.617603566.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quotation Details.exe
Source: Quotation Details.exe, 0000000B.00000002.623117634.0000000003AC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Quotation Details.exe
Source: Quotation Details.exe, 0000000B.00000002.623117634.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Quotation Details.exe
Source: Quotation Details.exe, 0000000B.00000002.623117634.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Quotation Details.exe
Source: Quotation Details.exe, 0000000B.00000002.621560780.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Quotation Details.exe
Source: Quotation Details.exe, 0000000B.00000002.621560780.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Quotation Details.exe
Source: Quotation Details.exe	Binary or memory string: OriginalFilenamewHvwr.exe4 vs Quotation Details.exe

Source: Quotation Details.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Quotation Details.exe	ReversingLabs: Detection: 41%
Source: Quotation Details.exe	Virustotal: Detection: 54%

Source: C:\Users\user\Desktop\Quotation Details.exe

File read: C:\Users\user\Desktop\Quotation Details.exe

Jump to behavior

Source: Quotation Details.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Quotation Details.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Quotation Details.exe C:\Users\user\Desktop\Quotation Details.exe
Source: C:\Users\user\Desktop\Quotation Details.exe	Process created: C:\Users\user\Desktop\Quotation Details.exe C:\Users\user\Desktop\Quotation Details.exe
Source: C:\Users\user\Desktop\Quotation Details.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE4FD.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation Details.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpE6C3.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\Quotation Details.exe "C:\Users\user\Desktop\Quotation Details.exe" 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: C:\Users\user\Desktop\Quotation Details.exe	Process created: C:\Users\user\Desktop\Quotation Details.exe C:\Users\user\Desktop\Quotation Details.exe
Source: C:\Users\user\Desktop\Quotation Details.exe	Process created: C:\Users\user\Desktop\Quotation Details.exe C:\Users\user\Desktop\Quotation Details.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\Quotation Details.exe	Process created: C:\Users\user\Desktop\Quotation Details.exe C:\Users\user\Desktop\Quotation Details.exe	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE4FD.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpE6C3.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process created: C:\Users\user\Desktop\Quotation Details.exe C:\Users\user\Desktop\Quotation Details.exe	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process created: C:\Users\user\Desktop\Quotation Details.exe C:\Users\user\Desktop\Quotation Details.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: C:\Users\user\Desktop\Quotation Details.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Quotation Details.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation Details.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Quotation Details.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE4FD.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@22/11@33/2

Source: Quotation Details.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Quotation Details.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5644:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:944:120:WilError_01
Source: C:\Users\user\Desktop\Quotation Details.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{0d867adb-3500-4c95-b576-70e197aae229}

Source: C:\Users\user\Desktop\Quotation Details.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: 11.2.Quotation Details.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 11.2.Quotation Details.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.Quotation Details.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\Quotation Details.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Quotation Details.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Quotation Details.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Quotation Details.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wHvwr.pdbSHA256 source: Quotation Details.exe, dhcpmon.exe.3.dr
Source:	Binary string: wHvwr.pdb source: Quotation Details.exe, dhcpmon.exe.3.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: Quotation Details.exe, TrafficSimulationSCE/MainScreen.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.0.Quotation Details.exe.c40000.0.unpack, TrafficSimulationSCE/MainScreen.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: dhcpmon.exe.3.dr, TrafficSimulationSCE/MainScreen.cs	.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.2.Quotation Details.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.Quotation Details.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 1_2_0779A5A8 push 0000005Dh; ret	1_2_0779A5D9
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 1_2_07795823 push esp; retf	1_2_07795826
Source: C:\Users\user\Desktop\Quotation Details.exe	Code function: 8_2_068D5823 push esp; retf	8_2_068D5826
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_04FBC2A0 push esp; iretd	9_2_04FBC2A1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_04FBB0C2 push eax; ret	9_2_04FBB0C9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_04FBB0C0 pushad ; ret	9_2_04FBB0C1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_06898023 push es; iretd	9_2_06898024
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 9_2_06895823 push esp; retf	9_2_06895826

Source: initial sample	Static PE information: section name: .text entropy: 7.7081753259071135
Source: initial sample	Static PE information: section name: .text entropy: 7.7081753259071135

Source: 11.2.Quotation Details.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 11.2.Quotation Details.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\Quotation Details.exe

File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Quotation Details.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE4FD.tmp

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Quotation Details.exe

File opened: C:\Users\user\Desktop\Quotation Details.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\Quotation Details.exe TID: 7108	Thread sleep time: -41202s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe TID: 7056	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe TID: 4572	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe TID: 2808	Thread sleep time: -41202s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe TID: 4292	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5384	Thread sleep time: -41202s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4940	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe TID: 6068	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5696	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7120	Thread sleep time: -41202s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6964	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1248	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Quotation Details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Quotation Details.exe	Window / User API: threadDelayed 9363	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Window / User API: foregroundWindowGot 715	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Window / User API: foregroundWindowGot 837	Jump to behavior

Source: C:\Users\user\Desktop\Quotation Details.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Quotation Details.exe	Thread delayed: delay time: 41202	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Thread delayed: delay time: 41202	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 41202	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 41202
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Quotation Details.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Quotation Details.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Quotation Details.exe	Memory written: C:\Users\user\Desktop\Quotation Details.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Memory written: C:\Users\user\Desktop\Quotation Details.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Quotation Details.exe	Process created: C:\Users\user\Desktop\Quotation Details.exe C:\Users\user\Desktop\Quotation Details.exe	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE4FD.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpE6C3.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process created: C:\Users\user\Desktop\Quotation Details.exe C:\Users\user\Desktop\Quotation Details.exe	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Process created: C:\Users\user\Desktop\Quotation Details.exe C:\Users\user\Desktop\Quotation Details.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Users\user\Desktop\Quotation Details.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Users\user\Desktop\Quotation Details.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Users\user\Desktop\Quotation Details.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Users\user\Desktop\Quotation Details.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Details.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Quotation Details.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation Details.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 1.2.Quotation Details.exe.41a2cc0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Quotation Details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Quotation Details.exe.41d58e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Quotation Details.exe.41a2cc0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Quotation Details.exe.41d58e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Quotation Details.exe.416bca0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.622362871.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.565244380.000000000416B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.623117634.0000000003A9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.615605121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.621560780.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation Details.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Quotation Details.exe PID: 5644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 2220, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: Quotation Details.exe, 00000001.00000002.565244380.000000000416B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Quotation Details.exe, 00000003.00000003.578596362.0000000001511000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Quotation Details.exe, 0000000B.00000002.623117634.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Quotation Details.exe, 0000000B.00000002.623117634.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HApplicationBaseMicrosoft.VisualBasic.ApplicationServicesUserConversionsMicrosoft.VisualBasic.CompilerServicesObjectFlowControlOperatorsProjectDataStandardModuleAttributeComputerMicrosoft.VisualBasic.DevicesHideModuleNameAttributeMyGroupCollectionAttributeContextValue`1Microsoft.VisualBasic.MyServices.InternalClientInvokeDelegateNanoCoreIClientDataNanoCore.ClientPluginIClientNetworkIClientDataHostNanoCore.ClientPluginHostIClientLoggingHostIClientNetworkHostIClientUIHostIClientNameObjectCollectionIClientReadOnlyNameObjectCollectionActivatorAppDomainArgumentOutOfRangeExceptionArrayAsyncCallbackBitConverterBooleanBufferByteCharCLSCompliantAttributeGeneratedCodeAttributeSystem.CodeDom.CompilerDictionary`2System.Collections.GenericEnumeratorIEnumerable`1KeyValuePair`2List`1IEnumeratorSystem.CollectionsEditorBrowsableAttributeSystem.ComponentModelEditorBrowsableStateApplicationSettingsBaseSystem.ConfigurationSettingsBaseDateTimeDateTimeKindDelegateDebuggerDisplayAttributeSy
Source: Quotation Details.exe, 0000000B.00000002.615605121.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Quotation Details.exe, 0000000B.00000002.623117634.0000000003A9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Quotation Details.exe, 0000000B.00000002.621560780.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Quotation Details.exe, 0000000B.00000002.621560780.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000000D.00000002.622362871.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000000D.00000002.622362871.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000000D.00000002.623726899.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000000D.00000002.623726899.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 1.2.Quotation Details.exe.41a2cc0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.Quotation Details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Quotation Details.exe.41d58e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Quotation Details.exe.41a2cc0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Quotation Details.exe.41d58e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Quotation Details.exe.416bca0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.622362871.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.565244380.000000000416B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.623117634.0000000003A9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.615605121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.621560780.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation Details.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Quotation Details.exe PID: 5644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 2220, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	111 Process Injection	2 Masquerading	21 Input Capture	11 Security Software Discovery	Remote Services	21 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	21 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Files and Directories	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Quotation Details.exe	42%	ReversingLabs	Win32.Trojan.Pwsx
Quotation Details.exe	55%	Virustotal		Browse
Quotation Details.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	42%	ReversingLabs	Win32.Trojan.Pwsx

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ucnano180523.ddns.net	10%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cnIT	0%	Avira URL Cloud	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnIT	1%	Virustotal		Browse
http://www.founder.com.cn/cns	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/ZvM	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/6va	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnd	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/P	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/x	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0/	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.fontbureau.comt	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/iv	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/Ev4	0%	Avira URL Cloud	safe
http://www.fontbureau.comionawv&	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/)v	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/6va	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htmI	0%	Avira URL Cloud	safe
ucnano180523.ddns.net	0%	Avira URL Cloud	safe
http://www.carterandcone.comcy	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/wv&	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Ev4	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ucnano180523.ddns.net	45.12.253.242	true	true	10%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
ucnano180523.ddns.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cnIT	Quotation Details.exe, 00000001.00000003.545506291.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/ZvM	Quotation Details.exe, 00000001.00000003.548388819.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548217840.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548453978.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548068960.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/6va	Quotation Details.exe, 00000001.00000003.547570175.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.547404517.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	Quotation Details.exe, 00000001.00000003.545081296.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.543997545.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544102018.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544324148.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.543851711.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544923288.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544135306.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544576997.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.545124936.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544981372.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544453838.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544885298.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544065041.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544853168.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544647907.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544265316.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.543937043.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544537246.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.543970292.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.544010760.0000000005EEB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/)v	Quotation Details.exe, 00000001.00000003.548388819.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548217840.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548453978.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548068960.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cns	Quotation Details.exe, 00000001.00000003.545546949.0000000005F0D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0	Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htmI	Quotation Details.exe, 00000001.00000003.553838850.0000000005EDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/Ev4	Quotation Details.exe, 00000001.00000003.548388819.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548453978.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548959861.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.549053710.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.549004017.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.549031471.0000000005F16000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnd	Quotation Details.exe, 00000001.00000003.545506291.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.comcy	Quotation Details.exe, 00000001.00000003.548377237.0000000005EDC000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548541678.0000000005EDC000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548420477.0000000005EDE000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548217840.0000000005EDE000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.547570175.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.547404517.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548068960.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548329912.0000000005EDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.562763120.0000000005ED0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/	Quotation Details.exe, 00000001.00000003.554105421.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/P	Quotation Details.exe, 00000001.00000003.548388819.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548217840.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548453978.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.547570175.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.547404517.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548068960.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comionawv&	Quotation Details.exe, 00000001.00000003.562763120.0000000005ED0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.jiyu-kobo.co.jp/jp/6va	Quotation Details.exe, 00000001.00000003.548388819.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548217840.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548453978.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548068960.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	Quotation Details.exe, 00000001.00000003.548388819.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548217840.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548453978.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548068960.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/wv&	Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	Quotation Details.exe, 00000001.00000003.545601428.0000000005F0D000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.545546949.0000000005F0D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/x	Quotation Details.exe, 00000001.00000003.548388819.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548217840.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548453978.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.547570175.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.547404517.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548068960.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/Y0/	Quotation Details.exe, 00000001.00000003.548388819.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548453978.0000000005ED2000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.monotype.	Quotation Details.exe, 00000001.00000003.554999096.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.554980127.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.555039584.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.555016211.0000000005F16000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designP	Quotation Details.exe, 00000001.00000003.550525064.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550699168.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550558059.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550467557.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550499127.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550644679.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550597180.0000000005F17000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.comt	Quotation Details.exe, 00000001.00000003.562763120.0000000005ED0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/iv	Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	Quotation Details.exe, 00000001.00000003.548554025.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Quotation Details.exe, 00000001.00000002.568320134.0000000007032000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/	Quotation Details.exe, 00000001.00000003.550212944.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550286641.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550396489.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550324044.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550429788.0000000005F17000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550245065.0000000005F16000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.550355346.0000000005F17000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/Ev4	Quotation Details.exe, 00000001.00000003.548217840.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, Quotation Details.exe, 00000001.00000003.548068960.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.12.253.242	ucnano180523.ddns.net	Germany		33657	CMCSUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	878709
Start date and time:	2023-05-31 03:55:15 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Quotation Details.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@22/11@33/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 97% Number of executed functions: 95 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): audiodg.exe, WMIADAP.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:56:17	API Interceptor	1954x Sleep call for process: Quotation Details.exe modified
03:56:23	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\Quotation Details.exe" s>$(Arg0)
03:56:24	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
03:56:25	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
03:56:30	API Interceptor	2x Sleep call for process: dhcpmon.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.12.253.242	RFQ_GIFT_(Tender_Closed_Date._25_05_2023.exe	Get hash	malicious	Nanocore	Browse
45.12.253.242	RFQ_GIFT_(Tender_Closed_Date._25_05_2023.exe	Get hash	malicious	Nanocore	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ucnano180523.ddns.net	RFQ_GIFT_(Tender_Closed_Date._25_05_2023.exe	Get hash	malicious	Nanocore	Browse	45.12.253.242
ucnano180523.ddns.net	RFQ_GIFT_(Tender_Closed_Date._25_05_2023.exe	Get hash	malicious	Nanocore	Browse	45.12.253.242

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CMCSUS	m2uFAHJ8jm.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	F61T6QigJc.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	https://0831ww367.top/r2.php#M=suckit@suckit.com	Get hash	malicious	HTMLPhisher	Browse	95.214.24.140
	Shipping_Document_&_BL_Draft_copy.xls	Get hash	malicious	Lokibot	Browse	171.22.30.164
	AB7JQ1vKDq.exe	Get hash	malicious	MinerDownloader, Nymaim, RedLine, Vidar, Xmrig	Browse	45.12.253.56
	Modis_list.xls	Get hash	malicious	Remcos	Browse	45.66.230.127
	9s3YK7qgWI.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	7b35hyn484.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	https://sign-on-lmo.agile-workbench.com/?username=t.haus@asdk.com	Get hash	malicious	HTMLPhisher	Browse	95.214.24.140
	xPP4QxLkmgBB.exe	Get hash	malicious	Clipboard Hijacker, Quasar	Browse	95.214.27.180
	4An07Q7I8G.exe	Get hash	malicious	Nanocore	Browse	141.98.6.167
	https://www.bing.com/ck/a?!&&p=79845ec745a4255fJmltdHM9MTY4NTE0NTYwMCZpZ3VpZD0yNDYzOTBhOS1kZDMyLTY1Y2ItMDM5ZC04M2I3ZGM1MDY0NzImaW5zaWQ9NTIwOQ&ptn=3&hsh=3&fclid=246390a9-dd32-65cb-039d-83b7dc506472&u=a1aHR0cHM6Ly9mdXJuaXphLmNvbS9wcm9kdWN0L2VsbGVuLXVwaG9sc3RlcmVkLXNjb29wZWQtYXJtLXNvZmEtd2l0aC1zcXVhcmUtdHVmdGluZy1icm9va3NpZGUtaG9tZS8#M=abuse@fbi.gov	Get hash	malicious	HTMLPhisher	Browse	95.214.24.140
	RPxMx1uuBh.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	K0zAFb4x67.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	py75hHwvGP.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	0P1uXL1t2D.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	APLlhTxRDG.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	1Q0c6cE9If.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	Dx3iLWPHgo.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56
	03UpBUxBjY.exe	Get hash	malicious	Nymaim	Browse	45.12.253.56

Process:	C:\Users\user\Desktop\Quotation Details.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	782336
Entropy (8bit):	7.67780755150778
Encrypted:	false
SSDEEP:	12288:MRP2B0xTGlxNqvNu2hZ+nUEsn9lu8fFUjXHvMeP/ppubvhRwL7kBfZkOcZRGUdyH:IPLaVUH9993FUFHib7wLKbcZRisY
MD5:	5EC7A9D9A56FA3EB2D6F63A555969A37
SHA1:	77719C19C79E9A1FF120981A78BF8DDA6BE321C5
SHA-256:	DEE80FF02E834FAC0E59395BB2AD3A39698208DBF02EED0E7697F6D2A9D604DB
SHA-512:	8ACF485DD2B8B66B28133DDC68233D0AE9DF71978F3A690F0C754BEBB003E2BEE87E60E7D7EE9A124AB481E1B2F6191E9D282E8A51BCCCFB6FCBED2225859C63
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Hud..............0......P.......... ........@.. ....................... ............@.....................................O.......<:..........................`...T............................................ ............... ..H............text........ ...................... ..`.rsrc...<:.......@..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Quotation Details.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation Details.exe.log

Download File

Process:	C:\Users\user\Desktop\Quotation Details.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmpE4FD.tmp

Download File

Process:	C:\Users\user\Desktop\Quotation Details.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1307
Entropy (8bit):	5.090550108749449
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Ys63xtn:cbk4oL600QydbQxIYODOLedq34Ej
MD5:	91DCDC886A0EFF0DA2FA8ECF8DEB1E97
SHA1:	8B07D57AFACF67072F811CA197957C4239969306
SHA-256:	7FD14E9B979ACAF5A9276B80C021AEB4F54C136F5A12EED6250E590236311F19
SHA-512:	F18B66EA75FC4C2FCFD0F6BDBA9E3F661A492D7FC699F3803F34AF123C2A60209403BE05578B93AB48428584635FBFE6FDC126A6C4CEDAEB2C158769DA13A673
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpE6C3.tmp

Download File

Process:	C:\Users\user\Desktop\Quotation Details.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Download File

Process:	C:\Users\user\Desktop\Quotation Details.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
MD5:	9E7D0351E4DF94A9B0BADCEB6A9DB963
SHA1:	76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
SHA-256:	AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
SHA-512:	93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\Quotation Details.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:Ton:0n
MD5:	FFC60B4CCB85F50FF3C0055520E2FF90
SHA1:	49D2630B3926D64D3435FFB4B689846A4299C98C
SHA-256:	98150A036795F6449CD03BEFF707CEAAA2DCEDE425990B417766A67301D97CE1
SHA-512:	0D6E6AB79B1A8854A7EAF3ADF316BFEAC1C36594733F515AF5ACA7E124B1908AC425C9B2C5839B60DCCD2ADFB331DA694FF05CA6992195B3D860F4ED62FE1568
Malicious:	true
Preview:	..;za.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

Download File

Process:	C:\Users\user\Desktop\Quotation Details.exe
File Type:	data
Category:	modified
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Download File

Process:	C:\Users\user\Desktop\Quotation Details.exe
File Type:	data
Category:	dropped
Size (bytes):	327768
Entropy (8bit):	7.999367066417797
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
MD5:	2E52F446105FBF828E63CF808B721F9C
SHA1:	5330E54F238F46DC04C1AC62B051DB4FCD7416FB
SHA-256:	2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
SHA-512:	C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
Malicious:	false
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat

Download File

Process:	C:\Users\user\Desktop\Quotation Details.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.115808539574485
Encrypted:	false
SSDEEP:	3:oNt+WfW0fyMQh94A:oNwv0fyz+A
MD5:	D2671C11D14B859D0436289526D51188
SHA1:	CCA894322508B19C74F73BB3AE96E62B83C2E314
SHA-256:	6162C7AEC17B46C5910F4417F9E2A3B3FD8FFDCE187CFBEE1037A5134612E000
SHA-512:	7B77B4940F37E9584C3013F1FC3405D85A9720555EA52D3C9924867EA50331BAF96AADA1D4A5261E7DDF3594BC0532253BA3C381BD710C908E84A6571EE12235
Malicious:	false
Preview:	C:\Users\user\Desktop\Quotation Details.exe

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.67780755150778
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Quotation Details.exe
File size:	782336
MD5:	5ec7a9d9a56fa3eb2d6f63a555969a37
SHA1:	77719c19c79e9a1ff120981a78bf8dda6be321c5
SHA256:	dee80ff02e834fac0e59395bb2ad3a39698208dbf02eed0e7697f6d2a9d604db
SHA512:	8acf485dd2b8b66b28133ddc68233d0ae9df71978f3a690f0c754bebb003e2bee87e60e7d7ee9a124ab481e1b2f6191e9d282e8a51bcccfb6fcbed2225859c63
SSDEEP:	12288:MRP2B0xTGlxNqvNu2hZ+nUEsn9lu8fFUjXHvMeP/ppubvhRwL7kBfZkOcZRGUdyH:IPLaVUH9993FUFHib7wLKbcZRisY
TLSH:	3CF42254665B846FC2C72FF40C8463B1A2EC83CABD7AEB271C12B4E4DA47F4A144579A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Hud..............0......P........... ........@.. ....................... ............@................................

File Icon


Icon Hash:	94969edbd9f8d9c6

Static PE Info

General

Entrypoint:	0x4babea
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x647548EE [Tue May 30 00:53:02 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbab96	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbc000	0x3a3c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb9b60	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb8bf0	0xb9000	False	0.9320497255067568	data	7.7081753259071135	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbc000	0x3a3c	0x4000	False	0.8494873046875	data	7.3967994906792525	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc0000	0xc	0x1000	False	0.0087890625	data	0.016408464515625623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xbc0c8	0x36fd	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0xbf7d8	0x14	data
RT_VERSION	0xbf7fc	0x23c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.445.12.253.2424972658992816766 05/31/23-04:00:07.009857	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49726	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424971658992816766 05/31/23-03:59:01.488743	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49716	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424969258992816766 05/31/23-03:56:30.836452	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49692	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424972158992025019 05/31/23-03:59:34.295435	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49721	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424970058992816766 05/31/23-03:57:08.650888	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49700	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424970658992816766 05/31/23-03:57:49.951823	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49706	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424971158992025019 05/31/23-03:58:24.970043	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49711	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424970158992025019 05/31/23-03:57:13.870857	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49701	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424971058992816766 05/31/23-03:58:19.657024	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49710	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424972758992025019 05/31/23-04:00:12.125417	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49727	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424971458992025019 05/31/23-03:58:45.735743	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49714	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424971758992025019 05/31/23-03:59:08.572866	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49717	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424969858992816766 05/31/23-03:56:54.146303	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49698	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424970958992816718 05/31/23-03:58:12.396923	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49709	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424972458992025019 05/31/23-03:59:52.535511	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49724	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424972358992816766 05/31/23-03:59:47.414495	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49723	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424971358992816766 05/31/23-03:58:40.308766	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49713	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424970358992816766 05/31/23-03:57:29.347255	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49703	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424969958992816718 05/31/23-03:57:00.431618	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49699	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424970158992816766 05/31/23-03:57:14.834913	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49701	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424970858992816766 05/31/23-03:58:04.738849	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49708	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424971158992816766 05/31/23-03:58:26.204064	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49711	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424972658992025019 05/31/23-04:00:05.187162	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49726	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424971858992816766 05/31/23-03:59:17.099573	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49718	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424972158992816766 05/31/23-03:59:35.241904	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49721	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424971658992025019 05/31/23-03:58:59.883660	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49716	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424969258992025019 05/31/23-03:56:25.759325	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49692	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424970758992025019 05/31/23-03:57:55.475825	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49707	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424972058992816766 05/31/23-03:59:29.175573	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49720	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424970258992816766 05/31/23-03:57:22.488525	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49702	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424971958992816766 05/31/23-03:59:23.103459	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49719	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424969358992025019 05/31/23-03:56:36.589109	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49693	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424970658992025019 05/31/23-03:57:48.142985	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49706	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424972558992025019 05/31/23-03:59:58.620724	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49725	5899	192.168.2.4	45.12.253.242
45.12.253.242192.168.2.45899496922841753 05/31/23-03:56:30.589443	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	5899	49692	45.12.253.242	192.168.2.4
192.168.2.445.12.253.2424970958992816766 05/31/23-03:58:12.396923	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49709	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424970858992025019 05/31/23-03:58:03.568164	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49708	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424969458992025019 05/31/23-03:56:47.050579	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49694	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424971858992025019 05/31/23-03:59:15.425860	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49718	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424969958992816766 05/31/23-03:57:01.461077	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49699	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424971558992025019 05/31/23-03:58:52.346146	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49715	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424970558992025019 05/31/23-03:57:40.488645	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49705	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424971258992816766 05/31/23-03:58:34.052236	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49712	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424970758992816766 05/31/23-03:57:57.856787	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49707	5899	192.168.2.4	45.12.253.242
45.12.253.242192.168.2.45899497132810290 05/31/23-03:58:40.151665	TCP	2810290	ETPRO TROJAN NanoCore RAT Keepalive Response 1	5899	49713	45.12.253.242	192.168.2.4
192.168.2.445.12.253.2424971758992816766 05/31/23-03:59:10.025241	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49717	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424972058992025019 05/31/23-03:59:28.244511	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49720	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424972258992816766 05/31/23-03:59:41.289827	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49722	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424972758992816766 05/31/23-04:00:13.057662	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49727	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424969458992816766 05/31/23-03:56:48.090304	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49694	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424970058992025019 05/31/23-03:57:07.149878	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49700	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424971058992025019 05/31/23-03:58:18.373829	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49710	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424971858992816718 05/31/23-03:59:16.099293	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49718	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424970358992025019 05/31/23-03:57:27.579932	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49703	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424971358992025019 05/31/23-03:58:39.081495	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49713	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424969958992025019 05/31/23-03:56:59.566501	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49699	5899	192.168.2.4	45.12.253.242
45.12.253.242192.168.2.45899496942810290 05/31/23-03:56:47.496805	TCP	2810290	ETPRO TROJAN NanoCore RAT Keepalive Response 1	5899	49694	45.12.253.242	192.168.2.4
192.168.2.445.12.253.2424972358992025019 05/31/23-03:59:46.392270	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49723	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424972458992816766 05/31/23-03:59:53.493126	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49724	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424970458992816766 05/31/23-03:57:35.533816	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49704	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424969858992025019 05/31/23-03:56:53.190117	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49698	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424970958992025019 05/31/23-03:58:11.627033	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49709	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424971258992025019 05/31/23-03:58:31.969396	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49712	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424971958992025019 05/31/23-03:59:22.203113	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49719	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424972258992025019 05/31/23-03:59:40.358095	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49722	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424972558992816766 05/31/23-03:59:59.543859	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49725	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424969358992816766 05/31/23-03:56:38.356653	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49693	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424971558992816766 05/31/23-03:58:53.787555	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49715	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424970258992025019 05/31/23-03:57:20.083306	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49702	5899	192.168.2.4	45.12.253.242
192.168.2.445.12.253.2424970558992816766 05/31/23-03:57:41.435019	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49705	5899	192.168.2.4	45.12.253.242

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 31, 2023 03:56:25.531831980 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:25.560472965 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:25.560745001 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:25.759325027 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:25.838757038 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:25.838912964 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:25.883755922 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.011210918 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.223103046 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.250231028 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.276443958 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.354517937 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.444910049 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.444981098 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.445035934 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.445092916 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.445142031 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.445199966 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.471662998 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.471735001 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.471791983 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.471833944 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.471863985 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.471924067 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.471946955 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.471978903 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.472033024 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.472038031 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.472088099 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.472143888 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.498102903 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.498168945 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.498224974 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.498289108 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.498296022 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.498356104 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.498361111 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.498413086 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.498467922 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.498492002 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.498522997 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.498579025 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.498588085 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.498631954 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.498687029 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.498688936 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.498744965 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.498797894 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.498801947 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.498857021 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.498912096 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.498912096 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.498980999 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.499037027 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.525347948 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.525438070 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.525497913 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.525554895 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.525554895 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.525614023 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.525646925 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.525671959 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.525728941 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.525734901 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.525787115 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.525837898 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.525841951 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.525897980 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.525949955 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.525954962 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.526015043 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.526072025 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.526073933 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.526128054 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.526184082 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.526185989 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.526246071 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.526299000 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.526303053 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.526360035 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.526411057 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.526416063 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.526472092 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.526527882 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.526530027 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.526585102 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.526635885 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.526640892 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.526698112 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.526753902 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.526772022 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.526812077 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.526870012 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.526880980 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.526937962 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.526988029 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.526992083 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.527046919 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.527095079 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.527101040 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.527158022 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.527210951 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.554213047 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.554284096 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.554342031 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.554398060 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.554447889 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.554455996 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.554512024 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.554569006 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.554641008 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.554719925 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.554791927 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.554848909 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.554904938 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.554960966 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.555013895 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.555017948 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.555074930 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.555084944 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.555130959 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.555187941 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.555243969 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.555300951 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.555356979 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.555382967 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.555413961 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.555428028 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.555470943 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.555526018 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.555531979 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.555582047 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.555639029 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.555694103 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.555748940 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.555752039 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.555804968 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.555859089 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.555917025 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.555977106 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.556035995 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.556039095 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.556092978 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.556150913 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.556150913 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.556205988 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.556210041 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.556287050 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.556344986 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.556401968 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.556458950 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.556490898 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.556518078 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.556586027 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.556647062 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.556701899 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.556708097 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.556759119 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.556814909 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.556870937 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.556926966 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.556962013 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.556983948 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.557041883 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.557100058 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.557195902 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.583631992 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.583725929 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.583808899 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.583811045 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.583893061 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.583960056 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.583976030 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.584036112 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.584090948 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.584099054 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.584147930 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.584204912 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.584208012 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.584284067 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.584292889 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.584342003 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.584399939 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.584408045 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.584456921 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.584510088 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.584511995 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.584570885 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.584620953 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.584625959 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.584682941 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.584733009 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.584738970 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.584795952 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.584849119 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.584851980 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.584909916 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.584978104 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.584978104 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.585032940 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.585088968 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.585089922 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.585146904 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.585211039 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.585215092 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.585268974 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.585325956 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.585326910 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.585381985 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.585439920 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.585457087 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.585498095 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.585551977 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.585551977 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.585608006 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.585659981 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.585661888 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.585717916 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.585769892 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.585773945 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.585829020 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.585879087 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.585882902 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.585938931 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.585997105 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.586004972 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.586055040 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.586111069 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.586114883 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.586173058 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.586227894 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.612412930 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.612524033 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.612611055 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.612651110 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.612694979 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.612751007 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.612776041 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.612858057 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.612909079 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.612936974 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.613019943 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.613071918 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.613096952 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.613172054 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.613217115 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.613229036 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.613290071 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.613336086 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.613346100 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.613403082 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.613447905 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.613461018 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.613518953 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.613563061 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.613574028 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.613631964 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.613679886 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.613689899 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.613746881 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.613795042 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.613805056 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.613862038 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.613905907 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.613919020 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.613976955 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.614021063 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.614033937 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.614092112 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.614139080 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.614149094 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.614211082 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.614278078 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.614294052 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.614334106 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.614387035 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.614388943 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.614447117 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.614495993 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.614504099 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.614561081 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.614610910 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.614619970 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.614676952 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.614725113 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.614732027 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.614789009 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.614835024 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.614845037 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.614902020 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.614950895 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.614958048 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.615015030 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.615065098 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.615071058 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.615128994 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.615175962 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.615184069 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.615242958 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.615288973 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.615299940 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.615358114 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.615403891 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.615413904 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.615470886 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.615518093 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.615526915 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.615583897 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.615628958 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.615639925 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.615696907 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.615746021 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.615753889 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.615811110 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.615861893 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.615868092 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.615925074 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.615977049 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.615986109 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.616044044 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.616096973 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.616099119 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.616154909 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.616202116 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.616225004 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.616307974 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.616362095 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.616364956 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.616422892 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.616476059 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.616478920 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.616535902 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.616583109 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.616592884 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.616648912 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.616702080 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.616705894 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.616763115 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.616811991 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.616818905 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.616875887 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.616924047 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.616931915 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.616988897 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.617036104 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.617046118 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.617104053 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.617151976 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.643435001 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.643549919 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.643614054 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.643616915 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.643702030 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.643760920 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.643784046 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.643867016 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.643925905 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.643930912 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.643982887 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.644036055 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.644041061 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.644098043 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.644148111 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.644155979 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.644215107 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.644273996 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.644298077 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.644357920 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.644413948 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.644416094 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.644470930 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.644519091 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.644526958 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.644583941 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.644629002 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.644638062 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.644694090 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.644737005 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.644750118 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.644805908 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.644849062 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.644862890 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.644917965 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.644973993 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.644975901 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.645028114 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.645076036 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.645085096 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.645142078 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.645194054 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.645198107 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.645256996 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.645306110 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.645313025 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.645369053 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.645414114 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.645445108 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.645459890 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.645493984 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.645498991 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.645530939 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.645561934 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.645581007 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.645595074 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.645627022 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.645672083 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.645679951 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.645704031 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.645747900 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.645761967 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.645793915 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.645795107 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.645836115 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.645874023 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.645889997 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.645932913 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.645972013 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.646023989 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:26.646056890 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:26.648370028 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:28.071033955 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:28.151479959 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:28.853535891 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:28.932666063 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:29.867607117 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:29.948309898 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:30.589442968 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:30.662228107 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:30.745198965 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:30.836452007 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:30.840924025 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:30.862705946 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:30.862807035 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:30.888968945 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:31.006711006 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:31.067756891 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:31.151283979 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:31.151559114 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:31.178345919 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:31.397391081 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:31.423722982 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:31.433809996 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:31.510770082 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:31.511894941 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:31.604489088 CEST	5899	49692	45.12.253.242	192.168.2.4
May 31, 2023 03:56:32.344244003 CEST	49692	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:36.561944008 CEST	49693	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:36.588614941 CEST	5899	49693	45.12.253.242	192.168.2.4
May 31, 2023 03:56:36.588735104 CEST	49693	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:36.589108944 CEST	49693	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:36.667023897 CEST	5899	49693	45.12.253.242	192.168.2.4
May 31, 2023 03:56:37.040910006 CEST	5899	49693	45.12.253.242	192.168.2.4
May 31, 2023 03:56:37.041166067 CEST	49693	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:37.068533897 CEST	5899	49693	45.12.253.242	192.168.2.4
May 31, 2023 03:56:37.075834036 CEST	49693	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:37.167084932 CEST	5899	49693	45.12.253.242	192.168.2.4
May 31, 2023 03:56:37.183995008 CEST	49693	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:37.260809898 CEST	5899	49693	45.12.253.242	192.168.2.4
May 31, 2023 03:56:37.262775898 CEST	5899	49693	45.12.253.242	192.168.2.4
May 31, 2023 03:56:37.263545990 CEST	49693	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:37.289771080 CEST	5899	49693	45.12.253.242	192.168.2.4
May 31, 2023 03:56:37.290704012 CEST	49693	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:37.317464113 CEST	5899	49693	45.12.253.242	192.168.2.4
May 31, 2023 03:56:37.318259001 CEST	49693	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:37.344916105 CEST	5899	49693	45.12.253.242	192.168.2.4
May 31, 2023 03:56:37.433799028 CEST	49693	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:37.730376959 CEST	5899	49693	45.12.253.242	192.168.2.4
May 31, 2023 03:56:37.778227091 CEST	49693	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:38.356652975 CEST	49693	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:38.432584047 CEST	5899	49693	45.12.253.242	192.168.2.4
May 31, 2023 03:56:39.407241106 CEST	49693	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:47.023410082 CEST	49694	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:47.049972057 CEST	5899	49694	45.12.253.242	192.168.2.4
May 31, 2023 03:56:47.050098896 CEST	49694	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:47.050579071 CEST	49694	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:47.135759115 CEST	5899	49694	45.12.253.242	192.168.2.4
May 31, 2023 03:56:47.277990103 CEST	5899	49694	45.12.253.242	192.168.2.4
May 31, 2023 03:56:47.278232098 CEST	49694	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:47.305984974 CEST	5899	49694	45.12.253.242	192.168.2.4
May 31, 2023 03:56:47.310528040 CEST	49694	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:47.401324034 CEST	5899	49694	45.12.253.242	192.168.2.4
May 31, 2023 03:56:47.496804953 CEST	5899	49694	45.12.253.242	192.168.2.4
May 31, 2023 03:56:47.498653889 CEST	49694	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:47.525479078 CEST	5899	49694	45.12.253.242	192.168.2.4
May 31, 2023 03:56:47.526926994 CEST	49694	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:47.554074049 CEST	5899	49694	45.12.253.242	192.168.2.4
May 31, 2023 03:56:47.554184914 CEST	49694	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:47.581015110 CEST	5899	49694	45.12.253.242	192.168.2.4
May 31, 2023 03:56:47.681495905 CEST	49694	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:48.090303898 CEST	49694	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:48.181700945 CEST	5899	49694	45.12.253.242	192.168.2.4
May 31, 2023 03:56:49.095277071 CEST	49694	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:53.160795927 CEST	49698	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:53.188422918 CEST	5899	49698	45.12.253.242	192.168.2.4
May 31, 2023 03:56:53.189727068 CEST	49698	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:53.190116882 CEST	49698	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:53.275661945 CEST	5899	49698	45.12.253.242	192.168.2.4
May 31, 2023 03:56:53.747499943 CEST	5899	49698	45.12.253.242	192.168.2.4
May 31, 2023 03:56:53.748469114 CEST	49698	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:53.776503086 CEST	5899	49698	45.12.253.242	192.168.2.4
May 31, 2023 03:56:53.785178900 CEST	49698	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:53.869437933 CEST	5899	49698	45.12.253.242	192.168.2.4
May 31, 2023 03:56:53.949773073 CEST	5899	49698	45.12.253.242	192.168.2.4
May 31, 2023 03:56:53.953294039 CEST	49698	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:53.979695082 CEST	5899	49698	45.12.253.242	192.168.2.4
May 31, 2023 03:56:53.980499983 CEST	49698	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:54.007303953 CEST	5899	49698	45.12.253.242	192.168.2.4
May 31, 2023 03:56:54.008444071 CEST	49698	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:54.035248995 CEST	5899	49698	45.12.253.242	192.168.2.4
May 31, 2023 03:56:54.086941957 CEST	49698	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:54.146302938 CEST	49698	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:54.228735924 CEST	5899	49698	45.12.253.242	192.168.2.4
May 31, 2023 03:56:55.314747095 CEST	49698	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:59.538966894 CEST	49699	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:59.565203905 CEST	5899	49699	45.12.253.242	192.168.2.4
May 31, 2023 03:56:59.565501928 CEST	49699	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:59.566500902 CEST	49699	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:59.650640965 CEST	5899	49699	45.12.253.242	192.168.2.4
May 31, 2023 03:56:59.805403948 CEST	5899	49699	45.12.253.242	192.168.2.4
May 31, 2023 03:56:59.852930069 CEST	49699	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:59.867183924 CEST	49699	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:59.894709110 CEST	5899	49699	45.12.253.242	192.168.2.4
May 31, 2023 03:56:59.946836948 CEST	49699	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:56:59.965082884 CEST	49699	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:00.064893007 CEST	5899	49699	45.12.253.242	192.168.2.4
May 31, 2023 03:57:00.137186050 CEST	5899	49699	45.12.253.242	192.168.2.4
May 31, 2023 03:57:00.169647932 CEST	49699	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:00.196732998 CEST	5899	49699	45.12.253.242	192.168.2.4
May 31, 2023 03:57:00.197741985 CEST	49699	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:00.228518009 CEST	5899	49699	45.12.253.242	192.168.2.4
May 31, 2023 03:57:00.228681087 CEST	49699	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:00.255865097 CEST	5899	49699	45.12.253.242	192.168.2.4
May 31, 2023 03:57:00.306123972 CEST	49699	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:00.431617975 CEST	49699	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:00.510086060 CEST	5899	49699	45.12.253.242	192.168.2.4
May 31, 2023 03:57:01.461076975 CEST	49699	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:01.541312933 CEST	5899	49699	45.12.253.242	192.168.2.4
May 31, 2023 03:57:02.073776007 CEST	5899	49699	45.12.253.242	192.168.2.4
May 31, 2023 03:57:02.118743896 CEST	49699	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:02.631942034 CEST	49699	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:07.025301933 CEST	49700	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:07.051928043 CEST	5899	49700	45.12.253.242	192.168.2.4
May 31, 2023 03:57:07.052066088 CEST	49700	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:07.149878025 CEST	49700	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:07.228761911 CEST	5899	49700	45.12.253.242	192.168.2.4
May 31, 2023 03:57:07.451963902 CEST	5899	49700	45.12.253.242	192.168.2.4
May 31, 2023 03:57:07.452210903 CEST	49700	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:07.481190920 CEST	5899	49700	45.12.253.242	192.168.2.4
May 31, 2023 03:57:07.525439024 CEST	49700	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:07.567550898 CEST	49700	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:07.650465965 CEST	5899	49700	45.12.253.242	192.168.2.4
May 31, 2023 03:57:07.680233002 CEST	49700	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:07.759943962 CEST	5899	49700	45.12.253.242	192.168.2.4
May 31, 2023 03:57:07.762763023 CEST	5899	49700	45.12.253.242	192.168.2.4
May 31, 2023 03:57:07.764799118 CEST	49700	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:07.791580915 CEST	5899	49700	45.12.253.242	192.168.2.4
May 31, 2023 03:57:07.837996006 CEST	49700	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:07.864738941 CEST	5899	49700	45.12.253.242	192.168.2.4
May 31, 2023 03:57:07.866297960 CEST	49700	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:07.895016909 CEST	5899	49700	45.12.253.242	192.168.2.4
May 31, 2023 03:57:07.895188093 CEST	49700	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:07.922079086 CEST	5899	49700	45.12.253.242	192.168.2.4
May 31, 2023 03:57:07.963010073 CEST	49700	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:08.650887966 CEST	49700	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:08.728813887 CEST	5899	49700	45.12.253.242	192.168.2.4
May 31, 2023 03:57:09.652345896 CEST	49700	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:13.841788054 CEST	49701	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:13.868469000 CEST	5899	49701	45.12.253.242	192.168.2.4
May 31, 2023 03:57:13.870449066 CEST	49701	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:13.870857000 CEST	49701	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:13.967449903 CEST	5899	49701	45.12.253.242	192.168.2.4
May 31, 2023 03:57:14.167241096 CEST	5899	49701	45.12.253.242	192.168.2.4
May 31, 2023 03:57:14.167619944 CEST	49701	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:14.196538925 CEST	5899	49701	45.12.253.242	192.168.2.4
May 31, 2023 03:57:14.202368975 CEST	49701	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:14.291688919 CEST	5899	49701	45.12.253.242	192.168.2.4
May 31, 2023 03:57:14.403049946 CEST	5899	49701	45.12.253.242	192.168.2.4
May 31, 2023 03:57:14.404117107 CEST	49701	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:14.430331945 CEST	5899	49701	45.12.253.242	192.168.2.4
May 31, 2023 03:57:14.431694984 CEST	49701	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:14.458707094 CEST	5899	49701	45.12.253.242	192.168.2.4
May 31, 2023 03:57:14.462115049 CEST	49701	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:14.489161015 CEST	5899	49701	45.12.253.242	192.168.2.4
May 31, 2023 03:57:14.542438030 CEST	49701	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:14.834913015 CEST	49701	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:14.916462898 CEST	5899	49701	45.12.253.242	192.168.2.4
May 31, 2023 03:57:15.893723011 CEST	49701	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:20.055826902 CEST	49702	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:20.082123041 CEST	5899	49702	45.12.253.242	192.168.2.4
May 31, 2023 03:57:20.082353115 CEST	49702	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:20.083306074 CEST	49702	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:20.166624069 CEST	5899	49702	45.12.253.242	192.168.2.4
May 31, 2023 03:57:20.167623043 CEST	49702	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:20.244642973 CEST	5899	49702	45.12.253.242	192.168.2.4
May 31, 2023 03:57:20.289603949 CEST	5899	49702	45.12.253.242	192.168.2.4
May 31, 2023 03:57:20.339073896 CEST	49702	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:20.355660915 CEST	49702	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:20.383469105 CEST	5899	49702	45.12.253.242	192.168.2.4
May 31, 2023 03:57:20.432867050 CEST	49702	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:21.071719885 CEST	49702	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:21.151002884 CEST	5899	49702	45.12.253.242	192.168.2.4
May 31, 2023 03:57:21.247040987 CEST	5899	49702	45.12.253.242	192.168.2.4
May 31, 2023 03:57:21.257110119 CEST	49702	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:21.283426046 CEST	5899	49702	45.12.253.242	192.168.2.4
May 31, 2023 03:57:21.339562893 CEST	49702	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:22.124360085 CEST	49702	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:22.197943926 CEST	5899	49702	45.12.253.242	192.168.2.4
May 31, 2023 03:57:22.198267937 CEST	49702	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:22.225083113 CEST	5899	49702	45.12.253.242	192.168.2.4
May 31, 2023 03:57:22.276725054 CEST	49702	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:22.302838087 CEST	5899	49702	45.12.253.242	192.168.2.4
May 31, 2023 03:57:22.355839968 CEST	49702	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:22.488524914 CEST	49702	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:22.572745085 CEST	5899	49702	45.12.253.242	192.168.2.4
May 31, 2023 03:57:23.503010035 CEST	49702	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:27.552160025 CEST	49703	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:27.579190016 CEST	5899	49703	45.12.253.242	192.168.2.4
May 31, 2023 03:57:27.579418898 CEST	49703	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:27.579931974 CEST	49703	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:27.651091099 CEST	5899	49703	45.12.253.242	192.168.2.4
May 31, 2023 03:57:27.652914047 CEST	49703	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:27.729149103 CEST	5899	49703	45.12.253.242	192.168.2.4
May 31, 2023 03:57:27.798115015 CEST	5899	49703	45.12.253.242	192.168.2.4
May 31, 2023 03:57:27.839833975 CEST	49703	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:27.857814074 CEST	49703	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:27.887229919 CEST	5899	49703	45.12.253.242	192.168.2.4
May 31, 2023 03:57:27.938901901 CEST	49703	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:28.007929087 CEST	49703	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:28.088629961 CEST	5899	49703	45.12.253.242	192.168.2.4
May 31, 2023 03:57:28.184854031 CEST	5899	49703	45.12.253.242	192.168.2.4
May 31, 2023 03:57:28.230340004 CEST	49703	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:28.256762981 CEST	5899	49703	45.12.253.242	192.168.2.4
May 31, 2023 03:57:28.308479071 CEST	49703	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:28.311858892 CEST	49703	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:28.401022911 CEST	5899	49703	45.12.253.242	192.168.2.4
May 31, 2023 03:57:28.682396889 CEST	49703	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:28.721728086 CEST	5899	49703	45.12.253.242	192.168.2.4
May 31, 2023 03:57:28.756004095 CEST	49703	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:28.782624960 CEST	5899	49703	45.12.253.242	192.168.2.4
May 31, 2023 03:57:28.824110031 CEST	49703	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:29.088242054 CEST	5899	49703	45.12.253.242	192.168.2.4
May 31, 2023 03:57:29.090851068 CEST	49703	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:29.347254992 CEST	49703	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:29.432116032 CEST	5899	49703	45.12.253.242	192.168.2.4
May 31, 2023 03:57:29.433732033 CEST	49703	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:29.510293007 CEST	5899	49703	45.12.253.242	192.168.2.4
May 31, 2023 03:57:30.294336081 CEST	49703	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:35.216082096 CEST	49704	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:35.244519949 CEST	5899	49704	45.12.253.242	192.168.2.4
May 31, 2023 03:57:35.244755983 CEST	49704	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:35.533816099 CEST	49704	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:35.561510086 CEST	5899	49704	45.12.253.242	192.168.2.4
May 31, 2023 03:57:40.461869001 CEST	49705	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:40.488130093 CEST	5899	49705	45.12.253.242	192.168.2.4
May 31, 2023 03:57:40.488246918 CEST	49705	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:40.488645077 CEST	49705	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:40.557713985 CEST	5899	49705	45.12.253.242	192.168.2.4
May 31, 2023 03:57:40.778357983 CEST	5899	49705	45.12.253.242	192.168.2.4
May 31, 2023 03:57:40.836045980 CEST	49705	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:40.863471985 CEST	5899	49705	45.12.253.242	192.168.2.4
May 31, 2023 03:57:41.028400898 CEST	49705	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:41.053992033 CEST	49705	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:41.135437965 CEST	5899	49705	45.12.253.242	192.168.2.4
May 31, 2023 03:57:41.214898109 CEST	5899	49705	45.12.253.242	192.168.2.4
May 31, 2023 03:57:41.215671062 CEST	49705	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:41.241951942 CEST	5899	49705	45.12.253.242	192.168.2.4
May 31, 2023 03:57:41.242700100 CEST	49705	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:41.269660950 CEST	5899	49705	45.12.253.242	192.168.2.4
May 31, 2023 03:57:41.269735098 CEST	49705	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:41.296176910 CEST	5899	49705	45.12.253.242	192.168.2.4
May 31, 2023 03:57:41.434531927 CEST	49705	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:41.435019016 CEST	49705	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:41.510341883 CEST	5899	49705	45.12.253.242	192.168.2.4
May 31, 2023 03:57:42.683080912 CEST	5899	49705	45.12.253.242	192.168.2.4
May 31, 2023 03:57:42.840924025 CEST	49705	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:43.109342098 CEST	49705	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:48.115884066 CEST	49706	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:48.142308950 CEST	5899	49706	45.12.253.242	192.168.2.4
May 31, 2023 03:57:48.142505884 CEST	49706	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:48.142985106 CEST	49706	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:48.230043888 CEST	5899	49706	45.12.253.242	192.168.2.4
May 31, 2023 03:57:48.306740046 CEST	5899	49706	45.12.253.242	192.168.2.4
May 31, 2023 03:57:48.307444096 CEST	49706	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:48.334368944 CEST	5899	49706	45.12.253.242	192.168.2.4
May 31, 2023 03:57:48.344669104 CEST	49706	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:48.433103085 CEST	5899	49706	45.12.253.242	192.168.2.4
May 31, 2023 03:57:48.529215097 CEST	5899	49706	45.12.253.242	192.168.2.4
May 31, 2023 03:57:48.530402899 CEST	49706	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:48.558969021 CEST	5899	49706	45.12.253.242	192.168.2.4
May 31, 2023 03:57:48.561399937 CEST	49706	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:48.592461109 CEST	5899	49706	45.12.253.242	192.168.2.4
May 31, 2023 03:57:48.597088099 CEST	49706	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:48.623598099 CEST	5899	49706	45.12.253.242	192.168.2.4
May 31, 2023 03:57:48.669562101 CEST	49706	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:48.794981003 CEST	49706	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:48.870603085 CEST	5899	49706	45.12.253.242	192.168.2.4
May 31, 2023 03:57:49.951822996 CEST	49706	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:50.042438984 CEST	5899	49706	45.12.253.242	192.168.2.4
May 31, 2023 03:57:50.777338028 CEST	5899	49706	45.12.253.242	192.168.2.4
May 31, 2023 03:57:50.826175928 CEST	49706	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:50.964418888 CEST	49706	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:55.447793007 CEST	49707	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:55.474473000 CEST	5899	49707	45.12.253.242	192.168.2.4
May 31, 2023 03:57:55.474658012 CEST	49707	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:55.475825071 CEST	49707	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:55.564989090 CEST	5899	49707	45.12.253.242	192.168.2.4
May 31, 2023 03:57:55.660254955 CEST	5899	49707	45.12.253.242	192.168.2.4
May 31, 2023 03:57:55.660576105 CEST	49707	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:55.687011003 CEST	5899	49707	45.12.253.242	192.168.2.4
May 31, 2023 03:57:55.696316004 CEST	49707	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:55.776741982 CEST	5899	49707	45.12.253.242	192.168.2.4
May 31, 2023 03:57:55.872975111 CEST	5899	49707	45.12.253.242	192.168.2.4
May 31, 2023 03:57:55.873907089 CEST	49707	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:55.900338888 CEST	5899	49707	45.12.253.242	192.168.2.4
May 31, 2023 03:57:55.903157949 CEST	49707	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:55.930005074 CEST	5899	49707	45.12.253.242	192.168.2.4
May 31, 2023 03:57:55.930340052 CEST	49707	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:55.956783056 CEST	5899	49707	45.12.253.242	192.168.2.4
May 31, 2023 03:57:55.998697996 CEST	49707	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:56.093627930 CEST	49707	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:56.183134079 CEST	5899	49707	45.12.253.242	192.168.2.4
May 31, 2023 03:57:57.856786966 CEST	49707	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:57.933763981 CEST	5899	49707	45.12.253.242	192.168.2.4
May 31, 2023 03:57:58.903405905 CEST	5899	49707	45.12.253.242	192.168.2.4
May 31, 2023 03:57:59.029863119 CEST	49707	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:57:59.493494034 CEST	49707	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:03.538994074 CEST	49708	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:03.566737890 CEST	5899	49708	45.12.253.242	192.168.2.4
May 31, 2023 03:58:03.568164110 CEST	49708	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:03.568164110 CEST	49708	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:03.652395010 CEST	5899	49708	45.12.253.242	192.168.2.4
May 31, 2023 03:58:03.675272942 CEST	5899	49708	45.12.253.242	192.168.2.4
May 31, 2023 03:58:03.699872971 CEST	49708	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:03.728348970 CEST	5899	49708	45.12.253.242	192.168.2.4
May 31, 2023 03:58:03.885819912 CEST	49708	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:04.236568928 CEST	49708	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:04.323734045 CEST	5899	49708	45.12.253.242	192.168.2.4
May 31, 2023 03:58:04.436485052 CEST	5899	49708	45.12.253.242	192.168.2.4
May 31, 2023 03:58:04.530292988 CEST	49708	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:04.557023048 CEST	5899	49708	45.12.253.242	192.168.2.4
May 31, 2023 03:58:04.733421087 CEST	49708	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:04.738848925 CEST	49708	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:04.824069023 CEST	5899	49708	45.12.253.242	192.168.2.4
May 31, 2023 03:58:04.876157999 CEST	49708	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:04.964457989 CEST	5899	49708	45.12.253.242	192.168.2.4
May 31, 2023 03:58:04.967888117 CEST	49708	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:04.994597912 CEST	5899	49708	45.12.253.242	192.168.2.4
May 31, 2023 03:58:05.118931055 CEST	49708	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:05.145750046 CEST	5899	49708	45.12.253.242	192.168.2.4
May 31, 2023 03:58:05.233494997 CEST	49708	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:05.598366022 CEST	49708	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:05.609080076 CEST	49708	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:11.467175007 CEST	49709	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:11.493309021 CEST	5899	49709	45.12.253.242	192.168.2.4
May 31, 2023 03:58:11.493695974 CEST	49709	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:11.627032995 CEST	49709	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:11.713918924 CEST	5899	49709	45.12.253.242	192.168.2.4
May 31, 2023 03:58:11.865675926 CEST	5899	49709	45.12.253.242	192.168.2.4
May 31, 2023 03:58:11.905880928 CEST	49709	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:11.907592058 CEST	49709	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:11.944005013 CEST	5899	49709	45.12.253.242	192.168.2.4
May 31, 2023 03:58:12.003175974 CEST	49709	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:12.145515919 CEST	49709	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:12.230035067 CEST	5899	49709	45.12.253.242	192.168.2.4
May 31, 2023 03:58:12.326630116 CEST	5899	49709	45.12.253.242	192.168.2.4
May 31, 2023 03:58:12.374738932 CEST	49709	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:12.396923065 CEST	49709	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:12.401308060 CEST	5899	49709	45.12.253.242	192.168.2.4
May 31, 2023 03:58:12.452800989 CEST	49709	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:12.480447054 CEST	5899	49709	45.12.253.242	192.168.2.4
May 31, 2023 03:58:12.508495092 CEST	49709	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:12.589854956 CEST	5899	49709	45.12.253.242	192.168.2.4
May 31, 2023 03:58:12.590118885 CEST	49709	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:12.617563963 CEST	5899	49709	45.12.253.242	192.168.2.4
May 31, 2023 03:58:12.671581984 CEST	49709	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:12.698501110 CEST	5899	49709	45.12.253.242	192.168.2.4
May 31, 2023 03:58:12.749736071 CEST	49709	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:13.949470997 CEST	49709	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:18.346506119 CEST	49710	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:18.372896910 CEST	5899	49710	45.12.253.242	192.168.2.4
May 31, 2023 03:58:18.373122931 CEST	49710	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:18.373828888 CEST	49710	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:18.463561058 CEST	5899	49710	45.12.253.242	192.168.2.4
May 31, 2023 03:58:18.558012962 CEST	5899	49710	45.12.253.242	192.168.2.4
May 31, 2023 03:58:18.558264017 CEST	49710	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:18.585190058 CEST	5899	49710	45.12.253.242	192.168.2.4
May 31, 2023 03:58:18.592127085 CEST	49710	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:18.682212114 CEST	5899	49710	45.12.253.242	192.168.2.4
May 31, 2023 03:58:18.682332993 CEST	49710	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:18.760309935 CEST	5899	49710	45.12.253.242	192.168.2.4
May 31, 2023 03:58:18.762763023 CEST	5899	49710	45.12.253.242	192.168.2.4
May 31, 2023 03:58:18.763474941 CEST	49710	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:18.815803051 CEST	5899	49710	45.12.253.242	192.168.2.4
May 31, 2023 03:58:18.860081911 CEST	49710	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:18.974490881 CEST	49710	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:19.001420975 CEST	5899	49710	45.12.253.242	192.168.2.4
May 31, 2023 03:58:19.001822948 CEST	49710	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:19.028248072 CEST	5899	49710	45.12.253.242	192.168.2.4
May 31, 2023 03:58:19.078814030 CEST	49710	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:19.335745096 CEST	49710	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:19.416779041 CEST	5899	49710	45.12.253.242	192.168.2.4
May 31, 2023 03:58:19.657023907 CEST	49710	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:19.744769096 CEST	5899	49710	45.12.253.242	192.168.2.4
May 31, 2023 03:58:20.751070976 CEST	49710	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:24.936439991 CEST	49711	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:24.969158888 CEST	5899	49711	45.12.253.242	192.168.2.4
May 31, 2023 03:58:24.969443083 CEST	49711	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:24.970042944 CEST	49711	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:25.061156034 CEST	5899	49711	45.12.253.242	192.168.2.4
May 31, 2023 03:58:25.274995089 CEST	5899	49711	45.12.253.242	192.168.2.4
May 31, 2023 03:58:25.275542021 CEST	49711	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:25.302356958 CEST	5899	49711	45.12.253.242	192.168.2.4
May 31, 2023 03:58:25.309453011 CEST	49711	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:25.385612965 CEST	5899	49711	45.12.253.242	192.168.2.4
May 31, 2023 03:58:25.482187033 CEST	5899	49711	45.12.253.242	192.168.2.4
May 31, 2023 03:58:25.483175993 CEST	49711	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:25.509413958 CEST	5899	49711	45.12.253.242	192.168.2.4
May 31, 2023 03:58:25.563386917 CEST	49711	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:25.589806080 CEST	5899	49711	45.12.253.242	192.168.2.4
May 31, 2023 03:58:25.590167999 CEST	49711	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:25.618211031 CEST	5899	49711	45.12.253.242	192.168.2.4
May 31, 2023 03:58:25.618401051 CEST	49711	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:25.644996881 CEST	5899	49711	45.12.253.242	192.168.2.4
May 31, 2023 03:58:25.688364983 CEST	49711	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:25.939071894 CEST	49711	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:26.204063892 CEST	49711	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:26.291517973 CEST	5899	49711	45.12.253.242	192.168.2.4
May 31, 2023 03:58:26.997247934 CEST	49711	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:31.941567898 CEST	49712	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:31.968231916 CEST	5899	49712	45.12.253.242	192.168.2.4
May 31, 2023 03:58:31.968389034 CEST	49712	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:31.969396114 CEST	49712	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:32.041541100 CEST	5899	49712	45.12.253.242	192.168.2.4
May 31, 2023 03:58:32.168967962 CEST	5899	49712	45.12.253.242	192.168.2.4
May 31, 2023 03:58:32.222275972 CEST	49712	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:33.250241041 CEST	49712	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:33.277179003 CEST	5899	49712	45.12.253.242	192.168.2.4
May 31, 2023 03:58:33.498622894 CEST	49712	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:33.573384047 CEST	5899	49712	45.12.253.242	192.168.2.4
May 31, 2023 03:58:33.700300932 CEST	49712	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:33.792509079 CEST	5899	49712	45.12.253.242	192.168.2.4
May 31, 2023 03:58:33.888225079 CEST	5899	49712	45.12.253.242	192.168.2.4
May 31, 2023 03:58:34.017431974 CEST	49712	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:34.044451952 CEST	5899	49712	45.12.253.242	192.168.2.4
May 31, 2023 03:58:34.052236080 CEST	49712	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:34.137164116 CEST	5899	49712	45.12.253.242	192.168.2.4
May 31, 2023 03:58:34.137743950 CEST	49712	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:34.213718891 CEST	5899	49712	45.12.253.242	192.168.2.4
May 31, 2023 03:58:34.437139988 CEST	49712	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:34.464813948 CEST	5899	49712	45.12.253.242	192.168.2.4
May 31, 2023 03:58:34.464989901 CEST	49712	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:34.493380070 CEST	5899	49712	45.12.253.242	192.168.2.4
May 31, 2023 03:58:34.720366955 CEST	49712	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:34.924046040 CEST	49712	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:39.053441048 CEST	49713	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:39.079771042 CEST	5899	49713	45.12.253.242	192.168.2.4
May 31, 2023 03:58:39.081135035 CEST	49713	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:39.081495047 CEST	49713	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:39.166631937 CEST	5899	49713	45.12.253.242	192.168.2.4
May 31, 2023 03:58:39.265647888 CEST	49713	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:39.285615921 CEST	5899	49713	45.12.253.242	192.168.2.4
May 31, 2023 03:58:39.354409933 CEST	5899	49713	45.12.253.242	192.168.2.4
May 31, 2023 03:58:39.393378973 CEST	49713	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:39.498735905 CEST	49713	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:39.529280901 CEST	5899	49713	45.12.253.242	192.168.2.4
May 31, 2023 03:58:39.536314011 CEST	49713	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:39.619738102 CEST	5899	49713	45.12.253.242	192.168.2.4
May 31, 2023 03:58:39.731456041 CEST	5899	49713	45.12.253.242	192.168.2.4
May 31, 2023 03:58:39.732192993 CEST	49713	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:39.758069038 CEST	5899	49713	45.12.253.242	192.168.2.4
May 31, 2023 03:58:39.892656088 CEST	49713	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:39.918927908 CEST	5899	49713	45.12.253.242	192.168.2.4
May 31, 2023 03:58:40.095838070 CEST	49713	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:40.124983072 CEST	49713	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:40.151664972 CEST	5899	49713	45.12.253.242	192.168.2.4
May 31, 2023 03:58:40.153394938 CEST	49713	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:40.180174112 CEST	5899	49713	45.12.253.242	192.168.2.4
May 31, 2023 03:58:40.283718109 CEST	49713	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:40.308765888 CEST	49713	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:40.386292934 CEST	5899	49713	45.12.253.242	192.168.2.4
May 31, 2023 03:58:40.387681961 CEST	49713	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:40.463879108 CEST	5899	49713	45.12.253.242	192.168.2.4
May 31, 2023 03:58:41.190476894 CEST	49713	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:45.708885908 CEST	49714	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:45.734884977 CEST	5899	49714	45.12.253.242	192.168.2.4
May 31, 2023 03:58:45.735281944 CEST	49714	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:45.735743046 CEST	49714	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:45.822750092 CEST	5899	49714	45.12.253.242	192.168.2.4
May 31, 2023 03:58:45.969703913 CEST	5899	49714	45.12.253.242	192.168.2.4
May 31, 2023 03:58:45.970299959 CEST	49714	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:45.997128963 CEST	5899	49714	45.12.253.242	192.168.2.4
May 31, 2023 03:58:46.006270885 CEST	49714	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:46.088608027 CEST	5899	49714	45.12.253.242	192.168.2.4
May 31, 2023 03:58:46.184689045 CEST	5899	49714	45.12.253.242	192.168.2.4
May 31, 2023 03:58:46.236978054 CEST	49714	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:46.266772032 CEST	5899	49714	45.12.253.242	192.168.2.4
May 31, 2023 03:58:46.315071106 CEST	49714	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:46.560944080 CEST	49714	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:46.651236057 CEST	5899	49714	45.12.253.242	192.168.2.4
May 31, 2023 03:58:46.651367903 CEST	49714	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:46.678142071 CEST	5899	49714	45.12.253.242	192.168.2.4
May 31, 2023 03:58:46.721414089 CEST	49714	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:46.747509003 CEST	5899	49714	45.12.253.242	192.168.2.4
May 31, 2023 03:58:46.799530029 CEST	49714	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:46.938618898 CEST	49714	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:47.029140949 CEST	5899	49714	45.12.253.242	192.168.2.4
May 31, 2023 03:58:47.597769022 CEST	49714	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:47.620662928 CEST	5899	49714	45.12.253.242	192.168.2.4
May 31, 2023 03:58:47.621068001 CEST	49714	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:52.110382080 CEST	49715	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:52.137804031 CEST	5899	49715	45.12.253.242	192.168.2.4
May 31, 2023 03:58:52.138048887 CEST	49715	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:52.346146107 CEST	49715	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:52.431437969 CEST	5899	49715	45.12.253.242	192.168.2.4
May 31, 2023 03:58:52.458816051 CEST	5899	49715	45.12.253.242	192.168.2.4
May 31, 2023 03:58:52.459671021 CEST	49715	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:52.487464905 CEST	5899	49715	45.12.253.242	192.168.2.4
May 31, 2023 03:58:52.523930073 CEST	49715	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:52.604527950 CEST	5899	49715	45.12.253.242	192.168.2.4
May 31, 2023 03:58:52.691296101 CEST	49715	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:52.716051102 CEST	5899	49715	45.12.253.242	192.168.2.4
May 31, 2023 03:58:52.718830109 CEST	5899	49715	45.12.253.242	192.168.2.4
May 31, 2023 03:58:52.719079971 CEST	49715	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:52.745805979 CEST	5899	49715	45.12.253.242	192.168.2.4
May 31, 2023 03:58:52.831876040 CEST	49715	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:52.832214117 CEST	49715	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:52.916520119 CEST	5899	49715	45.12.253.242	192.168.2.4
May 31, 2023 03:58:52.917433977 CEST	49715	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:52.947468996 CEST	5899	49715	45.12.253.242	192.168.2.4
May 31, 2023 03:58:53.018842936 CEST	49715	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:53.048240900 CEST	5899	49715	45.12.253.242	192.168.2.4
May 31, 2023 03:58:53.128138065 CEST	49715	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:53.159718990 CEST	49715	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:53.228214025 CEST	5899	49715	45.12.253.242	192.168.2.4
May 31, 2023 03:58:53.787554979 CEST	49715	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:53.868869066 CEST	5899	49715	45.12.253.242	192.168.2.4
May 31, 2023 03:58:54.784902096 CEST	49715	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:59.853517056 CEST	49716	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:59.879848003 CEST	5899	49716	45.12.253.242	192.168.2.4
May 31, 2023 03:58:59.883196115 CEST	49716	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:59.883660078 CEST	49716	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:58:59.962608099 CEST	5899	49716	45.12.253.242	192.168.2.4
May 31, 2023 03:59:00.084172010 CEST	5899	49716	45.12.253.242	192.168.2.4
May 31, 2023 03:59:00.128782034 CEST	49716	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:00.348609924 CEST	49716	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:00.375471115 CEST	5899	49716	45.12.253.242	192.168.2.4
May 31, 2023 03:59:00.381680965 CEST	49716	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:00.462656975 CEST	5899	49716	45.12.253.242	192.168.2.4
May 31, 2023 03:59:00.462867022 CEST	49716	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:00.540566921 CEST	5899	49716	45.12.253.242	192.168.2.4
May 31, 2023 03:59:00.558429003 CEST	5899	49716	45.12.253.242	192.168.2.4
May 31, 2023 03:59:00.613190889 CEST	49716	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:00.639074087 CEST	5899	49716	45.12.253.242	192.168.2.4
May 31, 2023 03:59:00.644486904 CEST	49716	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:00.728307009 CEST	5899	49716	45.12.253.242	192.168.2.4
May 31, 2023 03:59:00.865094900 CEST	49716	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:00.891936064 CEST	5899	49716	45.12.253.242	192.168.2.4
May 31, 2023 03:59:00.892117023 CEST	49716	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:00.918859005 CEST	5899	49716	45.12.253.242	192.168.2.4
May 31, 2023 03:59:00.972587109 CEST	49716	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:01.488743067 CEST	49716	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:01.572206020 CEST	5899	49716	45.12.253.242	192.168.2.4
May 31, 2023 03:59:02.535583973 CEST	49716	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:07.889334917 CEST	49717	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:07.922142029 CEST	5899	49717	45.12.253.242	192.168.2.4
May 31, 2023 03:59:07.922244072 CEST	49717	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:08.572865963 CEST	49717	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:08.666100979 CEST	5899	49717	45.12.253.242	192.168.2.4
May 31, 2023 03:59:08.695940018 CEST	49717	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:08.776021004 CEST	5899	49717	45.12.253.242	192.168.2.4
May 31, 2023 03:59:09.359720945 CEST	5899	49717	45.12.253.242	192.168.2.4
May 31, 2023 03:59:09.410799026 CEST	49717	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:09.461431980 CEST	49717	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:09.488966942 CEST	5899	49717	45.12.253.242	192.168.2.4
May 31, 2023 03:59:09.531826973 CEST	49717	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:09.619030952 CEST	5899	49717	45.12.253.242	192.168.2.4
May 31, 2023 03:59:09.715691090 CEST	5899	49717	45.12.253.242	192.168.2.4
May 31, 2023 03:59:09.817100048 CEST	49717	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:09.843616009 CEST	5899	49717	45.12.253.242	192.168.2.4
May 31, 2023 03:59:09.930694103 CEST	49717	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:10.025136948 CEST	5899	49717	45.12.253.242	192.168.2.4
May 31, 2023 03:59:10.025240898 CEST	49717	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:10.052603960 CEST	5899	49717	45.12.253.242	192.168.2.4
May 31, 2023 03:59:10.113975048 CEST	49717	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:10.141576052 CEST	5899	49717	45.12.253.242	192.168.2.4
May 31, 2023 03:59:10.317087889 CEST	49717	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:11.330387115 CEST	49717	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:15.398240089 CEST	49718	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:15.424793959 CEST	5899	49718	45.12.253.242	192.168.2.4
May 31, 2023 03:59:15.424989939 CEST	49718	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:15.425859928 CEST	49718	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:15.509692907 CEST	5899	49718	45.12.253.242	192.168.2.4
May 31, 2023 03:59:15.636802912 CEST	5899	49718	45.12.253.242	192.168.2.4
May 31, 2023 03:59:15.642366886 CEST	49718	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:15.670819044 CEST	5899	49718	45.12.253.242	192.168.2.4
May 31, 2023 03:59:15.678859949 CEST	49718	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:15.761101007 CEST	5899	49718	45.12.253.242	192.168.2.4
May 31, 2023 03:59:15.873051882 CEST	5899	49718	45.12.253.242	192.168.2.4
May 31, 2023 03:59:15.876729012 CEST	49718	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:15.905061007 CEST	5899	49718	45.12.253.242	192.168.2.4
May 31, 2023 03:59:15.906018972 CEST	49718	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:15.934827089 CEST	5899	49718	45.12.253.242	192.168.2.4
May 31, 2023 03:59:15.934986115 CEST	49718	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:15.965595007 CEST	5899	49718	45.12.253.242	192.168.2.4
May 31, 2023 03:59:16.020729065 CEST	49718	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:16.099292994 CEST	49718	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:16.182111025 CEST	5899	49718	45.12.253.242	192.168.2.4
May 31, 2023 03:59:17.099572897 CEST	49718	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:17.182117939 CEST	5899	49718	45.12.253.242	192.168.2.4
May 31, 2023 03:59:18.099520922 CEST	49718	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:22.157332897 CEST	49719	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:22.184158087 CEST	5899	49719	45.12.253.242	192.168.2.4
May 31, 2023 03:59:22.185645103 CEST	49719	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:22.203113079 CEST	49719	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:22.292140007 CEST	5899	49719	45.12.253.242	192.168.2.4
May 31, 2023 03:59:22.552952051 CEST	5899	49719	45.12.253.242	192.168.2.4
May 31, 2023 03:59:22.553766966 CEST	49719	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:22.580807924 CEST	5899	49719	45.12.253.242	192.168.2.4
May 31, 2023 03:59:22.589854002 CEST	49719	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:22.682934046 CEST	5899	49719	45.12.253.242	192.168.2.4
May 31, 2023 03:59:22.779875040 CEST	5899	49719	45.12.253.242	192.168.2.4
May 31, 2023 03:59:22.780563116 CEST	49719	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:22.806967974 CEST	5899	49719	45.12.253.242	192.168.2.4
May 31, 2023 03:59:22.849416018 CEST	49719	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:22.876900911 CEST	5899	49719	45.12.253.242	192.168.2.4
May 31, 2023 03:59:22.879254103 CEST	49719	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:22.906238079 CEST	5899	49719	45.12.253.242	192.168.2.4
May 31, 2023 03:59:22.906352043 CEST	49719	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:22.933212996 CEST	5899	49719	45.12.253.242	192.168.2.4
May 31, 2023 03:59:22.990020037 CEST	49719	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:23.103458881 CEST	49719	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:23.183226109 CEST	5899	49719	45.12.253.242	192.168.2.4
May 31, 2023 03:59:24.100224018 CEST	49719	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:28.215893030 CEST	49720	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:28.243963957 CEST	5899	49720	45.12.253.242	192.168.2.4
May 31, 2023 03:59:28.244065046 CEST	49720	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:28.244510889 CEST	49720	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:28.323226929 CEST	5899	49720	45.12.253.242	192.168.2.4
May 31, 2023 03:59:28.420653105 CEST	5899	49720	45.12.253.242	192.168.2.4
May 31, 2023 03:59:28.420887947 CEST	49720	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:28.448133945 CEST	5899	49720	45.12.253.242	192.168.2.4
May 31, 2023 03:59:28.453011036 CEST	49720	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:28.526608944 CEST	5899	49720	45.12.253.242	192.168.2.4
May 31, 2023 03:59:28.639368057 CEST	5899	49720	45.12.253.242	192.168.2.4
May 31, 2023 03:59:28.640043020 CEST	49720	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:28.668195009 CEST	5899	49720	45.12.253.242	192.168.2.4
May 31, 2023 03:59:28.709404945 CEST	49720	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:28.735852957 CEST	5899	49720	45.12.253.242	192.168.2.4
May 31, 2023 03:59:28.736109972 CEST	49720	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:28.763128042 CEST	5899	49720	45.12.253.242	192.168.2.4
May 31, 2023 03:59:28.763328075 CEST	49720	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:28.790319920 CEST	5899	49720	45.12.253.242	192.168.2.4
May 31, 2023 03:59:28.834275961 CEST	49720	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:29.175573111 CEST	49720	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:29.260998011 CEST	5899	49720	45.12.253.242	192.168.2.4
May 31, 2023 03:59:30.194526911 CEST	49720	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:34.266896009 CEST	49721	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:34.293391943 CEST	5899	49721	45.12.253.242	192.168.2.4
May 31, 2023 03:59:34.294928074 CEST	49721	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:34.295434952 CEST	49721	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:34.386571884 CEST	5899	49721	45.12.253.242	192.168.2.4
May 31, 2023 03:59:34.539602995 CEST	5899	49721	45.12.253.242	192.168.2.4
May 31, 2023 03:59:34.540112972 CEST	49721	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:34.567255020 CEST	5899	49721	45.12.253.242	192.168.2.4
May 31, 2023 03:59:34.572638035 CEST	49721	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:34.667150021 CEST	5899	49721	45.12.253.242	192.168.2.4
May 31, 2023 03:59:34.750900984 CEST	5899	49721	45.12.253.242	192.168.2.4
May 31, 2023 03:59:34.751914978 CEST	49721	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:34.778170109 CEST	5899	49721	45.12.253.242	192.168.2.4
May 31, 2023 03:59:34.819245100 CEST	49721	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:34.854573011 CEST	5899	49721	45.12.253.242	192.168.2.4
May 31, 2023 03:59:34.854846001 CEST	49721	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:34.882805109 CEST	5899	49721	45.12.253.242	192.168.2.4
May 31, 2023 03:59:34.882952929 CEST	49721	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:34.910048008 CEST	5899	49721	45.12.253.242	192.168.2.4
May 31, 2023 03:59:34.959847927 CEST	49721	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:35.241904020 CEST	49721	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:35.323280096 CEST	5899	49721	45.12.253.242	192.168.2.4
May 31, 2023 03:59:36.257148981 CEST	49721	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:40.329073906 CEST	49722	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:40.357595921 CEST	5899	49722	45.12.253.242	192.168.2.4
May 31, 2023 03:59:40.357722044 CEST	49722	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:40.358094931 CEST	49722	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:40.448525906 CEST	5899	49722	45.12.253.242	192.168.2.4
May 31, 2023 03:59:40.534470081 CEST	5899	49722	45.12.253.242	192.168.2.4
May 31, 2023 03:59:40.534866095 CEST	49722	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:40.562016964 CEST	5899	49722	45.12.253.242	192.168.2.4
May 31, 2023 03:59:40.567640066 CEST	49722	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:40.651407957 CEST	5899	49722	45.12.253.242	192.168.2.4
May 31, 2023 03:59:40.753910065 CEST	5899	49722	45.12.253.242	192.168.2.4
May 31, 2023 03:59:40.754545927 CEST	49722	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:40.799305916 CEST	5899	49722	45.12.253.242	192.168.2.4
May 31, 2023 03:59:40.800023079 CEST	49722	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:40.826836109 CEST	5899	49722	45.12.253.242	192.168.2.4
May 31, 2023 03:59:40.826920033 CEST	49722	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:40.853317976 CEST	5899	49722	45.12.253.242	192.168.2.4
May 31, 2023 03:59:40.906620979 CEST	49722	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:41.289827108 CEST	49722	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:41.370337009 CEST	5899	49722	45.12.253.242	192.168.2.4
May 31, 2023 03:59:42.289407015 CEST	49722	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:46.365015030 CEST	49723	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:46.391681910 CEST	5899	49723	45.12.253.242	192.168.2.4
May 31, 2023 03:59:46.391865969 CEST	49723	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:46.392270088 CEST	49723	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:46.479798079 CEST	5899	49723	45.12.253.242	192.168.2.4
May 31, 2023 03:59:46.479907036 CEST	49723	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:46.521106005 CEST	5899	49723	45.12.253.242	192.168.2.4
May 31, 2023 03:59:46.521337032 CEST	49723	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:46.548397064 CEST	5899	49723	45.12.253.242	192.168.2.4
May 31, 2023 03:59:46.553395987 CEST	49723	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:46.635922909 CEST	5899	49723	45.12.253.242	192.168.2.4
May 31, 2023 03:59:46.732711077 CEST	5899	49723	45.12.253.242	192.168.2.4
May 31, 2023 03:59:46.740307093 CEST	49723	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:46.766640902 CEST	5899	49723	45.12.253.242	192.168.2.4
May 31, 2023 03:59:46.767400980 CEST	49723	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:46.794240952 CEST	5899	49723	45.12.253.242	192.168.2.4
May 31, 2023 03:59:46.794341087 CEST	49723	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:46.821134090 CEST	5899	49723	45.12.253.242	192.168.2.4
May 31, 2023 03:59:46.867103100 CEST	49723	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:47.414494991 CEST	49723	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:47.495337963 CEST	5899	49723	45.12.253.242	192.168.2.4
May 31, 2023 03:59:48.458405972 CEST	49723	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:52.508066893 CEST	49724	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:52.534463882 CEST	5899	49724	45.12.253.242	192.168.2.4
May 31, 2023 03:59:52.534866095 CEST	49724	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:52.535511017 CEST	49724	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:52.620971918 CEST	5899	49724	45.12.253.242	192.168.2.4
May 31, 2023 03:59:52.695375919 CEST	5899	49724	45.12.253.242	192.168.2.4
May 31, 2023 03:59:52.695997953 CEST	49724	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:52.976999044 CEST	49724	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:52.979867935 CEST	5899	49724	45.12.253.242	192.168.2.4
May 31, 2023 03:59:52.979980946 CEST	49724	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:53.004013062 CEST	5899	49724	45.12.253.242	192.168.2.4
May 31, 2023 03:59:53.012010098 CEST	49724	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:53.104424000 CEST	5899	49724	45.12.253.242	192.168.2.4
May 31, 2023 03:59:53.201262951 CEST	5899	49724	45.12.253.242	192.168.2.4
May 31, 2023 03:59:53.202176094 CEST	49724	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:53.228899002 CEST	5899	49724	45.12.253.242	192.168.2.4
May 31, 2023 03:59:53.273864985 CEST	49724	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:53.300484896 CEST	5899	49724	45.12.253.242	192.168.2.4
May 31, 2023 03:59:53.301337004 CEST	49724	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:53.329035044 CEST	5899	49724	45.12.253.242	192.168.2.4
May 31, 2023 03:59:53.329169035 CEST	49724	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:53.356220007 CEST	5899	49724	45.12.253.242	192.168.2.4
May 31, 2023 03:59:53.398914099 CEST	49724	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:53.493125916 CEST	49724	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:53.573100090 CEST	5899	49724	45.12.253.242	192.168.2.4
May 31, 2023 03:59:54.509331942 CEST	49724	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:58.589555025 CEST	49725	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:58.620071888 CEST	5899	49725	45.12.253.242	192.168.2.4
May 31, 2023 03:59:58.620192051 CEST	49725	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:58.620723963 CEST	49725	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:58.713740110 CEST	5899	49725	45.12.253.242	192.168.2.4
May 31, 2023 03:59:58.851073980 CEST	5899	49725	45.12.253.242	192.168.2.4
May 31, 2023 03:59:58.851424932 CEST	49725	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:58.879175901 CEST	5899	49725	45.12.253.242	192.168.2.4
May 31, 2023 03:59:58.884120941 CEST	49725	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:58.963717937 CEST	5899	49725	45.12.253.242	192.168.2.4
May 31, 2023 03:59:59.090720892 CEST	5899	49725	45.12.253.242	192.168.2.4
May 31, 2023 03:59:59.092535973 CEST	49725	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:59.120332003 CEST	5899	49725	45.12.253.242	192.168.2.4
May 31, 2023 03:59:59.121124029 CEST	49725	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:59.147895098 CEST	5899	49725	45.12.253.242	192.168.2.4
May 31, 2023 03:59:59.148004055 CEST	49725	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:59.175724030 CEST	5899	49725	45.12.253.242	192.168.2.4
May 31, 2023 03:59:59.227511883 CEST	49725	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:59.543859005 CEST	49725	5899	192.168.2.4	45.12.253.242
May 31, 2023 03:59:59.620449066 CEST	5899	49725	45.12.253.242	192.168.2.4
May 31, 2023 04:00:00.541256905 CEST	49725	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:05.094254971 CEST	49726	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:05.125081062 CEST	5899	49726	45.12.253.242	192.168.2.4
May 31, 2023 04:00:05.125279903 CEST	49726	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:05.187161922 CEST	49726	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:05.276417017 CEST	5899	49726	45.12.253.242	192.168.2.4
May 31, 2023 04:00:05.391999960 CEST	5899	49726	45.12.253.242	192.168.2.4
May 31, 2023 04:00:05.494859934 CEST	49726	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:05.564244986 CEST	49726	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:05.595793962 CEST	5899	49726	45.12.253.242	192.168.2.4
May 31, 2023 04:00:05.601358891 CEST	49726	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:05.683335066 CEST	5899	49726	45.12.253.242	192.168.2.4
May 31, 2023 04:00:05.780018091 CEST	5899	49726	45.12.253.242	192.168.2.4
May 31, 2023 04:00:05.781316042 CEST	49726	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:05.809220076 CEST	5899	49726	45.12.253.242	192.168.2.4
May 31, 2023 04:00:05.810206890 CEST	49726	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:05.837537050 CEST	5899	49726	45.12.253.242	192.168.2.4
May 31, 2023 04:00:05.838900089 CEST	49726	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:05.867255926 CEST	5899	49726	45.12.253.242	192.168.2.4
May 31, 2023 04:00:05.867394924 CEST	49726	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:05.948501110 CEST	5899	49726	45.12.253.242	192.168.2.4
May 31, 2023 04:00:05.994091034 CEST	49726	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:06.086024046 CEST	5899	49726	45.12.253.242	192.168.2.4
May 31, 2023 04:00:07.009856939 CEST	49726	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:07.088829041 CEST	5899	49726	45.12.253.242	192.168.2.4
May 31, 2023 04:00:08.042596102 CEST	49726	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:12.098108053 CEST	49727	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:12.124733925 CEST	5899	49727	45.12.253.242	192.168.2.4
May 31, 2023 04:00:12.124938011 CEST	49727	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:12.125416994 CEST	49727	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:12.213776112 CEST	5899	49727	45.12.253.242	192.168.2.4
May 31, 2023 04:00:12.610368013 CEST	5899	49727	45.12.253.242	192.168.2.4
May 31, 2023 04:00:12.610686064 CEST	49727	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:12.637814045 CEST	5899	49727	45.12.253.242	192.168.2.4
May 31, 2023 04:00:12.642704964 CEST	49727	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:12.729432106 CEST	5899	49727	45.12.253.242	192.168.2.4
May 31, 2023 04:00:12.825534105 CEST	5899	49727	45.12.253.242	192.168.2.4
May 31, 2023 04:00:12.826287031 CEST	49727	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:12.852587938 CEST	5899	49727	45.12.253.242	192.168.2.4
May 31, 2023 04:00:12.900568008 CEST	49727	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:12.926702976 CEST	5899	49727	45.12.253.242	192.168.2.4
May 31, 2023 04:00:12.927129030 CEST	49727	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:12.954257011 CEST	5899	49727	45.12.253.242	192.168.2.4
May 31, 2023 04:00:12.954395056 CEST	49727	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:12.981056929 CEST	5899	49727	45.12.253.242	192.168.2.4
May 31, 2023 04:00:13.025523901 CEST	49727	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:13.057662010 CEST	49727	5899	192.168.2.4	45.12.253.242
May 31, 2023 04:00:13.135834932 CEST	5899	49727	45.12.253.242	192.168.2.4
May 31, 2023 04:00:14.072822094 CEST	49727	5899	192.168.2.4	45.12.253.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 31, 2023 03:56:25.428962946 CEST	59683	53	192.168.2.4	8.8.8.8
May 31, 2023 03:56:25.465596914 CEST	53	59683	8.8.8.8	192.168.2.4
May 31, 2023 03:56:36.539118052 CEST	64167	53	192.168.2.4	8.8.8.8
May 31, 2023 03:56:36.560214043 CEST	53	64167	8.8.8.8	192.168.2.4
May 31, 2023 03:56:46.999397993 CEST	58565	53	192.168.2.4	8.8.8.8
May 31, 2023 03:56:47.020541906 CEST	53	58565	8.8.8.8	192.168.2.4
May 31, 2023 03:56:53.121328115 CEST	60686	53	192.168.2.4	8.8.8.8
May 31, 2023 03:56:53.159699917 CEST	53	60686	8.8.8.8	192.168.2.4
May 31, 2023 03:56:59.515897989 CEST	61124	53	192.168.2.4	8.8.8.8
May 31, 2023 03:56:59.536422968 CEST	53	61124	8.8.8.8	192.168.2.4
May 31, 2023 03:57:06.878510952 CEST	59444	53	192.168.2.4	8.8.8.8
May 31, 2023 03:57:06.898711920 CEST	53	59444	8.8.8.8	192.168.2.4
May 31, 2023 03:57:13.813244104 CEST	55570	53	192.168.2.4	8.8.8.8
May 31, 2023 03:57:13.840467930 CEST	53	55570	8.8.8.8	192.168.2.4
May 31, 2023 03:57:20.025006056 CEST	64906	53	192.168.2.4	8.8.8.8
May 31, 2023 03:57:20.053575039 CEST	53	64906	8.8.8.8	192.168.2.4
May 31, 2023 03:57:27.530657053 CEST	59446	53	192.168.2.4	8.8.8.8
May 31, 2023 03:57:27.551162958 CEST	53	59446	8.8.8.8	192.168.2.4
May 31, 2023 03:57:35.186477900 CEST	50861	53	192.168.2.4	8.8.8.8
May 31, 2023 03:57:35.214668036 CEST	53	50861	8.8.8.8	192.168.2.4
May 31, 2023 03:57:40.406709909 CEST	61088	53	192.168.2.4	8.8.8.8
May 31, 2023 03:57:40.432471991 CEST	53	61088	8.8.8.8	192.168.2.4
May 31, 2023 03:57:47.809973001 CEST	58729	53	192.168.2.4	8.8.8.8
May 31, 2023 03:57:47.836530924 CEST	53	58729	8.8.8.8	192.168.2.4
May 31, 2023 03:57:55.374121904 CEST	64700	53	192.168.2.4	8.8.8.8
May 31, 2023 03:57:55.442423105 CEST	53	64700	8.8.8.8	192.168.2.4
May 31, 2023 03:58:03.514790058 CEST	56022	53	192.168.2.4	8.8.8.8
May 31, 2023 03:58:03.536453962 CEST	53	56022	8.8.8.8	192.168.2.4
May 31, 2023 03:58:11.356097937 CEST	60822	53	192.168.2.4	8.8.8.8
May 31, 2023 03:58:11.376375914 CEST	53	60822	8.8.8.8	192.168.2.4
May 31, 2023 03:58:18.318727970 CEST	49750	53	192.168.2.4	8.8.8.8
May 31, 2023 03:58:18.345449924 CEST	53	49750	8.8.8.8	192.168.2.4
May 31, 2023 03:58:24.905312061 CEST	60550	53	192.168.2.4	8.8.8.8
May 31, 2023 03:58:24.934217930 CEST	53	60550	8.8.8.8	192.168.2.4
May 31, 2023 03:58:31.910937071 CEST	54851	53	192.168.2.4	8.8.8.8
May 31, 2023 03:58:31.938338041 CEST	53	54851	8.8.8.8	192.168.2.4
May 31, 2023 03:58:39.020291090 CEST	57300	53	192.168.2.4	8.8.8.8
May 31, 2023 03:58:39.052367926 CEST	53	57300	8.8.8.8	192.168.2.4
May 31, 2023 03:58:45.686958075 CEST	54521	53	192.168.2.4	8.8.8.8
May 31, 2023 03:58:45.707653046 CEST	53	54521	8.8.8.8	192.168.2.4
May 31, 2023 03:58:51.902966976 CEST	58914	53	192.168.2.4	8.8.8.8
May 31, 2023 03:58:51.944811106 CEST	53	58914	8.8.8.8	192.168.2.4
May 31, 2023 03:58:59.820317984 CEST	51419	53	192.168.2.4	8.8.8.8
May 31, 2023 03:58:59.849915981 CEST	53	51419	8.8.8.8	192.168.2.4
May 31, 2023 03:59:07.705219030 CEST	51054	53	192.168.2.4	8.8.8.8
May 31, 2023 03:59:07.726438046 CEST	53	51054	8.8.8.8	192.168.2.4
May 31, 2023 03:59:15.351322889 CEST	55673	53	192.168.2.4	8.8.8.8
May 31, 2023 03:59:15.395586014 CEST	53	55673	8.8.8.8	192.168.2.4
May 31, 2023 03:59:22.133614063 CEST	49735	53	192.168.2.4	8.8.8.8
May 31, 2023 03:59:22.156400919 CEST	53	49735	8.8.8.8	192.168.2.4
May 31, 2023 03:59:28.191653967 CEST	52437	53	192.168.2.4	8.8.8.8
May 31, 2023 03:59:28.214536905 CEST	53	52437	8.8.8.8	192.168.2.4
May 31, 2023 03:59:34.228857040 CEST	52825	53	192.168.2.4	8.8.8.8
May 31, 2023 03:59:34.264384985 CEST	53	52825	8.8.8.8	192.168.2.4
May 31, 2023 03:59:40.298445940 CEST	58530	53	192.168.2.4	8.8.8.8
May 31, 2023 03:59:40.327013969 CEST	53	58530	8.8.8.8	192.168.2.4
May 31, 2023 03:59:46.319281101 CEST	64959	53	192.168.2.4	8.8.8.8
May 31, 2023 03:59:46.345963001 CEST	53	64959	8.8.8.8	192.168.2.4
May 31, 2023 03:59:52.477865934 CEST	63093	53	192.168.2.4	8.8.8.8
May 31, 2023 03:59:52.506506920 CEST	53	63093	8.8.8.8	192.168.2.4
May 31, 2023 03:59:58.553975105 CEST	50433	53	192.168.2.4	8.8.8.8
May 31, 2023 03:59:58.588646889 CEST	53	50433	8.8.8.8	192.168.2.4
May 31, 2023 04:00:04.980314970 CEST	53498	53	192.168.2.4	8.8.8.8
May 31, 2023 04:00:05.002305031 CEST	53	53498	8.8.8.8	192.168.2.4
May 31, 2023 04:00:12.072873116 CEST	61460	53	192.168.2.4	8.8.8.8
May 31, 2023 04:00:12.096570969 CEST	53	61460	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 31, 2023 03:56:25.428962946 CEST	192.168.2.4	8.8.8.8	0xcaa6	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:56:36.539118052 CEST	192.168.2.4	8.8.8.8	0x9872	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:56:46.999397993 CEST	192.168.2.4	8.8.8.8	0x1a22	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:56:53.121328115 CEST	192.168.2.4	8.8.8.8	0x9249	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:56:59.515897989 CEST	192.168.2.4	8.8.8.8	0x16ea	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:57:06.878510952 CEST	192.168.2.4	8.8.8.8	0x90db	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:57:13.813244104 CEST	192.168.2.4	8.8.8.8	0xbcdb	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:57:20.025006056 CEST	192.168.2.4	8.8.8.8	0x85d	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:57:27.530657053 CEST	192.168.2.4	8.8.8.8	0x5d1b	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:57:35.186477900 CEST	192.168.2.4	8.8.8.8	0x9329	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:57:40.406709909 CEST	192.168.2.4	8.8.8.8	0xf9ba	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:57:47.809973001 CEST	192.168.2.4	8.8.8.8	0xe469	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:57:55.374121904 CEST	192.168.2.4	8.8.8.8	0x61f1	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:58:03.514790058 CEST	192.168.2.4	8.8.8.8	0x2002	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:58:11.356097937 CEST	192.168.2.4	8.8.8.8	0x1e	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:58:18.318727970 CEST	192.168.2.4	8.8.8.8	0x7bd4	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:58:24.905312061 CEST	192.168.2.4	8.8.8.8	0xfa18	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:58:31.910937071 CEST	192.168.2.4	8.8.8.8	0x543f	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:58:39.020291090 CEST	192.168.2.4	8.8.8.8	0x1fa9	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:58:45.686958075 CEST	192.168.2.4	8.8.8.8	0x2fa2	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:58:51.902966976 CEST	192.168.2.4	8.8.8.8	0xdcdf	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:58:59.820317984 CEST	192.168.2.4	8.8.8.8	0x1d84	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:59:07.705219030 CEST	192.168.2.4	8.8.8.8	0xc269	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:59:15.351322889 CEST	192.168.2.4	8.8.8.8	0x9313	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:59:22.133614063 CEST	192.168.2.4	8.8.8.8	0x225a	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:59:28.191653967 CEST	192.168.2.4	8.8.8.8	0x891c	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:59:34.228857040 CEST	192.168.2.4	8.8.8.8	0xdd62	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:59:40.298445940 CEST	192.168.2.4	8.8.8.8	0xab23	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:59:46.319281101 CEST	192.168.2.4	8.8.8.8	0x80d7	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:59:52.477865934 CEST	192.168.2.4	8.8.8.8	0x1261	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 03:59:58.553975105 CEST	192.168.2.4	8.8.8.8	0xf13a	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 04:00:04.980314970 CEST	192.168.2.4	8.8.8.8	0x5330	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false
May 31, 2023 04:00:12.072873116 CEST	192.168.2.4	8.8.8.8	0x3b0a	Standard query (0)	ucnano180523.ddns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 31, 2023 03:56:25.465596914 CEST	8.8.8.8	192.168.2.4	0xcaa6	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:56:36.560214043 CEST	8.8.8.8	192.168.2.4	0x9872	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:56:47.020541906 CEST	8.8.8.8	192.168.2.4	0x1a22	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:56:53.159699917 CEST	8.8.8.8	192.168.2.4	0x9249	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:56:59.536422968 CEST	8.8.8.8	192.168.2.4	0x16ea	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:57:06.898711920 CEST	8.8.8.8	192.168.2.4	0x90db	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:57:13.840467930 CEST	8.8.8.8	192.168.2.4	0xbcdb	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:57:20.053575039 CEST	8.8.8.8	192.168.2.4	0x85d	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:57:27.551162958 CEST	8.8.8.8	192.168.2.4	0x5d1b	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:57:35.214668036 CEST	8.8.8.8	192.168.2.4	0x9329	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:57:40.432471991 CEST	8.8.8.8	192.168.2.4	0xf9ba	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:57:47.836530924 CEST	8.8.8.8	192.168.2.4	0xe469	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:57:55.442423105 CEST	8.8.8.8	192.168.2.4	0x61f1	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:58:03.536453962 CEST	8.8.8.8	192.168.2.4	0x2002	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:58:11.376375914 CEST	8.8.8.8	192.168.2.4	0x1e	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:58:18.345449924 CEST	8.8.8.8	192.168.2.4	0x7bd4	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:58:24.934217930 CEST	8.8.8.8	192.168.2.4	0xfa18	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:58:31.938338041 CEST	8.8.8.8	192.168.2.4	0x543f	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:58:39.052367926 CEST	8.8.8.8	192.168.2.4	0x1fa9	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:58:45.707653046 CEST	8.8.8.8	192.168.2.4	0x2fa2	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:58:51.944811106 CEST	8.8.8.8	192.168.2.4	0xdcdf	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:58:59.849915981 CEST	8.8.8.8	192.168.2.4	0x1d84	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:59:07.726438046 CEST	8.8.8.8	192.168.2.4	0xc269	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:59:15.395586014 CEST	8.8.8.8	192.168.2.4	0x9313	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:59:22.156400919 CEST	8.8.8.8	192.168.2.4	0x225a	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:59:28.214536905 CEST	8.8.8.8	192.168.2.4	0x891c	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:59:34.264384985 CEST	8.8.8.8	192.168.2.4	0xdd62	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:59:40.327013969 CEST	8.8.8.8	192.168.2.4	0xab23	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:59:46.345963001 CEST	8.8.8.8	192.168.2.4	0x80d7	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:59:52.506506920 CEST	8.8.8.8	192.168.2.4	0x1261	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 03:59:58.588646889 CEST	8.8.8.8	192.168.2.4	0xf13a	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 04:00:05.002305031 CEST	8.8.8.8	192.168.2.4	0x5330	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false
May 31, 2023 04:00:12.096570969 CEST	8.8.8.8	192.168.2.4	0x3b0a	No error (0)	ucnano180523.ddns.net	45.12.253.242	A (IP address)	IN (0x0001)	false

Target ID:	1
Start time:	03:56:10
Start date:	31/05/2023
Path:	C:\Users\user\Desktop\Quotation Details.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Quotation Details.exe
Imagebase:	0xc40000
File size:	782336 bytes
MD5 hash:	5EC7A9D9A56FA3EB2D6F63A555969A37
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.565244380.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.565244380.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.565244380.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.565244380.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	3
Start time:	03:56:20
Start date:	31/05/2023
Path:	C:\Users\user\Desktop\Quotation Details.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Quotation Details.exe
Imagebase:	0xf50000
File size:	782336 bytes
MD5 hash:	5EC7A9D9A56FA3EB2D6F63A555969A37
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000003.578596362.0000000001511000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	03:56:22
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpE4FD.tmp
Imagebase:	0xca0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	03:56:22
Start date:	31/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	03:56:22
Start date:	31/05/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpE6C3.tmp
Imagebase:	0xca0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	03:56:22
Start date:	31/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	03:56:24
Start date:	31/05/2023
Path:	C:\Users\user\Desktop\Quotation Details.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quotation Details.exe" 0
Imagebase:	0x190000
File size:	782336 bytes
MD5 hash:	5EC7A9D9A56FA3EB2D6F63A555969A37
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	9
Start time:	03:56:24
Start date:	31/05/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Imagebase:	0xe0000
File size:	782336 bytes
MD5 hash:	5EC7A9D9A56FA3EB2D6F63A555969A37
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	10
Start time:	03:56:32
Start date:	31/05/2023
Path:	C:\Users\user\Desktop\Quotation Details.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Quotation Details.exe
Imagebase:	0x3a0000
File size:	782336 bytes
MD5 hash:	5EC7A9D9A56FA3EB2D6F63A555969A37
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	11
Start time:	03:56:32
Start date:	31/05/2023
Path:	C:\Users\user\Desktop\Quotation Details.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Quotation Details.exe
Imagebase:	0x6c0000
File size:	782336 bytes
MD5 hash:	5EC7A9D9A56FA3EB2D6F63A555969A37
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000B.00000002.623117634.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.623117634.0000000003A9F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000B.00000002.623117634.0000000003A9F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.615605121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.615605121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.615605121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000B.00000002.615605121.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.621560780.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.621560780.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000B.00000002.621560780.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	12
Start time:	03:56:33
Start date:	31/05/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0xe0000
File size:	782336 bytes
MD5 hash:	5EC7A9D9A56FA3EB2D6F63A555969A37
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	13
Start time:	03:56:33
Start date:	31/05/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x5a0000
File size:	782336 bytes
MD5 hash:	5EC7A9D9A56FA3EB2D6F63A555969A37
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.622362871.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.622362871.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.622362871.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000D.00000002.623726899.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	14
Start time:	03:56:34
Start date:	31/05/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase:	0xb90000
File size:	782336 bytes
MD5 hash:	5EC7A9D9A56FA3EB2D6F63A555969A37
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	15
Start time:	03:56:41
Start date:	31/05/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x4f0000
File size:	782336 bytes
MD5 hash:	5EC7A9D9A56FA3EB2D6F63A555969A37
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	12.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	35.2%
Total number of Nodes:	165
Total number of Limit Nodes:	3

Executed Functions

Function 077990D0 Relevance: 1.9, Strings: 1, Instructions: 662
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 077998D4

Memory Dump Source

Source File: 00000001.00000002.569582576.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7790000_Quotation Details.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 71774bbc766a09b048027395ec31f7e91008898a656c269c7b4a3684caecd726
Instruction ID: 9de06174202d6498a132291d2b26245f488fb40abcfd84bba1603aa32cee77c8
Opcode Fuzzy Hash: 71774bbc766a09b048027395ec31f7e91008898a656c269c7b4a3684caecd726
Instruction Fuzzy Hash: B16203B4A01228CFDB64DF64C854BEDBBB2FB89301F5480EAD509AB294DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0779B168 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.569582576.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7790000_Quotation Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47c896ee53749caba0835b8d1b6c4e693c2e15688345b80a74771dd71111076
Instruction ID: 2dd5d42ec0e58cb07edd267d3bce2007ae00ef5aa06cb391b770434a43dd06ce
Opcode Fuzzy Hash: d47c896ee53749caba0835b8d1b6c4e693c2e15688345b80a74771dd71111076
Instruction Fuzzy Hash: 5C328CB0B026059FDB15DBA9E490BAEB7F7AF88740F148479E4459B3A1CB34ED02CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07791698 Relevance: 1.8, APIs: 1, Instructions: 271
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0779190E

Memory Dump Source

Source File: 00000001.00000002.569582576.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7790000_Quotation Details.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 627e2631ee57052b582b1a9381cb61ba3b23e2d4450257579d9ac3622b69b6ff
Instruction ID: 9f64428f503dc8cea920dbb95272984875b9dce4159f7b58c8dfea3b888d3b18
Opcode Fuzzy Hash: 627e2631ee57052b582b1a9381cb61ba3b23e2d4450257579d9ac3622b69b6ff
Instruction Fuzzy Hash: C9A1AFB1D0125E8FDF10CFA8D8817EDBBB2BF48354F5485A9D848A7280DB748995CF91

Uniqueness

Uniqueness Score: -1.00%

Function 077916D8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0779190E

Memory Dump Source

Source File: 00000001.00000002.569582576.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7790000_Quotation Details.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 91699a219c3d2eebf867611a850aefa20e3b6497c46a58a83cb478f13f6e1694
Instruction ID: 43ce809cd5ac9869aafa81aed0b70a267e7f3f71a1f6f7621854fb1d7647bc29
Opcode Fuzzy Hash: 91699a219c3d2eebf867611a850aefa20e3b6497c46a58a83cb478f13f6e1694
Instruction Fuzzy Hash: 18916CB1D0125ACFDF14CFA8D840BEDBAB2BF48350F448569E848A7240DB749995CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02E09470 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02E096B6

Memory Dump Source

Source File: 00000001.00000002.563847429.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e00000_Quotation Details.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4af6131fbaa6b23998f13bff362e657ee5095340d2b058b10579877afe89a213
Instruction ID: 5960f147961ff4a663f2a536748ceafaa52a23d1486d36e3541279a87ee27cf3
Opcode Fuzzy Hash: 4af6131fbaa6b23998f13bff362e657ee5095340d2b058b10579877afe89a213
Instruction Fuzzy Hash: 43713770A00B058FD724DF6AD4847AABBF1BF88714F00892DD08AD7A81D734E846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02E0FDCC Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E0FEEA

Memory Dump Source

Source File: 00000001.00000002.563847429.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e00000_Quotation Details.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8d1954d26c1fe854f33b2589e0a1be2723cba251731ff05a29d84277ddbb3bb1
Instruction ID: d3511ee03c2d9567cbb415bcc9eb9037e15f5459958b28587a776b8f7b95b001
Opcode Fuzzy Hash: 8d1954d26c1fe854f33b2589e0a1be2723cba251731ff05a29d84277ddbb3bb1
Instruction Fuzzy Hash: C951B2B1D003499FDF14CF9AC884ADEBBB5FF48314F24812AE819AB250D7759986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E0E16C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E0FEEA

Memory Dump Source

Source File: 00000001.00000002.563847429.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e00000_Quotation Details.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3249bd3cebf46c1697b0ca6b1f0f1ace2590ef44781881c449e070d765a78d31
Instruction ID: 32f43e36bb1894e2e200a73d1dbf6f96fb93a4f5086244070455d1d093e56587
Opcode Fuzzy Hash: 3249bd3cebf46c1697b0ca6b1f0f1ace2590ef44781881c449e070d765a78d31
Instruction Fuzzy Hash: 6951A3B1D003099FDF14CF9AC884ADEBBB5FF48314F24812AE419AB650D7749986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E05348 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02E05401

Memory Dump Source

Source File: 00000001.00000002.563847429.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e00000_Quotation Details.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ecc40d570d2184ef977e6a6c98fa7761388068d53b24e75e8b76cd2f87fadc70
Instruction ID: bfd3ba65bdea72216ba19c9be584c98d5e047ea3f2183e092c11c8ce6d67f1f7
Opcode Fuzzy Hash: ecc40d570d2184ef977e6a6c98fa7761388068d53b24e75e8b76cd2f87fadc70
Instruction Fuzzy Hash: 2341D271C00618CBDB24CFA9C884BDDFBB5BF58309F60815AD409BB255DB75698ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E03DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02E05401

Memory Dump Source

Source File: 00000001.00000002.563847429.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e00000_Quotation Details.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 237b65430276731ead9f650d64e56ac1c37532977db0f01ac4f2f247fc813cc7
Instruction ID: 1390f9c19e00f9579ce9315429e4144073f1ef0cf776f41a923b9c5cac0f3ed2
Opcode Fuzzy Hash: 237b65430276731ead9f650d64e56ac1c37532977db0f01ac4f2f247fc813cc7
Instruction Fuzzy Hash: AC41D271C00618CBDB24DFA9C884BDEFBB5BF58309F60805AD409BB255DB756986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 077913B8 Relevance: 1.6, APIs: 1, Instructions: 78
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07791450

Memory Dump Source

Source File: 00000001.00000002.569582576.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7790000_Quotation Details.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 33ce39326f94f9ce57984397162e8e1ed0c450e48df9d4060e8f7dbd3370fd71
Instruction ID: 3276556ae643f6bbfda8f4f4c88944bce417935ef6038d4243296e09d22cab96
Opcode Fuzzy Hash: 33ce39326f94f9ce57984397162e8e1ed0c450e48df9d4060e8f7dbd3370fd71
Instruction Fuzzy Hash: 983178B19013499FCF10CFA9C8847EEBBF5EF48324F10842AE858A7240D778A941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 077913C0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07791450

Memory Dump Source

Source File: 00000001.00000002.569582576.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7790000_Quotation Details.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a581e689f9d8bb449f15f38ec3d4ea1f61b909679fa6beae4ed2041d0c3981b0
Instruction ID: d214f087f42edb44e9e537f2ed60ffe678dfc82ca622a47cd8a3b719c71d9908
Opcode Fuzzy Hash: a581e689f9d8bb449f15f38ec3d4ea1f61b909679fa6beae4ed2041d0c3981b0
Instruction Fuzzy Hash: ED213BB59003599FCF10CFA9C884BDEBBF5FF48354F50842AE918A7650D7789954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 077914D9 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07791560

Memory Dump Source

Source File: 00000001.00000002.569582576.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7790000_Quotation Details.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 38c078755d2bed40528387910db77a06b7747f886ba131206bbadf7dedf56085
Instruction ID: e4a8bc3ddd7802e613656c02bb084316e562804ff20feb1bd802c8927428337c
Opcode Fuzzy Hash: 38c078755d2bed40528387910db77a06b7747f886ba131206bbadf7dedf56085
Instruction Fuzzy Hash: F62128B1D003199FDF10DFAAC880AEEBBF5FF48320F50842AE559A7240D7789941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07790CA0 Relevance: 1.6, APIs: 1, Instructions: 66
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 07790D26

Memory Dump Source

Source File: 00000001.00000002.569582576.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7790000_Quotation Details.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: aa5ba9304461f7182602bed02414d4667914a5bb156a289a3da8ffe5911e63fd
Instruction ID: 5f020b6844b4f0685551fff83ef01e40a8f03b6b20a831e73dffc412268b14b3
Opcode Fuzzy Hash: aa5ba9304461f7182602bed02414d4667914a5bb156a289a3da8ffe5911e63fd
Instruction Fuzzy Hash: 2E214AB1D0020A9FCB10DFAAC4847EEBBF4AF58324F54842AD458A7640D778A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E0AB9C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E0B956,?,?,?,?,?), ref: 02E0BA17

Memory Dump Source

Source File: 00000001.00000002.563847429.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e00000_Quotation Details.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b9f4952d5797f473b473f9f583d1410fad3f6c27bc6f3b89c067518d4d507fdd
Instruction ID: b88ba68dfd935631ffe84cfb4d8577fc71fd00675e496d91253793fe3f9e08b3
Opcode Fuzzy Hash: b9f4952d5797f473b473f9f583d1410fad3f6c27bc6f3b89c067518d4d507fdd
Instruction Fuzzy Hash: 5321E4B5D002089FDB10CF9AD584AEEBBF8FB48324F14845AE958B7350D378A955CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02E0B988 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E0B956,?,?,?,?,?), ref: 02E0BA17

Memory Dump Source

Source File: 00000001.00000002.563847429.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e00000_Quotation Details.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e37a279000370e52f78a600f19949b1adf34f51f58c275767d255c6ba932ef07
Instruction ID: d334ffa000dc15e2ac2dbe47aeb47512368f8b2a7b5d4ba3107390c867f388d9
Opcode Fuzzy Hash: e37a279000370e52f78a600f19949b1adf34f51f58c275767d255c6ba932ef07
Instruction Fuzzy Hash: 8B21E3B59002189FDB50CF9AD584AEEBBF8FB48324F14841AE958B3350D378A955CF64

Uniqueness

Uniqueness Score: -1.00%

Function 077914E0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07791560

Memory Dump Source

Source File: 00000001.00000002.569582576.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7790000_Quotation Details.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7b4354935736d75e2065b520fffa0fa047433bae48c79669b068c2b7893d7ecd
Instruction ID: a4f99ced43972b1102880d386e4ad822fffea3cfa426590f8d42cced4b2f8075
Opcode Fuzzy Hash: 7b4354935736d75e2065b520fffa0fa047433bae48c79669b068c2b7893d7ecd
Instruction Fuzzy Hash: 2A2128B1D003199FCF10DFAAC880AEEBBF5FF48310F50842AE519A7240D7789940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07790CA8 Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 07790D26

Memory Dump Source

Source File: 00000001.00000002.569582576.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7790000_Quotation Details.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 883c4e4112c4891ec73e4ae94d25cc041a77813b2942c93cff6540080b1049f3
Instruction ID: ff8abe842e78b26a29fe943f725f0538b61fb749676268e30d41638336790629
Opcode Fuzzy Hash: 883c4e4112c4891ec73e4ae94d25cc041a77813b2942c93cff6540080b1049f3
Instruction Fuzzy Hash: 532135B1D003098FCB10DFAAC4847EEBBF4EF88364F54842AD419A7240DB78A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07791290 Relevance: 1.6, APIs: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0779133E

Memory Dump Source

Source File: 00000001.00000002.569582576.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7790000_Quotation Details.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7c8d9d092340ae8fc63c4fa65b8c9bb75629c66b850acc4049dca8e95d1c19f0
Instruction ID: 267b870199e6ab56501bb080ada0d10b31abe1c053c6a60442446b068bba6d3e
Opcode Fuzzy Hash: 7c8d9d092340ae8fc63c4fa65b8c9bb75629c66b850acc4049dca8e95d1c19f0
Instruction Fuzzy Hash: D721CFB280438A8FCF01CFA9C8403DEBFF0AF45314F24886AD595A7251C7789544CB91

Uniqueness

Uniqueness Score: -1.00%

Function 077912C9 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0779133E

Memory Dump Source

Source File: 00000001.00000002.569582576.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7790000_Quotation Details.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b97bd698b7f0742a7446f9f788d341e6798571f3d4a8288bb51b90eca76c0710
Instruction ID: 4bdd233af2fcf059d529e6cb977c7fa7dbbc9d80acd2ed99ee795b77814484f7
Opcode Fuzzy Hash: b97bd698b7f0742a7446f9f788d341e6798571f3d4a8288bb51b90eca76c0710
Instruction Fuzzy Hash: D81159729002499FCF10DFAAC8447EEBFF5EF48324F14882AE519A7650C779A950CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E089D0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E09731,00000800,00000000,00000000), ref: 02E09942

Memory Dump Source

Source File: 00000001.00000002.563847429.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e00000_Quotation Details.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: faa0d915b6e6406ac0583060b8782f9776e54b768b9922de9d836d86b67351a2
Instruction ID: d6c242e7e166992f3beb2d497f18b4c5f0d1d45fa4a63b406446226c33d44910
Opcode Fuzzy Hash: faa0d915b6e6406ac0583060b8782f9776e54b768b9922de9d836d86b67351a2
Instruction Fuzzy Hash: 3D1117B6D003498FCB10CF9AD484ADEFBF4EB58724F10842AD455A7641C374A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02E098D2 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E09731,00000800,00000000,00000000), ref: 02E09942

Memory Dump Source

Source File: 00000001.00000002.563847429.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e00000_Quotation Details.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: bb929b80a52cd490987d3683d849c16736bf210ef96462d0ba93478499523347
Instruction ID: 15967ec6430be560939e5efc53e070a4b0a4f41f893994d3db06204c94b2c0c0
Opcode Fuzzy Hash: bb929b80a52cd490987d3683d849c16736bf210ef96462d0ba93478499523347
Instruction Fuzzy Hash: AA1126B6D002498FCB10CF9AC484ADEFBF8EB58724F14851AE459A7600C378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 077912D0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0779133E

Memory Dump Source

Source File: 00000001.00000002.569582576.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7790000_Quotation Details.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 95e336e3f96f582c8bcad3f6405ffc918c90c97b6f192f085d39ff836e860808
Instruction ID: a1da3f8a89377b890a385fe1cd482cbb0f719200c69837cb0d494a9b5552ac9a
Opcode Fuzzy Hash: 95e336e3f96f582c8bcad3f6405ffc918c90c97b6f192f085d39ff836e860808
Instruction Fuzzy Hash: E9113A719002499FCF10DFAAC8446EFBFF5EF48324F148429E519A7650C779A954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07790730 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0779079A

Memory Dump Source

Source File: 00000001.00000002.569582576.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7790000_Quotation Details.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 91e10a1c99159b8526c1040253982a8fd94d6a4dd6c9c4e0da65a4294b67ae4b
Instruction ID: a5bfa46f328d1d04eb114945a11ca6cf3557bc5d115232932af8eb7dc7c98c00
Opcode Fuzzy Hash: 91e10a1c99159b8526c1040253982a8fd94d6a4dd6c9c4e0da65a4294b67ae4b
Instruction Fuzzy Hash: 55115EB59003098BCF10DFAAD4847EEFBF4EF48324F10886AD415A7640C778A541CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02E0997A Relevance: 1.6, APIs: 1, Instructions: 50libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E09731,00000800,00000000,00000000), ref: 02E09942

Memory Dump Source

Source File: 00000001.00000002.563847429.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e00000_Quotation Details.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9735cef93ae35892e7216f089029ddd69dfb4e99ec43b4aa16f890272175ba72
Instruction ID: 04d7b1a9a57a952c7f2f782cf26ff906024612bb1ebd985a145196ee324e4628
Opcode Fuzzy Hash: 9735cef93ae35892e7216f089029ddd69dfb4e99ec43b4aa16f890272175ba72
Instruction Fuzzy Hash: 0B11C476D003098FDB20CF9AD844BDABBF4EF94728F04815AE548A3652C375A545CF64

Uniqueness

Uniqueness Score: -1.00%

Function 07790738 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0779079A

Memory Dump Source

Source File: 00000001.00000002.569582576.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7790000_Quotation Details.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: efade0c193cb94fce620989450a98f2378f27ef99d9b1928173a212c82a97735
Instruction ID: f6b04464561ad8c2d38097f532777cc6f7c42d18fac93ddb55b155439fade7e0
Opcode Fuzzy Hash: efade0c193cb94fce620989450a98f2378f27ef99d9b1928173a212c82a97735
Instruction Fuzzy Hash: 131128B19003098BCF10DFAAC4447EEFBF9AB88324F14882AD419A7640C778A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0779A2B1 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0779A315

Memory Dump Source

Source File: 00000001.00000002.569582576.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7790000_Quotation Details.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 842542978ff8fd5919ab9b16160dd89c43eb3884ef118875eac82b6b98ede8df
Instruction ID: c03473a7e5cd5d7cec0f0107019301e8ba5a6d4ec4528ee38c05fa75653f2ae9
Opcode Fuzzy Hash: 842542978ff8fd5919ab9b16160dd89c43eb3884ef118875eac82b6b98ede8df
Instruction Fuzzy Hash: 8A11F5B58003599FDB10CF9AD884BDEFBF8EB48324F14841AE558A7600D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02E09650 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02E096B6

Memory Dump Source

Source File: 00000001.00000002.563847429.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e00000_Quotation Details.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 88402222a44362baddc7f6b9915525e08e48f4337cc41c7dad2598732db0c14c
Instruction ID: 785593b3a127adf28c87b09a1dd7a31cca9f82a2b7c8cd1ebd66a772d6728114
Opcode Fuzzy Hash: 88402222a44362baddc7f6b9915525e08e48f4337cc41c7dad2598732db0c14c
Instruction Fuzzy Hash: DB1116B5C002498FCB10CF9AD444ADEFBF8EF48324F10841AD419B7601D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0779A2B8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0779A315

Memory Dump Source

Source File: 00000001.00000002.569582576.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7790000_Quotation Details.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 12f29323d7725b50bc85f27d51e761766f5054c8bd4cf93a9ef5f0f22c05214a
Instruction ID: a8eb3824664dafeb777ae8c4184d66f6031d879adf78b8f439fc0ac61990bf24
Opcode Fuzzy Hash: 12f29323d7725b50bc85f27d51e761766f5054c8bd4cf93a9ef5f0f22c05214a
Instruction Fuzzy Hash: 7811E5B58003599FDB10DF9AD584BDEFBF8EB58324F14841AE558A7600D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012ED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.563619548.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12ed000_Quotation Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6246a25ca0cffe133c16705a2788bfe7ca1969e1c503a1cc93822e26b5cb1766
Instruction ID: ac36828cfddd1f71cea5428c79e620a8165792bc3d77cfaa85bb5e9581687e18
Opcode Fuzzy Hash: 6246a25ca0cffe133c16705a2788bfe7ca1969e1c503a1cc93822e26b5cb1766
Instruction Fuzzy Hash: 96216A75510248DFDB01CF88C9C4B56BFE5FB94324F60C56DE9090B206C33AE846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D7D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.563715038.0000000002D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2d7d000_Quotation Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3d1a4996e107eade4dce6456c737fa04d89ae4b52cb344973b9145a44fe7c1
Instruction ID: e9aa25963ce2d2a3d712645f4fa54c812276cc05fc67990c22f6b072793275fe
Opcode Fuzzy Hash: 1d3d1a4996e107eade4dce6456c737fa04d89ae4b52cb344973b9145a44fe7c1
Instruction Fuzzy Hash: D121D075604240DFDB15DF14D9C0B26BBA6EF84314F34C56DE84A4B346D33ED846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 02D7D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.563715038.0000000002D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2d7d000_Quotation Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8667dcfbd0c913b2887f8908a63ba8d3e0593db3a7e9e3dcbd6c7fe73b8e034
Instruction ID: 5d3731126ea0d56a6c105b9eb47d8d2f93e62edb5e0432660fb86e4a0e9063e3
Opcode Fuzzy Hash: b8667dcfbd0c913b2887f8908a63ba8d3e0593db3a7e9e3dcbd6c7fe73b8e034
Instruction Fuzzy Hash: E12195755093C08FC712CF24D590715BF72EF46214F28C5EAD8498F657D33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 012ED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.563619548.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12ed000_Quotation Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction ID: d2bb41af95c82d5557b3ba1f8f7aef02e0c3f244d477ff67bbb384c7190f33a9
Opcode Fuzzy Hash: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction Fuzzy Hash: 39110376404285DFDB12CF44D5C4B56BFB2FB94324F24C2A9D9490B617C33AE456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012ED731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.563619548.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12ed000_Quotation Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf7c363a6ccc90fc8c9d8ff60afed5f1055079e64e321136b3d3b8ba2b49578
Instruction ID: 01ee6971740434e80a8984a01ca13f8f0a9ba678bb15300f1b9b55b5cb983a5f
Opcode Fuzzy Hash: 2bf7c363a6ccc90fc8c9d8ff60afed5f1055079e64e321136b3d3b8ba2b49578
Instruction Fuzzy Hash: C50126754583C99AE7144B69CCC87A6FFD8EF85334F58C41AEE045B282D3B89844CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 012ED730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.563619548.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12ed000_Quotation Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebfe138ac7feeb93be2b8688c2e3281d5d40c1db2945175781e5ba4771228aa5
Instruction ID: 6b4cd654d5378fd96ee33f174b6b976ad751439566eb91d4ae5d576ba9a32a01
Opcode Fuzzy Hash: ebfe138ac7feeb93be2b8688c2e3281d5d40c1db2945175781e5ba4771228aa5
Instruction Fuzzy Hash: 6BF0C2724042889FE7158B1ACC88B62FFD8EB81334F18C55AEE485F286C3789844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07792248 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

Q, xrefs: 07793A93
6, xrefs: 0779236A

Memory Dump Source

Source File: 00000001.00000002.569582576.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7790000_Quotation Details.jbxd

Similarity

API ID:
String ID: 6$Q
API String ID: 0-841203956
Opcode ID: ba7e299681eeaf58fca51ed586b45f27a87fcc6cd305a7044ab202e9e8134409
Instruction ID: 9b50fcfa1c4e5559779269ab3ecfcb3a358664961b7850099468671696b8c2fe
Opcode Fuzzy Hash: ba7e299681eeaf58fca51ed586b45f27a87fcc6cd305a7044ab202e9e8134409
Instruction Fuzzy Hash: 77516DB1D05A598BEB1CDF6BDD4479EFAF3AFC9201F14C1BA840CAA255DB3046858E41

Uniqueness

Uniqueness Score: -1.00%

Function 07790DB0 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.569582576.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7790000_Quotation Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f05960683fb3b5384db9b678fa40cb332845c6f7fc92d02445f9bc977f0d95c
Instruction ID: b941b030c5905d592d20d93ab2098fe554d71e10f9a0dc123020fdc39e744571
Opcode Fuzzy Hash: 0f05960683fb3b5384db9b678fa40cb332845c6f7fc92d02445f9bc977f0d95c
Instruction Fuzzy Hash: 3FE139B4E0121ACFDB14DFA9D5949ADFBF2FB89300F248569D914AB345D730A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07790818 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.569582576.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7790000_Quotation Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b384be2f69cf19efd2bdcb4dd88078d924889053d59f2437a752ae24d8e65bf3
Instruction ID: cda1861255c9ba8c6c8ca1013bf1f49b772a6cf160c0b1152a588fe348dcfcbe
Opcode Fuzzy Hash: b384be2f69cf19efd2bdcb4dd88078d924889053d59f2437a752ae24d8e65bf3
Instruction Fuzzy Hash: B0E11AB4E1121ACFDB14DFA9D594AADFBF2FB89304F248569D904AB345C730A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02E0E650 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.563847429.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e00000_Quotation Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479633e96d85f37bb8fab056c0070ab3bee1d4d0404c76927297d8927ea58dd6
Instruction ID: b08e6f63a21eec554dbb1cb6153bb4529424f2b1335981cc5f354fda8f26a867
Opcode Fuzzy Hash: 479633e96d85f37bb8fab056c0070ab3bee1d4d0404c76927297d8927ea58dd6
Instruction Fuzzy Hash: 5812D7F16217468BEB98CF65EA9A1C93FF1B745328F904308E2611FAD9DBB4114ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 02E0C284 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.563847429.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e00000_Quotation Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781d621b6959aa7e4e7f6dd1fcb1927f0e799513f6fa84130a8315b4e293eaf1
Instruction ID: 82230189408d59a64ac4cbec99d866e78f26fed4fbb57d89586203cef8cfe610
Opcode Fuzzy Hash: 781d621b6959aa7e4e7f6dd1fcb1927f0e799513f6fa84130a8315b4e293eaf1
Instruction Fuzzy Hash: 50A18132E5020A8FCF05DFA5C8845DDBBF2FF85304B1591AAE805BB2A1DB75A956CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02E0E640 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.563847429.0000000002E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e00000_Quotation Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e15ec042c6d637934a800ff3abfd2ca23420ccafedbabddc06e8137efc27a6e1
Instruction ID: 62af8cc530d3dcb053b12cac7217c80a087922df8126cd531a9e281629a343b1
Opcode Fuzzy Hash: e15ec042c6d637934a800ff3abfd2ca23420ccafedbabddc06e8137efc27a6e1
Instruction Fuzzy Hash: B5C149F1A217468BDB98DF64EA8A1C93FB1BB85324F504308E1616FAD9DFB4144ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 077990C0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.569582576.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7790000_Quotation Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 607f8a642b9a605f74585f81da5cbaf6563a93b14141ed874ac53184398de75a
Instruction ID: e8269dc9b44204e5c1c752800a554c3f62ad85c39434fd93e3bd0ed99eef1918
Opcode Fuzzy Hash: 607f8a642b9a605f74585f81da5cbaf6563a93b14141ed874ac53184398de75a
Instruction Fuzzy Hash: F33198B1D056288BEB28CF679D153CAFAF3AFC9310F04C5EA854CAA255DB750A858F41

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Quotation Details.exePID: 2600, Parent PID: 1088COMMON

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	348
Total number of Limit Nodes:	14

Executed Functions

Function 00B69470 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B696B6

Strings

pN}, xrefs: 00B695EE
pN}, xrefs: 00B69613

Memory Dump Source

Source File: 00000008.00000002.591790075.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b60000_Quotation Details.jbxd

Similarity

API ID: HandleModule
String ID: pN}$pN}
API String ID: 4139908857-2130411268
Opcode ID: 4dd88feffb1f4809f68367c999bdec8a172fb39975222f37d7f9ae01cad4ab0f
Instruction ID: f58c80608879bcd9eb7601829f8647e99582f26e6b4145d9d65c57df5cd864f6
Opcode Fuzzy Hash: 4dd88feffb1f4809f68367c999bdec8a172fb39975222f37d7f9ae01cad4ab0f
Instruction Fuzzy Hash: 367127B0A00B058FDB64DF2AD04066ABBF5FF88314F008A69E45AD7B50DB39E9058F91

Uniqueness

Uniqueness Score: -1.00%

Function 068D1698 Relevance: 1.8, APIs: 1, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.599233223.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68d0000_Quotation Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6baca4e40bf16b47bdd3bfd2c7482fdb5c0d36eb8777461ac7e4d7e6028825a2
Instruction ID: 908d81db4ee197d1222ea374ec76c0b9f7a7ede4e416843cb3847eff4b46da9b
Opcode Fuzzy Hash: 6baca4e40bf16b47bdd3bfd2c7482fdb5c0d36eb8777461ac7e4d7e6028825a2
Instruction Fuzzy Hash: A2A17C71D00259DFDB50CFA8C8447EEBBB2BF48314F1485AAE889E7250DB749985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 068D16CD Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 068D190E

Memory Dump Source

Source File: 00000008.00000002.599233223.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68d0000_Quotation Details.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 91c5f5df820d84ec626ed018023f2bc626b28d65b3d67e79dfb1d30f98144d9f
Instruction ID: 0eee8a0dcb1cda8c02be166bfbb99c7d5bd0ebb2d900ba9a456406fe67760a1e
Opcode Fuzzy Hash: 91c5f5df820d84ec626ed018023f2bc626b28d65b3d67e79dfb1d30f98144d9f
Instruction Fuzzy Hash: 3AA16B71D00219DFDB50CFA9C885BEEBBB2BF48310F148569E849E7250DB749985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 068D16D8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 068D190E

Memory Dump Source

Source File: 00000008.00000002.599233223.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68d0000_Quotation Details.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7e1edf7c462b49b5ec8f036c9b1db765e74e0bdfe2d534f844dc97c5b389d4b6
Instruction ID: 44e5030bde71cd567fb935eacb5632b4337a25b8c13a8159d7e6090f5b0de661
Opcode Fuzzy Hash: 7e1edf7c462b49b5ec8f036c9b1db765e74e0bdfe2d534f844dc97c5b389d4b6
Instruction Fuzzy Hash: A9916971D002199FDB50CFA9C884BEEBBB2BF48310F0485A9E848E7250DB749985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B6FDCC Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B6FEEA

Memory Dump Source

Source File: 00000008.00000002.591790075.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b60000_Quotation Details.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 53410916cd1b0d635ddb2919f167b0023bbbd3cadee2244ee93819741f92591a
Instruction ID: 1eb4aea4ca3536c16458ef6dff3fa9a83cf370384e384a23ce296ac634dcbce3
Opcode Fuzzy Hash: 53410916cd1b0d635ddb2919f167b0023bbbd3cadee2244ee93819741f92591a
Instruction Fuzzy Hash: E151BDB1D002499FDB14CFAAD884ADEBBB5FF48310F24826AE419AB250D7759985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B6E16C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B6FEEA

Memory Dump Source

Source File: 00000008.00000002.591790075.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b60000_Quotation Details.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: dfb89453684c08fd0e4d244f490a74d80184dd220ab5ee5a8680c5cd948152d2
Instruction ID: 9513e549e24db36dbba5cc4133a63e4e16ef4a4d909d13d6d60f8ea9b68146ec
Opcode Fuzzy Hash: dfb89453684c08fd0e4d244f490a74d80184dd220ab5ee5a8680c5cd948152d2
Instruction Fuzzy Hash: 8751BFB1D00209DFDB14CFAAD984ADEBBF5FF48310F24816AE419AB210D7759945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B65347 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B65401

Memory Dump Source

Source File: 00000008.00000002.591790075.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b60000_Quotation Details.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 29595f289a791f519290f1872dcb24b6157381aa98c4730061113099ca1fc822
Instruction ID: 519210023f406c1a54cc420cd3db963e4cb6ba6e6b8fded59bca55364a70f827
Opcode Fuzzy Hash: 29595f289a791f519290f1872dcb24b6157381aa98c4730061113099ca1fc822
Instruction Fuzzy Hash: 0941D2B1C00618CBDB24CFA9C984B8DBBF5BF48304F2080AAD408BB255DB756986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B63DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B65401

Memory Dump Source

Source File: 00000008.00000002.591790075.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b60000_Quotation Details.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9f694bcf209dda110a3b19ba854113c3af1e40033f8f0b6ad684bb33e516f92e
Instruction ID: 97c2855d77d041670b1bf3ca1e162ca8abc42a3f1c57fe9fdcedefa0cb9a903c
Opcode Fuzzy Hash: 9f694bcf209dda110a3b19ba854113c3af1e40033f8f0b6ad684bb33e516f92e
Instruction Fuzzy Hash: 8341F371C00618CBDB24CFA9C884B9DBBF5BF48304F2480A9D408BB255DB756985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04AA2440 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04AA2501

Memory Dump Source

Source File: 00000008.00000002.596952682.0000000004AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4aa0000_Quotation Details.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 96effdaaad18957fcdd26a72c406cf9723a4fa0bc31a183bc17dc88aa7c24a5f
Instruction ID: f0f4e2cc5a699d01685eaa5eb1f8139957680394facd0aad96afb4e8eb7e73b6
Opcode Fuzzy Hash: 96effdaaad18957fcdd26a72c406cf9723a4fa0bc31a183bc17dc88aa7c24a5f
Instruction Fuzzy Hash: 6F413AB59002158FDB14CF99C488BAABBF5FF8C314F248499D519AB321D334E851CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 068D13B8 Relevance: 1.6, APIs: 1, Instructions: 74injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 068D1450

Memory Dump Source

Source File: 00000008.00000002.599233223.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68d0000_Quotation Details.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 66cac4773170050e314c4a54e6a765a2ac4d1293013adbd26849287fa92916e1
Instruction ID: 2f1ed83391bb0cc350a3a265c72f132a305f2a19ecb7e1a65180e68e0231ec0d
Opcode Fuzzy Hash: 66cac4773170050e314c4a54e6a765a2ac4d1293013adbd26849287fa92916e1
Instruction Fuzzy Hash: 332137719003599FCB50CFA9C884BEEBBF5FF48324F54842AE959A7240C778A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 068D13C0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 068D1450

Memory Dump Source

Source File: 00000008.00000002.599233223.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68d0000_Quotation Details.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e4c6c792138c1e57a66939a9dd7e7b747f526a7a293d50b2d5b124fb027621a2
Instruction ID: 7c84fe60000c1d30a0530ec057c6c9116725417b7461e1ee78708a25128c8c00
Opcode Fuzzy Hash: e4c6c792138c1e57a66939a9dd7e7b747f526a7a293d50b2d5b124fb027621a2
Instruction Fuzzy Hash: 75212675D003599FCB50CFAAC884BEEBBF5FF48324F54842AE958A7240C7789944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 068D1290 Relevance: 1.6, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 068D133E

Memory Dump Source

Source File: 00000008.00000002.599233223.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68d0000_Quotation Details.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 37d3ea607095cef54779d39f3536baafb1eec429a96f88b2dd53a67a6e659b06
Instruction ID: 31ce9278af180fcdf3be891f08dea0c3c851227829e1965fccf76543e0256430
Opcode Fuzzy Hash: 37d3ea607095cef54779d39f3536baafb1eec429a96f88b2dd53a67a6e659b06
Instruction Fuzzy Hash: B821DE719003898FDF15DFA9C8447EEBFF1EF49314F18845AE199A7251C7389501CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 068D0CA0 Relevance: 1.6, APIs: 1, Instructions: 66threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 068D0D26

Memory Dump Source

Source File: 00000008.00000002.599233223.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68d0000_Quotation Details.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 1df29f0957237ba9e3efad424248922c72ee97b48ccacdccf71298a34ba40139
Instruction ID: fbf356324b641257cecfc62ee465d8598d59fe53d5e7a3fa5443bb26f3cd8755
Opcode Fuzzy Hash: 1df29f0957237ba9e3efad424248922c72ee97b48ccacdccf71298a34ba40139
Instruction Fuzzy Hash: 23213871D002098FDB50DFAAC4847EEBBF4EF98324F54842AD559A7240CB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 068D14D9 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 068D1560

Memory Dump Source

Source File: 00000008.00000002.599233223.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68d0000_Quotation Details.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2708cc18a8837510f2c9f81003d1a52832ff8bc556d27fd4649cb24fa9727421
Instruction ID: e6c2080027f1225d74d8178d32449f73f10e2c6741fbec557904d6c2cf182288
Opcode Fuzzy Hash: 2708cc18a8837510f2c9f81003d1a52832ff8bc556d27fd4649cb24fa9727421
Instruction Fuzzy Hash: 662148B1C003099FCB10CFAAC884AEEBBF5FF48320F50842AE559A7250C7389940DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B6AB9C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B6B956,?,?,?,?,?), ref: 00B6BA17

Memory Dump Source

Source File: 00000008.00000002.591790075.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b60000_Quotation Details.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 86efe6aac8404dfb4953849165c66345f254703f010f9f4649528bd19a0b26d4
Instruction ID: 72acd8cd8d66ac5fdb2371eae62dadd95d60c871728f1ba1659328772eb3cbb8
Opcode Fuzzy Hash: 86efe6aac8404dfb4953849165c66345f254703f010f9f4649528bd19a0b26d4
Instruction Fuzzy Hash: 9C21E3B5D00218AFDB10CF9AD584AEEBBF8EB48324F14805AE954B3310D378A954DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B6B988 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B6B956,?,?,?,?,?), ref: 00B6BA17

Memory Dump Source

Source File: 00000008.00000002.591790075.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b60000_Quotation Details.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ebea2499bf7a020110424c0d16bdb741b56f2f092fb1a057d843fb6d7e257394
Instruction ID: 76daecbefaaf66d7c50c032044fa2603d846e4107f99172481b99a9bd801867c
Opcode Fuzzy Hash: ebea2499bf7a020110424c0d16bdb741b56f2f092fb1a057d843fb6d7e257394
Instruction Fuzzy Hash: CE2105B5900248DFDB10CFAAD584ADEBFF4EB48324F14805AE954A3310C378A954CF65

Uniqueness

Uniqueness Score: -1.00%

Function 068D0CA8 Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 068D0D26

Memory Dump Source

Source File: 00000008.00000002.599233223.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68d0000_Quotation Details.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 0b176940a3c85e3ed151c8ce90771cbb6371038e48154a58c87f5acb9876c936
Instruction ID: eac1b7305145f7a9b8c6b92550ba45d7ea453a2aadf1930204c0f733d0a6abf7
Opcode Fuzzy Hash: 0b176940a3c85e3ed151c8ce90771cbb6371038e48154a58c87f5acb9876c936
Instruction Fuzzy Hash: 31213571D002098FDB50DFAAC4847EEBBF4EF48324F54842AD519A7240CB78A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 068D14E0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 068D1560

Memory Dump Source

Source File: 00000008.00000002.599233223.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68d0000_Quotation Details.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c2922b58f07d978bdc45a95bcec0eb56d579955130d5173781618ec7e556c1d9
Instruction ID: 0eb9c04e726349a6cb5e616d1f8513936769170755afa3bc3ac93141512563ce
Opcode Fuzzy Hash: c2922b58f07d978bdc45a95bcec0eb56d579955130d5173781618ec7e556c1d9
Instruction Fuzzy Hash: F02137B1C003599FCF10DFAAC884AEEBBF5FF48320F50842AE559A7240C7789944DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B698D0 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B69731,00000800,00000000,00000000), ref: 00B69942

Memory Dump Source

Source File: 00000008.00000002.591790075.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b60000_Quotation Details.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 449344586558c36541533e01dcc2ac8255b6c7c2b4fd74b39268e8c70bb7ddd8
Instruction ID: 86864b2f0324a6035e897fa22ff3e4de6999a07bccd4febdae0fb8de64c04d1e
Opcode Fuzzy Hash: 449344586558c36541533e01dcc2ac8255b6c7c2b4fd74b39268e8c70bb7ddd8
Instruction Fuzzy Hash: DA2137B6C00209DFCB10CF9AD484AEEBBF8EB98324F10846ED515A7640C3799945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B689D0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B69731,00000800,00000000,00000000), ref: 00B69942

Memory Dump Source

Source File: 00000008.00000002.591790075.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b60000_Quotation Details.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 93ea9da476be6e6c4af4eae3aabd8993bf4e333a1c47433ddff306dd2ce851f2
Instruction ID: 3abcb241a1651d7a2f47900b7732ae09805e729c4156a7d76412bb5dbd31d4cb
Opcode Fuzzy Hash: 93ea9da476be6e6c4af4eae3aabd8993bf4e333a1c47433ddff306dd2ce851f2
Instruction Fuzzy Hash: BA1114B6D002499FDB10CF9AC444ADEFBF8EB58324F14846EE555B7600C378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 068D12C9 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 068D133E

Memory Dump Source

Source File: 00000008.00000002.599233223.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68d0000_Quotation Details.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 619a2a701bd4669cb4c8a11d92fa994c6a2ab400d640607aad234e1c7fb59dc4
Instruction ID: c42a75baa1797bd30f9b6d0266f42dd7ce3ebcf9c1f5c332b4e531fa6f8dc20b
Opcode Fuzzy Hash: 619a2a701bd4669cb4c8a11d92fa994c6a2ab400d640607aad234e1c7fb59dc4
Instruction Fuzzy Hash: DA118972D002499FCF14CFA9C8846EFBBF5EF48320F14841AE515A7610C7389540CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 068D12D0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 068D133E

Memory Dump Source

Source File: 00000008.00000002.599233223.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68d0000_Quotation Details.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3bed606d02252c09356f82980c6d8e92bd0abfce66ea655a4e1247f8548b3f7c
Instruction ID: 128afcaa17f5a6daa6ef4d86b8c001630a2939844ffd71a66667b0c4fc0d2852
Opcode Fuzzy Hash: 3bed606d02252c09356f82980c6d8e92bd0abfce66ea655a4e1247f8548b3f7c
Instruction Fuzzy Hash: 6E1156729002499BCB10DFAAC8446EEBBF5EF48324F14841AE515A7250C779A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 068D0730 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 068D079A

Memory Dump Source

Source File: 00000008.00000002.599233223.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68d0000_Quotation Details.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: df80bca02956449b6b88751822f4ee91ed214767feb834360d97815edc216411
Instruction ID: 4b6cdd711421af9eafe4253201c00728a6038017fea3a23976be08f84e8ad215
Opcode Fuzzy Hash: df80bca02956449b6b88751822f4ee91ed214767feb834360d97815edc216411
Instruction Fuzzy Hash: 05114971D002098BCB10DFAAC4447EFFFF8AF88324F148419D555A7240CB79A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 068DB2B8 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,068DBC89,?,?), ref: 068DBE30

Memory Dump Source

Source File: 00000008.00000002.599233223.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68d0000_Quotation Details.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 9a33fd7c32cd66854783d54112ae8cbf81620dac74cc16d153ce971dfd3b481d
Instruction ID: b9251dbf9fc971f9d39338e7f39b0d9a16a2eca21d85154fba3f88fe8bd03c0c
Opcode Fuzzy Hash: 9a33fd7c32cd66854783d54112ae8cbf81620dac74cc16d153ce971dfd3b481d
Instruction Fuzzy Hash: B31155B18002088FDB50CF9AC484BEEBBF4EB48324F14845AE958A7740D338A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 068D0738 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 068D079A

Memory Dump Source

Source File: 00000008.00000002.599233223.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68d0000_Quotation Details.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2e9b1df059179b0590c4e76e40ec45d99ae7b38032f2eb225ef66eef1da98fd2
Instruction ID: 4d4eb45a7b9e8806498c888cd2a89f41c5c99117008d64540f351d0964eb960f
Opcode Fuzzy Hash: 2e9b1df059179b0590c4e76e40ec45d99ae7b38032f2eb225ef66eef1da98fd2
Instruction Fuzzy Hash: 08113AB1D003498BCB10DFAAC4447EEFBF9EF88324F14841AD519A7240C779A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B69650 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B696B6

Memory Dump Source

Source File: 00000008.00000002.591790075.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b60000_Quotation Details.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 82f6a9def816074c51a1dd799a9bc2e0aaf1dbcbd2932d11483ce5a786e1dfad
Instruction ID: 585e50b948ce2e25ca1c7a54da11681cdfa9b585f0dc729e077e2369f398e2c2
Opcode Fuzzy Hash: 82f6a9def816074c51a1dd799a9bc2e0aaf1dbcbd2932d11483ce5a786e1dfad
Instruction Fuzzy Hash: 3D110FB6C003498FCB10CF9AC444ADEFBF8EB88324F14855AD429B7610D378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 068DA860 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 068DA8BD

Memory Dump Source

Source File: 00000008.00000002.599233223.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_68d0000_Quotation Details.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6bb8a9d081240dc76ab9176bb3aee16503b24bb370f7125a16f8f7fb97581b73
Instruction ID: 08d1692968ca2149ef9d30608c01140449e44a517f36aaf549dda043c45a850f
Opcode Fuzzy Hash: 6bb8a9d081240dc76ab9176bb3aee16503b24bb370f7125a16f8f7fb97581b73
Instruction Fuzzy Hash: 571115B5C003489FDB10CF9AC884BDEBBF8FB48324F20841AE914A3600C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0077D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.589665950.000000000077D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_77d000_Quotation Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc33de2ba6bbab79fa5420fe3af2fa413c79d17a9d1c9b36e382ad087fdc11e1
Instruction ID: 95353dc72405b784c063cdece15faa039926cb20fdb1fb358647f1c50b2de84c
Opcode Fuzzy Hash: fc33de2ba6bbab79fa5420fe3af2fa413c79d17a9d1c9b36e382ad087fdc11e1
Instruction Fuzzy Hash: 2021D1B6500284DFDF21DF54D9C0B26BB75EB94364F24C569E9090A206C33AEC46DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0077D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.589665950.000000000077D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_77d000_Quotation Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction ID: 4062ca6bcd8bffbaa23c57d33a4a53d4cdb1e153d7106762d59daa165d4501d0
Opcode Fuzzy Hash: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction Fuzzy Hash: E5119D76504280DFDF12CF14D5C4B16BF72FB94324F24C6A9DC490A616C33AE856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0077D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.589665950.000000000077D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_77d000_Quotation Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c4bcc54009c0143ee63d64f7bd4593c9084752e3ab940900f6436e10c4d61f7
Instruction ID: 7da842d135cb178b7ae82365a813327543d837b17eecc00fa2f493d09d766585
Opcode Fuzzy Hash: 3c4bcc54009c0143ee63d64f7bd4593c9084752e3ab940900f6436e10c4d61f7
Instruction Fuzzy Hash: 0C01F7714043849AEB244A29CC80766BFA8EF543B4F18C51AED485B242D27C9C40CAF1

Uniqueness

Uniqueness Score: -1.00%

Function 0077D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.589665950.000000000077D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_77d000_Quotation Details.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7a4e4e9006784e8f39ef38ed654ebe994f610dbb05afea52424563d8605349b
Instruction ID: 15ccd046f0d7bdc5f80cb67b8ab679cf2d0c4eafb0c955dab6399581721a6754
Opcode Fuzzy Hash: b7a4e4e9006784e8f39ef38ed654ebe994f610dbb05afea52424563d8605349b
Instruction Fuzzy Hash: FEF0C2724042849BEB248A1ACC84B62FFA8EF94374F18C55AED485B282C37C9C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dhcpmon.exePID: 1276, Parent PID: 1088COMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	131
Total number of Limit Nodes:	8

Executed Functions

Function 00A9B759 Relevance: 6.1, APIs: 4, Instructions: 125
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00A9B7C8
GetCurrentThread.KERNEL32 ref: 00A9B805
GetCurrentProcess.KERNEL32 ref: 00A9B842
GetCurrentThreadId.KERNEL32 ref: 00A9B89B

Memory Dump Source

Source File: 00000009.00000002.594485077.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a90000_dhcpmon.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 532c02cc1eda51497f02f5dfdcc8b238d5cf5e2a479732b4b850cadf1bda6623
Instruction ID: 78db3fae90d56a77391ef4494b9dc1d6da99646961920530a6b38ae61e2c6044
Opcode Fuzzy Hash: 532c02cc1eda51497f02f5dfdcc8b238d5cf5e2a479732b4b850cadf1bda6623
Instruction Fuzzy Hash: D95155B0E006488FDB10CFAADA88BDEBBF5BF48314F248559E409B7250D7746884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00A9B768 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00A9B7C8
GetCurrentThread.KERNEL32 ref: 00A9B805
GetCurrentProcess.KERNEL32 ref: 00A9B842
GetCurrentThreadId.KERNEL32 ref: 00A9B89B

Memory Dump Source

Source File: 00000009.00000002.594485077.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a90000_dhcpmon.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2b261293f22a44492d60ba038545f61184f309178459b08b937a5fc1af462dd0
Instruction ID: 49e991cc87998c59d1975aba0116d6caa990c8f71606ce6d3b61f5a9ba9eaa5d
Opcode Fuzzy Hash: 2b261293f22a44492d60ba038545f61184f309178459b08b937a5fc1af462dd0
Instruction Fuzzy Hash: 315144B0E006488FDB50CFAADA88BDEBBF5AF48314F208559E409A7650D7746884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00A99470 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00A996B6

Strings

pNu, xrefs: 00A99613
pNu, xrefs: 00A995EE

Memory Dump Source

Source File: 00000009.00000002.594485077.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a90000_dhcpmon.jbxd

Similarity

API ID: HandleModule
String ID: pNu$pNu
API String ID: 4139908857-1079033079
Opcode ID: f14984c27243e6b69b105dce98f132445de64a7756ecb1d82670a5e348ebe0ee
Instruction ID: c0b4b88756c95538f1b2cb5ee02813dcf395d441e545f81701598e0d5506dd9f
Opcode Fuzzy Hash: f14984c27243e6b69b105dce98f132445de64a7756ecb1d82670a5e348ebe0ee
Instruction Fuzzy Hash: 63713670A00B059FDB25CF2AD1457ABBBF1BF88314F00892DE44AD7A50DB35E849CB91

Uniqueness

Uniqueness Score: -1.00%

Function 068916CD Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0689190E

Memory Dump Source

Source File: 00000009.00000002.605135784.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6890000_dhcpmon.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f62f3f07b2732ce896fa3b4ab77664b7e628d5496df242e470263edbbcc033f3
Instruction ID: 99747290a80358c37ced70f72dcac6a860b59d96ef9b5137ca4e08d32091af92
Opcode Fuzzy Hash: f62f3f07b2732ce896fa3b4ab77664b7e628d5496df242e470263edbbcc033f3
Instruction Fuzzy Hash: 9FA16D71D0421A9FDF54CFA8C885BDEBBB2BF48310F188569E849E7240DB749985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 068916D8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0689190E

Memory Dump Source

Source File: 00000009.00000002.605135784.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6890000_dhcpmon.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 667317e3bf7b8e1a33084661e05830378dd1c9d4a6e59bc30efb68bd99858686
Instruction ID: aa422ad7139b706a0f8725aa244d575d06f2f40c8547d4a3a05f656bd59cacfa
Opcode Fuzzy Hash: 667317e3bf7b8e1a33084661e05830378dd1c9d4a6e59bc30efb68bd99858686
Instruction Fuzzy Hash: 68917D71D0421A9FDF54CFA8C884BDEBBB2BF48310F188569E849E7240DB749985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A9FDCC Relevance: 1.6, APIs: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00A9FEEA

Memory Dump Source

Source File: 00000009.00000002.594485077.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a90000_dhcpmon.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 52ce30fed23e75e163177d306fbbac5e63db9721683be9109a46dd58ae7d014e
Instruction ID: c69e4c838bf4a075660da67f13ac82eb31b4389c7162dd1741c919fa60462bb8
Opcode Fuzzy Hash: 52ce30fed23e75e163177d306fbbac5e63db9721683be9109a46dd58ae7d014e
Instruction Fuzzy Hash: 4651C0B1D003499FDF14CFAAC884ADEBBF5BF49354F24812AE819AB250D7759885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A9FDD8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00A9FEEA

Memory Dump Source

Source File: 00000009.00000002.594485077.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a90000_dhcpmon.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b2378e614260aa156675c5815225eb6b2c44c597064b3541db8ea9550d632fd6
Instruction ID: c52e9d6581b556d53c572e4559b747e625f8a759687086fcb1f89aaa93af894a
Opcode Fuzzy Hash: b2378e614260aa156675c5815225eb6b2c44c597064b3541db8ea9550d632fd6
Instruction Fuzzy Hash: F741C1B1D003099FDF14CFAAC884ADEBBF5BF48310F24812AE819AB210D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A95344 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00A95401

Memory Dump Source

Source File: 00000009.00000002.594485077.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a90000_dhcpmon.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d4d1d96d10adc8865b825899e5bcf0f8af3acfd241922517f94f0fb32586ca54
Instruction ID: 4dd521d0daad50e6e6d8b3e09383c098cf9e0e58c3d2f7a7631dccec263e6918
Opcode Fuzzy Hash: d4d1d96d10adc8865b825899e5bcf0f8af3acfd241922517f94f0fb32586ca54
Instruction Fuzzy Hash: E1412471C00618CFDB24CFA9C885BDEBBF2BF49304F208069D409AB251DB74698ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A93DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00A95401

Memory Dump Source

Source File: 00000009.00000002.594485077.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a90000_dhcpmon.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 047069976d51f9070c306c59323e9921b64ed2b89f9cecf72d2ff7ab22cb2ce5
Instruction ID: f1e96f0191f9651dbb9979682d0da2e724e969a2c19282c735ff1b41097cc22c
Opcode Fuzzy Hash: 047069976d51f9070c306c59323e9921b64ed2b89f9cecf72d2ff7ab22cb2ce5
Instruction Fuzzy Hash: E941E371D00628CBDF24DFA9C985B8EBBF6BF48304F208069D409BB251DB756989CF90

Uniqueness

Uniqueness Score: -1.00%

Function 068913B8 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06891450

Memory Dump Source

Source File: 00000009.00000002.605135784.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6890000_dhcpmon.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6f4803833e2f6da1e958086dfcbe5dea6af045eda0fcd27c570401611daddb36
Instruction ID: b7de2c820bd16e9e310ae454475ba757898884f49e1bcc0b116c4dc09388bc51
Opcode Fuzzy Hash: 6f4803833e2f6da1e958086dfcbe5dea6af045eda0fcd27c570401611daddb36
Instruction Fuzzy Hash: B12146719003199FCF10CFA9C884BEEBBF5FF48314F54842AE959A7240D778A941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 068913C0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06891450

Memory Dump Source

Source File: 00000009.00000002.605135784.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6890000_dhcpmon.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 28a6d643c56dda36adc8f828480cb665fd8bd78e7ac9a25b174ae7cb8dd4e889
Instruction ID: 5cdb0fa725e8be71752fc21a51d422b0f21a5d6db741f91e08cc45f1e614c21b
Opcode Fuzzy Hash: 28a6d643c56dda36adc8f828480cb665fd8bd78e7ac9a25b174ae7cb8dd4e889
Instruction Fuzzy Hash: 3F2126719003599FCF50CFAAC884BEEBBF5FF48314F54842AE959A7640D778A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A9B988 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A9BA17

Memory Dump Source

Source File: 00000009.00000002.594485077.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a90000_dhcpmon.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a00c1de99e6f2ee90b03020d5cb5e4b4e825a52c38078b4ec0d89ed92f6024ff
Instruction ID: b1d230acdce39e380c9bb118e4b95f22f535e1809116323d46a24c8f34ec8372
Opcode Fuzzy Hash: a00c1de99e6f2ee90b03020d5cb5e4b4e825a52c38078b4ec0d89ed92f6024ff
Instruction Fuzzy Hash: B121E6B59002499FDB10CFAAD584ADEFFF9FB48324F14801AE954A3710D378A954CF64

Uniqueness

Uniqueness Score: -1.00%

Function 06890CA0 Relevance: 1.6, APIs: 1, Instructions: 66threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 06890D26

Memory Dump Source

Source File: 00000009.00000002.605135784.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6890000_dhcpmon.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 5dfe7bec4decdae26c1bef3beae4cb0db1e097d1cb7611cfabcfe39dc6147a6a
Instruction ID: 7baa7e9684d5349b9ca8ab32a3985b95dbcae7f8cbde05c814c3e7e3d09841ee
Opcode Fuzzy Hash: 5dfe7bec4decdae26c1bef3beae4cb0db1e097d1cb7611cfabcfe39dc6147a6a
Instruction Fuzzy Hash: 2C215771D002098FCB50DFAAC4847EEBBF4EF48364F54842EE459A7340CB78A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 068914D9 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06891560

Memory Dump Source

Source File: 00000009.00000002.605135784.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6890000_dhcpmon.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d7b01ddf5b4fdc5ea852f3174dcfc68dea1704a67e1ebff77d6fc4af78b0edc6
Instruction ID: f7a743212f47d53e9434bbd162b28b17635ad2c63bbe1da8afa8fa0681468c2d
Opcode Fuzzy Hash: d7b01ddf5b4fdc5ea852f3174dcfc68dea1704a67e1ebff77d6fc4af78b0edc6
Instruction Fuzzy Hash: F02136B1C003099FCF10CFAAC884AEEBBB5FF48310F50842AE559A3650C738A941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06890CA8 Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 06890D26

Memory Dump Source

Source File: 00000009.00000002.605135784.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6890000_dhcpmon.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: f675adba14be02fd15c1e9a19b38a328854808111ad81bcba0421b5534571157
Instruction ID: 01bac576027cf59abed135701d1d00800b159085d2468a02dc1441feb1cc8906
Opcode Fuzzy Hash: f675adba14be02fd15c1e9a19b38a328854808111ad81bcba0421b5534571157
Instruction Fuzzy Hash: C4213471D002098FCB50DFAAC4847EEBBF8EF48324F54842ED519A7240DB78A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 068914E0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06891560

Memory Dump Source

Source File: 00000009.00000002.605135784.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6890000_dhcpmon.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7417c2119c2e799a78201573f3450058bf8134ef9d44c1763ad99e598f7629f8
Instruction ID: 9e9062df01b94403a343dfb47878845fbb05570176a978621459f2695fbf7315
Opcode Fuzzy Hash: 7417c2119c2e799a78201573f3450058bf8134ef9d44c1763ad99e598f7629f8
Instruction Fuzzy Hash: 3A2139B1C003599FCF10DFAAC884AEEBBF5FF48310F54842AE559A7240D7789944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A9B990 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A9BA17

Memory Dump Source

Source File: 00000009.00000002.594485077.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a90000_dhcpmon.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f63a509e293396a61181c1ee11c74854e19ab4aa54ec3cb9254b65ce72c7d586
Instruction ID: 474f10499576dbf418866049afbdc94cbc10b2cf6132dcdea31dc0f98c0d2f1e
Opcode Fuzzy Hash: f63a509e293396a61181c1ee11c74854e19ab4aa54ec3cb9254b65ce72c7d586
Instruction Fuzzy Hash: C421E2B59002089FDB10CFAAD984ADEBBF8EB48324F14801AE954A3710D378A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A989D0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A99731,00000800,00000000,00000000), ref: 00A99942

Memory Dump Source

Source File: 00000009.00000002.594485077.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a90000_dhcpmon.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 01dd49bd8c3785378c80533b09f9697b3559e135222e22dad7705fccaa0eb46b
Instruction ID: c2ac60b840a591cc0f84db1823d9ad2657de96c972b51f0d68fb30217b2be9af
Opcode Fuzzy Hash: 01dd49bd8c3785378c80533b09f9697b3559e135222e22dad7705fccaa0eb46b
Instruction Fuzzy Hash: C91114B69002499FDB10CF9AD544ADFFBF8EB58320F10842EE859A7610C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A998D4 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A99731,00000800,00000000,00000000), ref: 00A99942

Memory Dump Source

Source File: 00000009.00000002.594485077.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a90000_dhcpmon.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6df69669623c4cfde02ad9c11e5c9210d8804503f64208065a378601fc8425af
Instruction ID: 90f388170e7f87094e4f386997ba64c25f55538b1d3288f95bdab1297156ec7b
Opcode Fuzzy Hash: 6df69669623c4cfde02ad9c11e5c9210d8804503f64208065a378601fc8425af
Instruction Fuzzy Hash: 701114B69002499FDB10CF9AD484ADFFBF8EB58320F14842EE455A7610C379A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 068912C9 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0689133E

Memory Dump Source

Source File: 00000009.00000002.605135784.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6890000_dhcpmon.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: af4690231ae4d711a29f1a83ddc36668c8b5517544b322a7c1da523d092cdaae
Instruction ID: b1da025c7e0733cd3a299127253c5ab32960496cbf49458333341026afcad012
Opcode Fuzzy Hash: af4690231ae4d711a29f1a83ddc36668c8b5517544b322a7c1da523d092cdaae
Instruction Fuzzy Hash: 25116A729002499FCF10DFA9C884BEFBBF5EF48324F14841AE519A7650C779A554CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 068912D0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0689133E

Memory Dump Source

Source File: 00000009.00000002.605135784.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6890000_dhcpmon.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 50ce53e2e851032d95252cb049fd7e30f26f9b15017dea72a7cdb27bfc820525
Instruction ID: ca186f91d48aa489cdd50f1571c531b908d1fc5eb1a707172959ff73f448b857
Opcode Fuzzy Hash: 50ce53e2e851032d95252cb049fd7e30f26f9b15017dea72a7cdb27bfc820525
Instruction Fuzzy Hash: 111137729002499FCF10DFAAC844AEFBFF9EF48324F14841AE559A7650C779A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06890730 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0689079A

Memory Dump Source

Source File: 00000009.00000002.605135784.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6890000_dhcpmon.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3ce83ea124702e83d6e37826e850f2634e0ff33c09d5a2f650b5a96dba7f9bfb
Instruction ID: 1bdd078219d26d41107420a90bfd496c18919374df61e0da34214348b3717b74
Opcode Fuzzy Hash: 3ce83ea124702e83d6e37826e850f2634e0ff33c09d5a2f650b5a96dba7f9bfb
Instruction Fuzzy Hash: BD111971D002499BCB10DFAAD4487EFFBF9AF88324F148419D515A7640CB796944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06890738 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0689079A

Memory Dump Source

Source File: 00000009.00000002.605135784.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6890000_dhcpmon.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0eb7fff5e6680d1b51556ad291b8179781ae9862f7a0063a4877f43b76153514
Instruction ID: def8eaae0c9bda1a6bed34d3c4824da4077f3413ae6bf177601355615c8aae0f
Opcode Fuzzy Hash: 0eb7fff5e6680d1b51556ad291b8179781ae9862f7a0063a4877f43b76153514
Instruction Fuzzy Hash: D511F8B1D006498BCB10DFAAC4447EFBBF9AB88324F14841AD519A7640D779A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A99650 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00A996B6

Memory Dump Source

Source File: 00000009.00000002.594485077.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a90000_dhcpmon.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ca8f510ea3ff98f2ab158ff1cec65e69ade8ac7be978e7a54a2d028a9064d268
Instruction ID: 9506803251918240dc8aed3154091f114f0383a99ed5a9c920cee33a928c5037
Opcode Fuzzy Hash: ca8f510ea3ff98f2ab158ff1cec65e69ade8ac7be978e7a54a2d028a9064d268
Instruction Fuzzy Hash: F3110FB6D002498FDB10CF9AC444ADFFBF8AB88324F10841AD919B7600D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0689BDD8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0689BE30

Memory Dump Source

Source File: 00000009.00000002.605135784.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6890000_dhcpmon.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: bc75e3c917fc1a6402ac344e6325f61d93deaa9d89dadf6475bbaa1afad1c718
Instruction ID: b240f47478734f3d1937afc196fb053529cd7675feac2a00009022427c2688b9
Opcode Fuzzy Hash: bc75e3c917fc1a6402ac344e6325f61d93deaa9d89dadf6475bbaa1afad1c718
Instruction Fuzzy Hash: 681133B28002098FCB10CF9AD584BDFBBF8EB48320F14845AD958A7640D738A584CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0689A860 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0689A8BD

Memory Dump Source

Source File: 00000009.00000002.605135784.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6890000_dhcpmon.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d4d425ae9f1a5cb76abe0137ae209380bb19d33f0949a13b274d6e6deb5d62ad
Instruction ID: 9f5878de0bf638d5c37e2198d13e7df566b737d1a98d597c205787c2193f10a1
Opcode Fuzzy Hash: d4d425ae9f1a5cb76abe0137ae209380bb19d33f0949a13b274d6e6deb5d62ad
Instruction Fuzzy Hash: 2D1103B58003499FDB10CF9AD984BDFBBF8EB48324F14841AE514A3600D374A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FBFC60 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.604687887.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4fb0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5d78d1193d70965bad6ea7eea23cc1dc62410d441c3c226ba0f3dc24f4c81e
Instruction ID: e35fd49278ad8bad62544501505159daf15b8f278b80bf4de9362f7b28c47171
Opcode Fuzzy Hash: 5d5d78d1193d70965bad6ea7eea23cc1dc62410d441c3c226ba0f3dc24f4c81e
Instruction Fuzzy Hash: 2B51A371B002158FCB25DBB9CC542EE7AB2AF89354F200569C556E7381EB39AD0287F1

Uniqueness

Uniqueness Score: -1.00%

Function 04FBF258 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.604687887.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4fb0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ecdff5436cfb5f10dc18c0badaadcd2319428a99b49c7c66b89587c0976da3
Instruction ID: b0df9266afd9ee0a82e33f73605dc42f483f9b3a0cdf77f493c9ef00d1e9760d
Opcode Fuzzy Hash: 58ecdff5436cfb5f10dc18c0badaadcd2319428a99b49c7c66b89587c0976da3
Instruction Fuzzy Hash: 0A11CA39F001089BCB249E7A8C142FF7AA6EFC6760F148129E946D7345EF34A80287E1

Uniqueness

Uniqueness Score: -1.00%

Function 04FBF1F2 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.604687887.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4fb0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005b351a70b2a86a3b909622663e3e2667214b81e5175eddbe8e69c8d519cffc
Instruction ID: 51745a10d86975a5a1b07fa787d0d43d05ccf3922bfd3e55d0293b9bafbbeb2e
Opcode Fuzzy Hash: 005b351a70b2a86a3b909622663e3e2667214b81e5175eddbe8e69c8d519cffc
Instruction Fuzzy Hash: 68F01D34A45218EFCB46DFA8DC05AADBFB5EB49300F04C1AAE814D7251D7359A12DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04FBFEB8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.604687887.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4fb0000_dhcpmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e17f9bc1cfea05f9bc38168cd9fbc8b900524a3dd5014e3fd9b84b6dd4e86f
Instruction ID: 2000992eba44463a73cdf2b46ada585a38db0733e9aed394aee4c5dbaeb81bb8
Opcode Fuzzy Hash: 66e17f9bc1cfea05f9bc38168cd9fbc8b900524a3dd5014e3fd9b84b6dd4e86f
Instruction Fuzzy Hash: EFF03038E45118EFC705DFA9D8556ACBBB5EB49300F5481A9D80897341D7316D47CB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Quotation Details.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation Details.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

C:\Users\user\AppData\Local\Temp\tmpE4FD.tmp

C:\Users\user\AppData\Local\Temp\tmpE6C3.tmp

Windows Analysis Report
Quotation Details.exe