Play interactive tour

Edit tour

Analysis Report Waybill Document 22700456.pif

Overview

General Information

Sample Name:	Waybill Document 22700456.pif (renamed file extension from pif to exe)
Analysis ID:	410974
MD5:	135ab6c14011003e72cc82fabef66b83
SHA1:	cb269c2bd704562b6206a79bd25e19f0a3498cc1
SHA256:	a205490d99143217a75fab698df9a450827728eed168b9659a89218e863deabe
Tags:	NanoCorepif
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Yara detected Nanocore RAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Executable has a suspicious name (potential lure to open the executable)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses dynamic DNS services

Antivirus or Machine Learning detection for unpacked file

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Startup

System is w10x64

Waybill Document 22700456.exe (PID: 984 cmdline: 'C:\Users\user\Desktop\Waybill Document 22700456.exe' MD5: 135AB6C14011003E72CC82FABEF66B83)

Waybill Document 22700456.exe (PID: 5240 cmdline: C:\Users\user\Desktop\Waybill Document 22700456.exe MD5: 135AB6C14011003E72CC82FABEF66B83)

Waybill Document 22700456.exe (PID: 492 cmdline: C:\Users\user\Desktop\Waybill Document 22700456.exe MD5: 135AB6C14011003E72CC82FABEF66B83)

dhcpmon.exe (PID: 4700 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 135AB6C14011003E72CC82FABEF66B83)

dhcpmon.exe (PID: 1172 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 135AB6C14011003E72CC82FABEF66B83)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "219dbe8c-bf77-47e0-9661-f64e0b4e", "Group": "", "Domain1": "", "Domain2": "copieronlineph209.ddns.net", "Port": 6596, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2515, "WanTimeout": 8015, "BufferSize": "36000100", "MaxPacketSize": "0000a000", "GCThreshold": "f6ff9f00", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.917424043.0000000005C80000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000002.00000002.917424043.0000000005C80000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000004.00000002.699050992.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.699050992.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.699050992.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000003.00000002.685126012.000000000435A000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10b1d:$x1: NanoCore.ClientPluginHost 0x4333d:$x1: NanoCore.ClientPluginHost 0x10b5a:$x2: IClientNetworkHost 0x4337a:$x2: IClientNetworkHost 0x1468d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46ead:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000002.685126012.000000000435A000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.685126012.000000000435A000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10885:$a: NanoCore 0x10895:$a: NanoCore 0x10ac9:$a: NanoCore 0x10add:$a: NanoCore 0x10b1d:$a: NanoCore 0x430a5:$a: NanoCore 0x430b5:$a: NanoCore 0x432e9:$a: NanoCore 0x432fd:$a: NanoCore 0x4333d:$a: NanoCore 0x108e4:$b: ClientPlugin 0x10ae6:$b: ClientPlugin 0x10b26:$b: ClientPlugin 0x43104:$b: ClientPlugin 0x43306:$b: ClientPlugin 0x43346:$b: ClientPlugin 0x10a0b:$c: ProjectData 0x4322b:$c: ProjectData 0x11412:$d: DESCrypto 0x43c32:$d: DESCrypto 0x18dde:$e: KeepAlive
00000003.00000002.685085276.00000000042D9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x21add:$x1: NanoCore.ClientPluginHost 0x21b1a:$x2: IClientNetworkHost 0x2564d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000002.685085276.00000000042D9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.685085276.00000000042D9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x21a89:$a: NanoCore 0x21a9d:$a: NanoCore 0x21add:$a: NanoCore 0x21aa6:$b: ClientPlugin 0x21ae6:$b: ClientPlugin 0x1b36f:$c: ProjectData 0x219cb:$c: ProjectData 0x223d2:$d: DESCrypto 0x29d9e:$e: KeepAlive 0x27d8c:$g: LogClientMessage 0x1a1c5:$i: get_Connected 0x1b969:$i: get_Connected 0x23f87:$i: get_Connected 0x22708:$j: #=q 0x22738:$j: #=q 0x22754:$j: #=q 0x22784:$j: #=q 0x227a0:$j: #=q 0x227bc:$j: #=q 0x227ec:$j: #=q 0x22808:$j: #=q
00000000.00000002.651950199.0000000004129000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x21add:$x1: NanoCore.ClientPluginHost 0x21b1a:$x2: IClientNetworkHost 0x2564d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.651950199.0000000004129000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.651950199.0000000004129000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x21a89:$a: NanoCore 0x21a9d:$a: NanoCore 0x21add:$a: NanoCore 0x21aa6:$b: ClientPlugin 0x21ae6:$b: ClientPlugin 0x1b36f:$c: ProjectData 0x219cb:$c: ProjectData 0x223d2:$d: DESCrypto 0x29d9e:$e: KeepAlive 0x27d8c:$g: LogClientMessage 0x1a1c5:$i: get_Connected 0x1b969:$i: get_Connected 0x23f87:$i: get_Connected 0x22708:$j: #=q 0x22738:$j: #=q 0x22754:$j: #=q 0x22784:$j: #=q 0x227a0:$j: #=q 0x227bc:$j: #=q 0x227ec:$j: #=q 0x22808:$j: #=q
00000002.00000002.915082806.0000000004399000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000002.915082806.0000000004399000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2f25:$a: NanoCore 0x2f7e:$a: NanoCore 0x2fbb:$a: NanoCore 0x3034:$a: NanoCore 0x166df:$a: NanoCore 0x166f4:$a: NanoCore 0x16729:$a: NanoCore 0x2f1ab:$a: NanoCore 0x2f1c0:$a: NanoCore 0x2f1f5:$a: NanoCore 0x2f87:$b: ClientPlugin 0x2fc4:$b: ClientPlugin 0x38c2:$b: ClientPlugin 0x38cf:$b: ClientPlugin 0x1649b:$b: ClientPlugin 0x164b6:$b: ClientPlugin 0x164e6:$b: ClientPlugin 0x166fd:$b: ClientPlugin 0x16732:$b: ClientPlugin 0x2ef67:$b: ClientPlugin 0x2ef82:$b: ClientPlugin
00000002.00000002.917556465.0000000006480000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000002.00000002.917556465.0000000006480000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000002.00000002.917556465.0000000006480000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.651983968.00000000041AA000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10b1d:$x1: NanoCore.ClientPluginHost 0x4333d:$x1: NanoCore.ClientPluginHost 0x10b5a:$x2: IClientNetworkHost 0x4337a:$x2: IClientNetworkHost 0x1468d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46ead:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.651983968.00000000041AA000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.651983968.00000000041AA000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10885:$a: NanoCore 0x10895:$a: NanoCore 0x10ac9:$a: NanoCore 0x10add:$a: NanoCore 0x10b1d:$a: NanoCore 0x430a5:$a: NanoCore 0x430b5:$a: NanoCore 0x432e9:$a: NanoCore 0x432fd:$a: NanoCore 0x4333d:$a: NanoCore 0x108e4:$b: ClientPlugin 0x10ae6:$b: ClientPlugin 0x10b26:$b: ClientPlugin 0x43104:$b: ClientPlugin 0x43306:$b: ClientPlugin 0x43346:$b: ClientPlugin 0x10a0b:$c: ProjectData 0x4322b:$c: ProjectData 0x11412:$d: DESCrypto 0x43c32:$d: DESCrypto 0x18dde:$e: KeepAlive
00000002.00000002.913974492.0000000003351000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000002.912708984.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000002.912708984.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000002.912708984.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000004.00000002.699678398.0000000003F29000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.699678398.0000000003F29000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42f25:$a: NanoCore 0x42f7e:$a: NanoCore 0x42fbb:$a: NanoCore 0x43034:$a: NanoCore 0x566df:$a: NanoCore 0x566f4:$a: NanoCore 0x56729:$a: NanoCore 0x6f1ab:$a: NanoCore 0x6f1c0:$a: NanoCore 0x6f1f5:$a: NanoCore 0x42f87:$b: ClientPlugin 0x42fc4:$b: ClientPlugin 0x438c2:$b: ClientPlugin 0x438cf:$b: ClientPlugin 0x5649b:$b: ClientPlugin 0x564b6:$b: ClientPlugin 0x564e6:$b: ClientPlugin 0x566fd:$b: ClientPlugin 0x56732:$b: ClientPlugin 0x6ef67:$b: ClientPlugin 0x6ef82:$b: ClientPlugin
00000004.00000002.699608061.0000000002F21000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.699608061.0000000002F21000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69437:$a: NanoCore 0x69490:$a: NanoCore 0x694cd:$a: NanoCore 0x69546:$a: NanoCore 0x69499:$b: ClientPlugin 0x694d6:$b: ClientPlugin 0x69dd4:$b: ClientPlugin 0x69de1:$b: ClientPlugin 0x5f091:$e: KeepAlive 0x69921:$g: LogClientMessage 0x698a1:$i: get_Connected 0x5986d:$j: #=q 0x5989d:$j: #=q 0x598d9:$j: #=q 0x59901:$j: #=q 0x59931:$j: #=q 0x59961:$j: #=q 0x59991:$j: #=q 0x599c1:$j: #=q 0x599dd:$j: #=q 0x59a0d:$j: #=q
Process Memory Space: dhcpmon.exe PID: 1172	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x29a9:$x1: NanoCore.ClientPluginHost 0x3c0c3:$x1: NanoCore.ClientPluginHost 0x41c82:$x1: NanoCore.ClientPluginHost 0x52ae8:$x1: NanoCore.ClientPluginHost 0x883cb:$x1: NanoCore.ClientPluginHost 0x2a0a:$x2: IClientNetworkHost 0x3c0e9:$x2: IClientNetworkHost 0x41cc7:$x2: IClientNetworkHost 0x52b2d:$x2: IClientNetworkHost 0x883f1:$x2: IClientNetworkHost 0x7e0f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x15d81:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 1172	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 1172	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24ae:$a: NanoCore 0x24ca:$a: NanoCore 0x2625:$a: NanoCore 0x2634:$a: NanoCore 0x290d:$a: NanoCore 0x2939:$a: NanoCore 0x29a9:$a: NanoCore 0x123eb:$a: NanoCore 0x123fd:$a: NanoCore 0x12439:$a: NanoCore 0x2addc:$a: NanoCore 0x3bfb5:$a: NanoCore 0x3c056:$a: NanoCore 0x3c0c3:$a: NanoCore 0x3c184:$a: NanoCore 0x3d055:$a: NanoCore 0x3d0a8:$a: NanoCore 0x3d0e1:$a: NanoCore 0x3d154:$a: NanoCore 0x41bfc:$a: NanoCore 0x41c29:$a: NanoCore
Process Memory Space: Waybill Document 22700456.exe PID: 492	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10d517:$x1: NanoCore.ClientPluginHost 0x1130d6:$x1: NanoCore.ClientPluginHost 0x123f3c:$x1: NanoCore.ClientPluginHost 0x20a970:$x1: NanoCore.ClientPluginHost 0x2639af:$x1: NanoCore.ClientPluginHost 0x312d4a:$x1: NanoCore.ClientPluginHost 0x10d53d:$x2: IClientNetworkHost 0x11311b:$x2: IClientNetworkHost 0x123f81:$x2: IClientNetworkHost 0x20a9b5:$x2: IClientNetworkHost 0x2639d5:$x2: IClientNetworkHost 0x312dab:$x2: IClientNetworkHost 0x3181b0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x326122:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Waybill Document 22700456.exe PID: 492	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Waybill Document 22700456.exe PID: 492	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10d409:$a: NanoCore 0x10d4aa:$a: NanoCore 0x10d517:$a: NanoCore 0x10d5d8:$a: NanoCore 0x10e4a9:$a: NanoCore 0x10e4fc:$a: NanoCore 0x10e535:$a: NanoCore 0x10e5a8:$a: NanoCore 0x113050:$a: NanoCore 0x11307d:$a: NanoCore 0x1130d6:$a: NanoCore 0x11a8e5:$a: NanoCore 0x11a8f8:$a: NanoCore 0x11a92a:$a: NanoCore 0x123eb6:$a: NanoCore 0x123ee3:$a: NanoCore 0x123f3c:$a: NanoCore 0x12b74b:$a: NanoCore 0x12b75e:$a: NanoCore 0x12b790:$a: NanoCore 0x17543b:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 4700	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4dd2:$x1: NanoCore.ClientPluginHost 0x2389d:$x1: NanoCore.ClientPluginHost 0x52bea:$x1: NanoCore.ClientPluginHost 0x4e33:$x2: IClientNetworkHost 0x238fe:$x2: IClientNetworkHost 0x52c4b:$x2: IClientNetworkHost 0xa238:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x181aa:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x28d03:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x36c75:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x58050:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x65fa9:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 4700	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 4700	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x48d7:$a: NanoCore 0x48f3:$a: NanoCore 0x4a4e:$a: NanoCore 0x4a5d:$a: NanoCore 0x4d36:$a: NanoCore 0x4d62:$a: NanoCore 0x4dd2:$a: NanoCore 0x14814:$a: NanoCore 0x14826:$a: NanoCore 0x14862:$a: NanoCore 0x233a2:$a: NanoCore 0x233be:$a: NanoCore 0x23519:$a: NanoCore 0x23528:$a: NanoCore 0x23801:$a: NanoCore 0x2382d:$a: NanoCore 0x2389d:$a: NanoCore 0x332df:$a: NanoCore 0x332f1:$a: NanoCore 0x3332d:$a: NanoCore 0x52b4e:$a: NanoCore
Process Memory Space: Waybill Document 22700456.exe PID: 984	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x991f1:$x1: NanoCore.ClientPluginHost 0xf2aee:$x1: NanoCore.ClientPluginHost 0x11154b:$x1: NanoCore.ClientPluginHost 0x99252:$x2: IClientNetworkHost 0xf2b4f:$x2: IClientNetworkHost 0x1115ac:$x2: IClientNetworkHost 0x9e657:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xac5b0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xf7f54:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x105ec6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1169b1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x124923:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Waybill Document 22700456.exe PID: 984	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Waybill Document 22700456.exe PID: 984	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x99155:$a: NanoCore 0x99181:$a: NanoCore 0x991f1:$a: NanoCore 0xa8c1a:$a: NanoCore 0xa8c2c:$a: NanoCore 0xa8c68:$a: NanoCore 0xf25f3:$a: NanoCore 0xf260f:$a: NanoCore 0xf276a:$a: NanoCore 0xf2779:$a: NanoCore 0xf2a52:$a: NanoCore 0xf2a7e:$a: NanoCore 0xf2aee:$a: NanoCore 0x102530:$a: NanoCore 0x102542:$a: NanoCore 0x10257e:$a: NanoCore 0x111050:$a: NanoCore 0x11106c:$a: NanoCore 0x1111c7:$a: NanoCore 0x1111d6:$a: NanoCore 0x1114af:$a: NanoCore
Click to see the 37 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.Waybill Document 22700456.exe.33a4e9c.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
2.2.Waybill Document 22700456.exe.33a4e9c.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0.2.Waybill Document 22700456.exe.31cddc0.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe
4.2.dhcpmon.exe.2f89658.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
4.2.dhcpmon.exe.2f89658.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
2.2.Waybill Document 22700456.exe.5c80000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
2.2.Waybill Document 22700456.exe.5c80000.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0.2.Waybill Document 22700456.exe.31cddc0.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe
2.2.Waybill Document 22700456.exe.43a45a5.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c50:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c7d:$x2: IClientNetworkHost
2.2.Waybill Document 22700456.exe.43a45a5.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c50:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d2b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c6a:$s5: IClientLoggingHost
2.2.Waybill Document 22700456.exe.43a45a5.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.Waybill Document 22700456.exe.439ff7c.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28279:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282a6:$x2: IClientNetworkHost
2.2.Waybill Document 22700456.exe.439ff7c.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28279:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29354:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28293:$s5: IClientLoggingHost
2.2.Waybill Document 22700456.exe.439ff7c.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.dhcpmon.exe.337dd44.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe
2.2.Waybill Document 22700456.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.2.Waybill Document 22700456.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
2.2.Waybill Document 22700456.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.Waybill Document 22700456.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.dhcpmon.exe.3f6ff7c.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28279:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282a6:$x2: IClientNetworkHost
4.2.dhcpmon.exe.3f6ff7c.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28279:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29354:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28293:$s5: IClientLoggingHost
4.2.dhcpmon.exe.3f6ff7c.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.dhcpmon.exe.3f6b146.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0af:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0dc:$x2: IClientNetworkHost
4.2.dhcpmon.exe.3f6b146.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0af:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e18a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0c9:$s5: IClientLoggingHost
4.2.dhcpmon.exe.3f6b146.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.dhcpmon.exe.3f6b146.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d065:$a: NanoCore 0x2d07a:$a: NanoCore 0x2d0af:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce21:$b: ClientPlugin 0x2ce3c:$b: ClientPlugin
3.2.dhcpmon.exe.435a990.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.2.dhcpmon.exe.435a990.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42725:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x429ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x43fe6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x43fda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x44e8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ac42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x429d7:$s5: IClientLoggingHost
3.2.dhcpmon.exe.435a990.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.dhcpmon.exe.435a990.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto 0x1844e:$e: KeepAlive
4.2.dhcpmon.exe.3f6ff7c.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
4.2.dhcpmon.exe.3f6ff7c.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
4.2.dhcpmon.exe.3f6ff7c.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Waybill Document 22700456.exe.41aa990.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Waybill Document 22700456.exe.41aa990.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.Waybill Document 22700456.exe.41aa990.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Waybill Document 22700456.exe.41aa990.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
2.2.Waybill Document 22700456.exe.6480000.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
2.2.Waybill Document 22700456.exe.6480000.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
2.2.Waybill Document 22700456.exe.6480000.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.dhcpmon.exe.337dd44.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe
2.2.Waybill Document 22700456.exe.439ff7c.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
2.2.Waybill Document 22700456.exe.439ff7c.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
2.2.Waybill Document 22700456.exe.439ff7c.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Waybill Document 22700456.exe.41aa990.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Waybill Document 22700456.exe.41aa990.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42725:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x429ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x43fe6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x43fda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x44e8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ac42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x429d7:$s5: IClientLoggingHost
0.2.Waybill Document 22700456.exe.41aa990.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Waybill Document 22700456.exe.41aa990.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto 0x1844e:$e: KeepAlive
2.2.Waybill Document 22700456.exe.6484629.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
2.2.Waybill Document 22700456.exe.6484629.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
2.2.Waybill Document 22700456.exe.6484629.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
2.2.Waybill Document 22700456.exe.439b146.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0af:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0dc:$x2: IClientNetworkHost
2.2.Waybill Document 22700456.exe.439b146.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0af:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e18a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0c9:$s5: IClientLoggingHost
2.2.Waybill Document 22700456.exe.439b146.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.Waybill Document 22700456.exe.439b146.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d065:$a: NanoCore 0x2d07a:$a: NanoCore 0x2d0af:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce21:$b: ClientPlugin 0x2ce3c:$b: ClientPlugin
4.2.dhcpmon.exe.3f745a5.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c50:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c7d:$x2: IClientNetworkHost
4.2.dhcpmon.exe.3f745a5.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c50:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d2b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c6a:$s5: IClientLoggingHost
4.2.dhcpmon.exe.3f745a5.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.dhcpmon.exe.435a990.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.2.dhcpmon.exe.435a990.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
3.2.dhcpmon.exe.435a990.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.dhcpmon.exe.435a990.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
2.2.Waybill Document 22700456.exe.6480000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
2.2.Waybill Document 22700456.exe.6480000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
2.2.Waybill Document 22700456.exe.6480000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Waybill Document 22700456.exe.4129530.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215ad:$x1: NanoCore.ClientPluginHost 0x215ea:$x2: IClientNetworkHost 0x2511d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Waybill Document 22700456.exe.4129530.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x215ad:$x2: NanoCore.ClientPluginHost 0x22be6:$s1: PluginCommand 0x22bda:$s2: FileCommand 0x23a8b:$s3: PipeExists 0x29842:$s4: PipeCreated 0x215d7:$s5: IClientLoggingHost
0.2.Waybill Document 22700456.exe.4129530.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Waybill Document 22700456.exe.4129530.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x21559:$a: NanoCore 0x2156d:$a: NanoCore 0x215ad:$a: NanoCore 0x21576:$b: ClientPlugin 0x215b6:$b: ClientPlugin 0x1ae3f:$c: ProjectData 0x2149b:$c: ProjectData 0x21ea2:$d: DESCrypto 0x2986e:$e: KeepAlive 0x2785c:$g: LogClientMessage 0x19c95:$i: get_Connected 0x1b439:$i: get_Connected 0x23a57:$i: get_Connected 0x221d8:$j: #=q 0x22208:$j: #=q 0x22224:$j: #=q 0x22254:$j: #=q 0x22270:$j: #=q 0x2228c:$j: #=q 0x222bc:$j: #=q 0x222d8:$j: #=q
3.2.dhcpmon.exe.42d9530.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215ad:$x1: NanoCore.ClientPluginHost 0x215ea:$x2: IClientNetworkHost 0x2511d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.2.dhcpmon.exe.42d9530.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x215ad:$x2: NanoCore.ClientPluginHost 0x22be6:$s1: PluginCommand 0x22bda:$s2: FileCommand 0x23a8b:$s3: PipeExists 0x29842:$s4: PipeCreated 0x215d7:$s5: IClientLoggingHost
3.2.dhcpmon.exe.42d9530.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.dhcpmon.exe.42d9530.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x21559:$a: NanoCore 0x2156d:$a: NanoCore 0x215ad:$a: NanoCore 0x21576:$b: ClientPlugin 0x215b6:$b: ClientPlugin 0x1ae3f:$c: ProjectData 0x2149b:$c: ProjectData 0x21ea2:$d: DESCrypto 0x2986e:$e: KeepAlive 0x2785c:$g: LogClientMessage 0x19c95:$i: get_Connected 0x1b439:$i: get_Connected 0x23a57:$i: get_Connected 0x221d8:$j: #=q 0x22208:$j: #=q 0x22224:$j: #=q 0x22254:$j: #=q 0x22270:$j: #=q 0x2228c:$j: #=q 0x222bc:$j: #=q 0x222d8:$j: #=q
Click to see the 72 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Waybill Document 22700456.exe, ProcessId: 492, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000002.00000002.915082806.0000000004399000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "219dbe8c-bf77-47e0-9661-f64e0b4e", "Group": "", "Domain1": "", "Domain2": "copieronlineph209.ddns.net", "Port": 6596, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2515, "WanTimeout": 8015, "BufferSize": "36000100", "MaxPacketSize": "0000a000", "GCThreshold": "f6ff9f00", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for submitted file

Show sources

Source: Waybill Document 22700456.exe

Virustotal: Detection: 27%

Perma Link

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.699050992.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.685126012.000000000435A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.685085276.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.651950199.0000000004129000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.915082806.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.917556465.0000000006480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.651983968.00000000041AA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.913974492.0000000003351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.912708984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.699678398.0000000003F29000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.699608061.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1172, type: MEMORY
Source: Yara match	File source: Process Memory Space: Waybill Document 22700456.exe PID: 492, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4700, type: MEMORY
Source: Yara match	File source: Process Memory Space: Waybill Document 22700456.exe PID: 984, type: MEMORY
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.43a45a5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.439ff7c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dhcpmon.exe.3f6ff7c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dhcpmon.exe.3f6b146.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.dhcpmon.exe.435a990.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dhcpmon.exe.3f6ff7c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Waybill Document 22700456.exe.41aa990.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.6480000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.439ff7c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Waybill Document 22700456.exe.41aa990.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.6484629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.439b146.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dhcpmon.exe.3f745a5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.dhcpmon.exe.435a990.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.6480000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Waybill Document 22700456.exe.4129530.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.dhcpmon.exe.42d9530.4.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Waybill Document 22700456.exe

Joe Sandbox ML: detected

Source: 2.2.Waybill Document 22700456.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.Waybill Document 22700456.exe.6480000.10.unpack	Avira: Label: TR/NanoCore.fadte

Source: Waybill Document 22700456.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown	HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.4:49699 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.4:49714 version: TLS 1.0

Source: Waybill Document 22700456.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\AMD RYZEN 3\Desktop\calmclientandserver\obj\Debug\IsolatedStorage.pdb source: Waybill Document 22700456.exe, 00000000.00000002.651950199.0000000004129000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.685085276.00000000042D9000.00000004.00000001.sdmp
Source:	Binary string: b.pdbl source: Waybill Document 22700456.exe, 00000002.00000002.913159154.00000000014F2000.00000004.00000020.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: copieronlineph209.ddns.net

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: copieronlineph209.ddns.net

Source: global traffic

TCP traffic: 192.168.2.4:49706 -> 79.134.225.7:6596

Source: global traffic	HTTP traffic detected: GET /attachments/809311531652087809/839856358152208434/May_Blessing.exe HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /attachments/809311531652087809/839856358152208434/May_Blessing.exe HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 162.159.129.233 162.159.129.233
Source: Joe Sandbox View	IP Address: 162.159.129.233 162.159.129.233
Source: Joe Sandbox View	IP Address: 162.159.135.233 162.159.135.233
Source: Joe Sandbox View	IP Address: 162.159.135.233 162.159.135.233

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.4:49699 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.4:49714 version: TLS 1.0

Source: global traffic	HTTP traffic detected: GET /attachments/809311531652087809/839856358152208434/May_Blessing.exe HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /attachments/809311531652087809/839856358152208434/May_Blessing.exe HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Source: Waybill Document 22700456.exe, 00000000.00000002.651854440.000000000316D000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.684991565.000000000331D000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
Source: Waybill Document 22700456.exe, 00000000.00000002.651854440.000000000316D000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.684991565.000000000331D000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.discordapp.com
Source: dhcpmon.exe, Waybill Document 22700456.exe	String found in binary or memory: http://cdn.discordapp.com/attachments/809311531652087809/839856358152208434/May_Blessing.exe
Source: Waybill Document 22700456.exe, 00000000.00000002.651897934.00000000031B2000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.discordapp.com4Rk
Source: dhcpmon.exe, 00000003.00000002.685028073.0000000003362000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.discordapp.com4RkT~7
Source: Waybill Document 22700456.exe, 00000000.00000002.651854440.000000000316D000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.684991565.000000000331D000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
Source: Waybill Document 22700456.exe, 00000000.00000002.651854440.000000000316D000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.684991565.000000000331D000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: Waybill Document 22700456.exe, 00000000.00000002.651854440.000000000316D000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.684991565.000000000331D000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0
Source: Waybill Document 22700456.exe, 00000000.00000002.651854440.000000000316D000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.684991565.000000000331D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Waybill Document 22700456.exe, 00000000.00000002.651854440.000000000316D000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.684991565.000000000331D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: Waybill Document 22700456.exe, 00000000.00000002.651805678.000000000310C000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.684939889.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Waybill Document 22700456.exe, 00000000.00000002.651854440.000000000316D000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.684991565.000000000331D000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/CPS0v
Source: Waybill Document 22700456.exe, 00000000.00000002.651805678.000000000310C000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.684939889.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com
Source: Waybill Document 22700456.exe, 00000000.00000002.651854440.000000000316D000.00000004.00000001.sdmp, Waybill Document 22700456.exe, 00000000.00000002.651904169.00000000031C6000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.684991565.000000000331D000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.685035879.0000000003376000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/809311531652087809/839856358152208434/May_Blessing.exe
Source: dhcpmon.exe	String found in binary or memory: https://cdn.discordapp.com/attachments/841595401253158954/841595626680221726/asd
Source: Waybill Document 22700456.exe	String found in binary or memory: https://cdn.discordapp.com/attachments/841595401253158954/841595626680221726/asd;IsolatedStorage.pac
Source: Waybill Document 22700456.exe, 00000000.00000002.651805678.000000000310C000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.684939889.00000000032BC000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com4Rk
Source: Waybill Document 22700456.exe, 00000000.00000002.651882681.000000000318E000.00000004.00000001.sdmp, Waybill Document 22700456.exe, 00000000.00000002.651854440.000000000316D000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.685010233.000000000333E000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.684991565.000000000331D000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: Waybill Document 22700456.exe, 00000000.00000002.651854440.000000000316D000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.684991565.000000000331D000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: Waybill Document 22700456.exe, 00000002.00000002.915082806.0000000004399000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.699050992.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.685126012.000000000435A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.685085276.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.651950199.0000000004129000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.915082806.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.917556465.0000000006480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.651983968.00000000041AA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.913974492.0000000003351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.912708984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.699678398.0000000003F29000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.699608061.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1172, type: MEMORY
Source: Yara match	File source: Process Memory Space: Waybill Document 22700456.exe PID: 492, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4700, type: MEMORY
Source: Yara match	File source: Process Memory Space: Waybill Document 22700456.exe PID: 984, type: MEMORY
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.43a45a5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.439ff7c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dhcpmon.exe.3f6ff7c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dhcpmon.exe.3f6b146.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.dhcpmon.exe.435a990.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dhcpmon.exe.3f6ff7c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Waybill Document 22700456.exe.41aa990.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.6480000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.439ff7c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Waybill Document 22700456.exe.41aa990.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.6484629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.439b146.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dhcpmon.exe.3f745a5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.dhcpmon.exe.435a990.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.6480000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Waybill Document 22700456.exe.4129530.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.dhcpmon.exe.42d9530.4.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000002.00000002.917424043.0000000005C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.699050992.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.699050992.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.685126012.000000000435A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.685126012.000000000435A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.685085276.00000000042D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.685085276.00000000042D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.651950199.0000000004129000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.651950199.0000000004129000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.915082806.0000000004399000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.917556465.0000000006480000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.651983968.00000000041AA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.651983968.00000000041AA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.912708984.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.912708984.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.699678398.0000000003F29000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.699608061.0000000002F21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 1172, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 1172, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Waybill Document 22700456.exe PID: 492, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Waybill Document 22700456.exe PID: 492, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 4700, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 4700, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Waybill Document 22700456.exe PID: 984, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Waybill Document 22700456.exe PID: 984, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Waybill Document 22700456.exe.33a4e9c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.dhcpmon.exe.2f89658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Waybill Document 22700456.exe.5c80000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Waybill Document 22700456.exe.43a45a5.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Waybill Document 22700456.exe.439ff7c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Waybill Document 22700456.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Waybill Document 22700456.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.dhcpmon.exe.3f6ff7c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.dhcpmon.exe.3f6b146.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.dhcpmon.exe.3f6b146.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.dhcpmon.exe.435a990.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.dhcpmon.exe.435a990.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.dhcpmon.exe.3f6ff7c.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Waybill Document 22700456.exe.41aa990.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Waybill Document 22700456.exe.41aa990.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Waybill Document 22700456.exe.6480000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Waybill Document 22700456.exe.439ff7c.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Waybill Document 22700456.exe.41aa990.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Waybill Document 22700456.exe.41aa990.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Waybill Document 22700456.exe.6484629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Waybill Document 22700456.exe.439b146.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Waybill Document 22700456.exe.439b146.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.dhcpmon.exe.3f745a5.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.dhcpmon.exe.435a990.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.dhcpmon.exe.435a990.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Waybill Document 22700456.exe.6480000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Waybill Document 22700456.exe.4129530.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Waybill Document 22700456.exe.4129530.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.dhcpmon.exe.42d9530.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.dhcpmon.exe.42d9530.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: Waybill Document 22700456.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample	Static PE information: Filename: Waybill Document 22700456.exe
Source: initial sample	Static PE information: Filename: Waybill Document 22700456.exe

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Code function: 0_2_02F82158	0_2_02F82158
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Code function: 0_2_02F82156	0_2_02F82156
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Code function: 2_2_0325E471	2_2_0325E471
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Code function: 2_2_0325E480	2_2_0325E480
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Code function: 2_2_0325BBD4	2_2_0325BBD4
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Code function: 2_2_06870040	2_2_06870040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 3_2_01922157	3_2_01922157
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 3_2_01920631	3_2_01920631
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_0152E471	4_2_0152E471
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_0152E480	4_2_0152E480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_0152BBD4	4_2_0152BBD4

Source: Waybill Document 22700456.exe, 00000000.00000002.652807578.0000000006260000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Waybill Document 22700456.exe
Source: Waybill Document 22700456.exe, 00000000.00000000.645897352.0000000000C88000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamenaolog.exeP vs Waybill Document 22700456.exe
Source: Waybill Document 22700456.exe, 00000000.00000002.651950199.0000000004129000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIsolatedStorage.dll@ vs Waybill Document 22700456.exe
Source: Waybill Document 22700456.exe, 00000001.00000000.649985671.0000000000118000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamenaolog.exeP vs Waybill Document 22700456.exe
Source: Waybill Document 22700456.exe, 00000002.00000002.918001731.0000000007100000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Waybill Document 22700456.exe
Source: Waybill Document 22700456.exe, 00000002.00000002.912802127.0000000000F38000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamenaolog.exeP vs Waybill Document 22700456.exe
Source: Waybill Document 22700456.exe, 00000002.00000002.915082806.0000000004399000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Waybill Document 22700456.exe
Source: Waybill Document 22700456.exe, 00000002.00000002.915082806.0000000004399000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Waybill Document 22700456.exe
Source: Waybill Document 22700456.exe, 00000002.00000002.915082806.0000000004399000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Waybill Document 22700456.exe
Source: Waybill Document 22700456.exe, 00000002.00000002.917461983.0000000006390000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Waybill Document 22700456.exe
Source: Waybill Document 22700456.exe	Binary or memory string: OriginalFilenamenaolog.exeP vs Waybill Document 22700456.exe

Source: Waybill Document 22700456.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000002.00000002.917424043.0000000005C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.917424043.0000000005C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.699050992.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.699050992.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.685126012.000000000435A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.685126012.000000000435A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.685085276.00000000042D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.685085276.00000000042D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.651950199.0000000004129000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.651950199.0000000004129000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.915082806.0000000004399000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.917556465.0000000006480000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.917556465.0000000006480000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.651983968.00000000041AA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.651983968.00000000041AA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.912708984.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.912708984.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.699678398.0000000003F29000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.699608061.0000000002F21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 1172, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 1172, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Waybill Document 22700456.exe PID: 492, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Waybill Document 22700456.exe PID: 492, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 4700, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 4700, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Waybill Document 22700456.exe PID: 984, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Waybill Document 22700456.exe PID: 984, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.Waybill Document 22700456.exe.33a4e9c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Waybill Document 22700456.exe.33a4e9c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Waybill Document 22700456.exe.31cddc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.dhcpmon.exe.2f89658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.dhcpmon.exe.2f89658.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Waybill Document 22700456.exe.5c80000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Waybill Document 22700456.exe.5c80000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Waybill Document 22700456.exe.31cddc0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Waybill Document 22700456.exe.43a45a5.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Waybill Document 22700456.exe.43a45a5.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Waybill Document 22700456.exe.439ff7c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Waybill Document 22700456.exe.439ff7c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.dhcpmon.exe.337dd44.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Waybill Document 22700456.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Waybill Document 22700456.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Waybill Document 22700456.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.dhcpmon.exe.3f6ff7c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.dhcpmon.exe.3f6ff7c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.dhcpmon.exe.3f6b146.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.dhcpmon.exe.3f6b146.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.dhcpmon.exe.3f6b146.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.dhcpmon.exe.435a990.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.dhcpmon.exe.435a990.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.dhcpmon.exe.435a990.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.dhcpmon.exe.3f6ff7c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.dhcpmon.exe.3f6ff7c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Waybill Document 22700456.exe.41aa990.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Waybill Document 22700456.exe.41aa990.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Waybill Document 22700456.exe.41aa990.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.Waybill Document 22700456.exe.6480000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Waybill Document 22700456.exe.6480000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.dhcpmon.exe.337dd44.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Waybill Document 22700456.exe.439ff7c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Waybill Document 22700456.exe.439ff7c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Waybill Document 22700456.exe.41aa990.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Waybill Document 22700456.exe.41aa990.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Waybill Document 22700456.exe.41aa990.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.Waybill Document 22700456.exe.6484629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Waybill Document 22700456.exe.6484629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.Waybill Document 22700456.exe.439b146.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Waybill Document 22700456.exe.439b146.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Waybill Document 22700456.exe.439b146.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.dhcpmon.exe.3f745a5.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.dhcpmon.exe.3f745a5.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.dhcpmon.exe.435a990.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.dhcpmon.exe.435a990.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.dhcpmon.exe.435a990.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.Waybill Document 22700456.exe.6480000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Waybill Document 22700456.exe.6480000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Waybill Document 22700456.exe.4129530.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Waybill Document 22700456.exe.4129530.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Waybill Document 22700456.exe.4129530.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.dhcpmon.exe.42d9530.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.dhcpmon.exe.42d9530.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.dhcpmon.exe.42d9530.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: 2.2.Waybill Document 22700456.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.Waybill Document 22700456.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.Waybill Document 22700456.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 2.2.Waybill Document 22700456.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.Waybill Document 22700456.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/5@28/4

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Waybill Document 22700456.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\{219dbe8c-bf77-47e0-9661-f64e0b4e549c}

Source: Waybill Document 22700456.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Waybill Document 22700456.exe

Virustotal: Detection: 27%

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe

File read: C:\Users\user\Desktop\Waybill Document 22700456.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Waybill Document 22700456.exe 'C:\Users\user\Desktop\Waybill Document 22700456.exe'
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process created: C:\Users\user\Desktop\Waybill Document 22700456.exe C:\Users\user\Desktop\Waybill Document 22700456.exe
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process created: C:\Users\user\Desktop\Waybill Document 22700456.exe C:\Users\user\Desktop\Waybill Document 22700456.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process created: C:\Users\user\Desktop\Waybill Document 22700456.exe C:\Users\user\Desktop\Waybill Document 22700456.exe	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process created: C:\Users\user\Desktop\Waybill Document 22700456.exe C:\Users\user\Desktop\Waybill Document 22700456.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Waybill Document 22700456.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Waybill Document 22700456.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\AMD RYZEN 3\Desktop\calmclientandserver\obj\Debug\IsolatedStorage.pdb source: Waybill Document 22700456.exe, 00000000.00000002.651950199.0000000004129000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.685085276.00000000042D9000.00000004.00000001.sdmp
Source:	Binary string: b.pdbl source: Waybill Document 22700456.exe, 00000002.00000002.913159154.00000000014F2000.00000004.00000020.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 2.2.Waybill Document 22700456.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Waybill Document 22700456.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: 2.2.Waybill Document 22700456.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 2.2.Waybill Document 22700456.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe

File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe

File opened: C:\Users\user\Desktop\Waybill Document 22700456.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Window / User API: threadDelayed 1874	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Window / User API: threadDelayed 7633	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Window / User API: foregroundWindowGot 941	Jump to behavior

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe TID: 4788	Thread sleep count: 95 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe TID: 4788	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe TID: 2804	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe TID: 5696	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe TID: 5752	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5664	Thread sleep count: 348 > 30	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5664	Thread sleep count: 73 > 30	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6120	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6096	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Waybill Document 22700456.exe, 00000002.00000002.913276458.000000000157E000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQh9=
Source: Waybill Document 22700456.exe, 00000000.00000002.652807578.0000000006260000.00000002.00000001.sdmp, Waybill Document 22700456.exe, 00000002.00000002.918001731.0000000007100000.00000002.00000001.sdmp, dhcpmon.exe, 00000003.00000002.685932190.0000000006570000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Waybill Document 22700456.exe, 00000000.00000002.652807578.0000000006260000.00000002.00000001.sdmp, Waybill Document 22700456.exe, 00000002.00000002.918001731.0000000007100000.00000002.00000001.sdmp, dhcpmon.exe, 00000003.00000002.685932190.0000000006570000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Waybill Document 22700456.exe, 00000000.00000002.652807578.0000000006260000.00000002.00000001.sdmp, Waybill Document 22700456.exe, 00000002.00000002.918001731.0000000007100000.00000002.00000001.sdmp, dhcpmon.exe, 00000003.00000002.685932190.0000000006570000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Waybill Document 22700456.exe, 00000000.00000002.652807578.0000000006260000.00000002.00000001.sdmp, Waybill Document 22700456.exe, 00000002.00000002.918001731.0000000007100000.00000002.00000001.sdmp, dhcpmon.exe, 00000003.00000002.685932190.0000000006570000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Memory written: C:\Users\user\Desktop\Waybill Document 22700456.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process created: C:\Users\user\Desktop\Waybill Document 22700456.exe C:\Users\user\Desktop\Waybill Document 22700456.exe	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Process created: C:\Users\user\Desktop\Waybill Document 22700456.exe C:\Users\user\Desktop\Waybill Document 22700456.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior

Source: Waybill Document 22700456.exe, 00000002.00000002.914304387.000000000361C000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: Waybill Document 22700456.exe, 00000002.00000002.913444817.0000000001C00000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Waybill Document 22700456.exe, 00000002.00000002.913444817.0000000001C00000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Waybill Document 22700456.exe, 00000002.00000002.913444817.0000000001C00000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Queries volume information: C:\Users\user\Desktop\Waybill Document 22700456.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Queries volume information: C:\Users\user\Desktop\Waybill Document 22700456.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Waybill Document 22700456.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Waybill Document 22700456.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.699050992.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.685126012.000000000435A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.685085276.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.651950199.0000000004129000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.915082806.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.917556465.0000000006480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.651983968.00000000041AA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.913974492.0000000003351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.912708984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.699678398.0000000003F29000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.699608061.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1172, type: MEMORY
Source: Yara match	File source: Process Memory Space: Waybill Document 22700456.exe PID: 492, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4700, type: MEMORY
Source: Yara match	File source: Process Memory Space: Waybill Document 22700456.exe PID: 984, type: MEMORY
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.43a45a5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.439ff7c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dhcpmon.exe.3f6ff7c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dhcpmon.exe.3f6b146.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.dhcpmon.exe.435a990.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dhcpmon.exe.3f6ff7c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Waybill Document 22700456.exe.41aa990.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.6480000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.439ff7c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Waybill Document 22700456.exe.41aa990.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.6484629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.439b146.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dhcpmon.exe.3f745a5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.dhcpmon.exe.435a990.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.6480000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Waybill Document 22700456.exe.4129530.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.dhcpmon.exe.42d9530.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: Waybill Document 22700456.exe, 00000000.00000002.651950199.0000000004129000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Waybill Document 22700456.exe, 00000002.00000002.915082806.0000000004399000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Waybill Document 22700456.exe, 00000002.00000002.915082806.0000000004399000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000003.00000002.685126012.000000000435A000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000004.00000002.699050992.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000004.00000002.699678398.0000000003F29000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.699050992.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.685126012.000000000435A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.685085276.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.651950199.0000000004129000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.915082806.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.917556465.0000000006480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.651983968.00000000041AA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.913974492.0000000003351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.912708984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.699678398.0000000003F29000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.699608061.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1172, type: MEMORY
Source: Yara match	File source: Process Memory Space: Waybill Document 22700456.exe PID: 492, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4700, type: MEMORY
Source: Yara match	File source: Process Memory Space: Waybill Document 22700456.exe PID: 984, type: MEMORY
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.43a45a5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.439ff7c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dhcpmon.exe.3f6ff7c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dhcpmon.exe.3f6b146.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.dhcpmon.exe.435a990.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dhcpmon.exe.3f6ff7c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Waybill Document 22700456.exe.41aa990.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.6480000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.439ff7c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Waybill Document 22700456.exe.41aa990.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.6484629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.439b146.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.dhcpmon.exe.3f745a5.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.dhcpmon.exe.435a990.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Waybill Document 22700456.exe.6480000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Waybill Document 22700456.exe.4129530.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.dhcpmon.exe.42d9530.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection112	Masquerading2	Input Capture11	Security Software Discovery1	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Ingress Tool Transfer1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol23	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing11	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
Waybill Document 22700456.exe	27%	Virustotal	Browse
Waybill Document 22700456.exe	9%	ReversingLabs
Waybill Document 22700456.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	9%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.Waybill Document 22700456.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.2.dhcpmon.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
2.2.Waybill Document 22700456.exe.6480000.10.unpack	100%	Avira	TR/NanoCore.fadte	Download File

Domains

Source	Detection	Scanner	Label	Link
copieronlineph209.ddns.net	5%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
	0%	Avira URL Cloud	safe
https://cdn.discordapp.com4Rk	0%	Avira URL Cloud	safe
http://cdn.discordapp.com4RkT~7	0%	Avira URL Cloud	safe
copieronlineph209.ddns.net	0%	Avira URL Cloud	safe
http://cdn.discordapp.com4Rk	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cdn.discordapp.com	162.159.133.233	true	false		high
copieronlineph209.ddns.net	79.134.225.7	true	true	5%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
copieronlineph209.ddns.net	true	Avira URL Cloud: safe	unknown
http://cdn.discordapp.com/attachments/809311531652087809/839856358152208434/May_Blessing.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://cdn.discordapp.com4Rk	Waybill Document 22700456.exe, 00000000.00000002.651805678.000000000310C000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.684939889.00000000032BC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/attachments/809311531652087809/839856358152208434/May_Blessing.exe	Waybill Document 22700456.exe, 00000000.00000002.651854440.000000000316D000.00000004.00000001.sdmp, Waybill Document 22700456.exe, 00000000.00000002.651904169.00000000031C6000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.684991565.000000000331D000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.685035879.0000000003376000.00000004.00000001.sdmp	false		high
http://cdn.discordapp.com4RkT~7	dhcpmon.exe, 00000003.00000002.685028073.0000000003362000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://cdn.discordapp.com	Waybill Document 22700456.exe, 00000000.00000002.651805678.000000000310C000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.684939889.00000000032BC000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/841595401253158954/841595626680221726/asd;IsolatedStorage.pac	Waybill Document 22700456.exe	false		high
http://cdn.discordapp.com4Rk	Waybill Document 22700456.exe, 00000000.00000002.651897934.00000000031B2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Waybill Document 22700456.exe, 00000000.00000002.651805678.000000000310C000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.684939889.00000000032BC000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/841595401253158954/841595626680221726/asd	dhcpmon.exe	false		high
http://cdn.discordapp.com	Waybill Document 22700456.exe, 00000000.00000002.651854440.000000000316D000.00000004.00000001.sdmp, dhcpmon.exe, 00000003.00000002.684991565.000000000331D000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
162.159.129.233	unknown	United States	13335	CLOUDFLARENETUS	false
162.159.135.233	unknown	United States	13335	CLOUDFLARENETUS	false
162.159.133.233	cdn.discordapp.com	United States	13335	CLOUDFLARENETUS	false
79.134.225.7	copieronlineph209.ddns.net	Switzerland	6775	FINK-TELECOM-SERVICESCH	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	410974
Start date:	11.05.2021
Start time:	14:07:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Waybill Document 22700456.pif (renamed file extension from pif to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/5@28/4
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 66 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Excluded IPs from analysis (whitelisted): 168.61.161.212, 52.147.198.201, 52.255.188.83 Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, watson.telemetry.microsoft.com Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:08:10	API Interceptor	1047x Sleep call for process: Waybill Document 22700456.exe modified
14:08:13	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
14:08:25	API Interceptor	1x Sleep call for process: dhcpmon.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
162.159.129.233	cotizacin.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/812102734177763331/819187064415191071/bextrit.exe
	SecuriteInfo.com.PWS-FCXDF96A01717A58.15363.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/819169403979038784/819184830453514270/fraem.exe
	7G5RoevPnu.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/807746340997431316/809208342068199434/118fir2crtg.exe
	70% Balance Payment.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/785631384156110868/785631871395561492/italianmassloga.exe
	TT20201712.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/788973775433498687/788974151649722398/damianox.scr
	ENQ-015August 2020 R1 Proj LOT.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/722888184203051118/757862128198877274/Stub.jpg
162.159.135.233	COMPANY REQUIREMENT.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/819674896988242004/819677189900861500/harcout.exe
	Email data form.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/789279517516365865/789279697203757066/angelx.scr
	Down Payment.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/788946375533789214/788947376849027092/atlasx.scr
	Vessel details.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/780175015496777751/781048233136226304/mocux.exe
	Teklif Rusya 24 09 2020.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/733818080668680222/758418625429372978/p2.jpg

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cdn.discordapp.com	755c95c8_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.134.233
	98c87992_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.133.233
	0908000000.exe	Get hash	malicious	Browse	162.159.129.233
	AS90800009000000.exe	Get hash	malicious	Browse	162.159.130.233
	New Order PO#42617.exe	Get hash	malicious	Browse	162.159.135.233
	QbaOijF6WG.exe	Get hash	malicious	Browse	162.159.135.233
	New order list.exe	Get hash	malicious	Browse	162.159.130.233
	cfe14e87_by_Libranalysis.rtf	Get hash	malicious	Browse	162.159.130.233
	Il nuovo ordine e nell'elenco allegato.exe	Get hash	malicious	Browse	162.159.133.233
	SecuriteInfo.com.Trojan.Discord.8711.exe	Get hash	malicious	Browse	162.159.135.233
	8B1C960881FC789460B5B274ABD43BADDB1C92E1A942D.exe	Get hash	malicious	Browse	162.159.134.233
	Spetrum-invoice-95144511.vbs	Get hash	malicious	Browse	162.159.133.233
	Swift-Correction.exe	Get hash	malicious	Browse	162.159.130.233
	QLODCmfl1h.exe	Get hash	malicious	Browse	162.159.135.233
	products order pdf .exe	Get hash	malicious	Browse	162.159.130.233
	Contract_Documents_pdf.exe	Get hash	malicious	Browse	162.159.133.233
	Purchase Order 002393440.exe	Get hash	malicious	Browse	162.159.135.233
	Notice of payment of 04.05.2021.exe	Get hash	malicious	Browse	162.159.135.233
	9a4b975c_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.130.233
	Orden de compra 65843,pdf.exe	Get hash	malicious	Browse	162.159.135.233
copieronlineph209.ddns.net	Orden de compra 65843,pdf.exe	Get hash	malicious	Browse	79.134.225.7

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	be8928c5_by_Libranalysis.exe	Get hash	malicious	Browse	104.21.19.200
	Purchase Order.exe	Get hash	malicious	Browse	104.21.32.235
	Octamod 2021 -#U2026P014 New Order.exe	Get hash	malicious	Browse	172.67.188.154
	PURCHASE_ORDER_0098_PDF.exe	Get hash	malicious	Browse	104.21.19.200
	Invoice.exe	Get hash	malicious	Browse	172.67.188.154
	New Order.exe	Get hash	malicious	Browse	23.227.38.74
	3kURg3sVdn.exe	Get hash	malicious	Browse	104.21.15.11
	0000195221990024.exe	Get hash	malicious	Browse	172.67.188.154
	TPV5CBWxMf.exe	Get hash	malicious	Browse	104.21.86.143
	FuiZSHt8Hx.dll	Get hash	malicious	Browse	104.20.184.68
	slot Charges.exe	Get hash	malicious	Browse	23.227.38.74
	QvGe1ACVtQ.exe	Get hash	malicious	Browse	172.67.188.120
	755c95c8_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.134.233
	#Ud83d#Udce9-vesna.starcevic.htm	Get hash	malicious	Browse	104.18.11.207
	FA42jRFW5U.exe	Get hash	malicious	Browse	172.67.160.253
	k7RjPyffkU.exe	Get hash	malicious	Browse	104.21.15.11
	tjcEHwn7c5.exe	Get hash	malicious	Browse	104.21.85.176
	fVp0qHaDXO.exe	Get hash	malicious	Browse	104.21.86.143
	RFmRn1TPR8.exe	Get hash	malicious	Browse	104.21.85.176
	xeYCELkqqI.exe	Get hash	malicious	Browse	172.67.176.229
CLOUDFLARENETUS	be8928c5_by_Libranalysis.exe	Get hash	malicious	Browse	104.21.19.200
	Purchase Order.exe	Get hash	malicious	Browse	104.21.32.235
	Octamod 2021 -#U2026P014 New Order.exe	Get hash	malicious	Browse	172.67.188.154
	PURCHASE_ORDER_0098_PDF.exe	Get hash	malicious	Browse	104.21.19.200
	Invoice.exe	Get hash	malicious	Browse	172.67.188.154
	New Order.exe	Get hash	malicious	Browse	23.227.38.74
	3kURg3sVdn.exe	Get hash	malicious	Browse	104.21.15.11
	0000195221990024.exe	Get hash	malicious	Browse	172.67.188.154
	TPV5CBWxMf.exe	Get hash	malicious	Browse	104.21.86.143
	FuiZSHt8Hx.dll	Get hash	malicious	Browse	104.20.184.68
	slot Charges.exe	Get hash	malicious	Browse	23.227.38.74
	QvGe1ACVtQ.exe	Get hash	malicious	Browse	172.67.188.120
	755c95c8_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.134.233
	#Ud83d#Udce9-vesna.starcevic.htm	Get hash	malicious	Browse	104.18.11.207
	FA42jRFW5U.exe	Get hash	malicious	Browse	172.67.160.253
	k7RjPyffkU.exe	Get hash	malicious	Browse	104.21.15.11
	tjcEHwn7c5.exe	Get hash	malicious	Browse	104.21.85.176
	fVp0qHaDXO.exe	Get hash	malicious	Browse	104.21.86.143
	RFmRn1TPR8.exe	Get hash	malicious	Browse	104.21.85.176
	xeYCELkqqI.exe	Get hash	malicious	Browse	172.67.176.229
CLOUDFLARENETUS	be8928c5_by_Libranalysis.exe	Get hash	malicious	Browse	104.21.19.200
	Purchase Order.exe	Get hash	malicious	Browse	104.21.32.235
	Octamod 2021 -#U2026P014 New Order.exe	Get hash	malicious	Browse	172.67.188.154
	PURCHASE_ORDER_0098_PDF.exe	Get hash	malicious	Browse	104.21.19.200
	Invoice.exe	Get hash	malicious	Browse	172.67.188.154
	New Order.exe	Get hash	malicious	Browse	23.227.38.74
	3kURg3sVdn.exe	Get hash	malicious	Browse	104.21.15.11
	0000195221990024.exe	Get hash	malicious	Browse	172.67.188.154
	TPV5CBWxMf.exe	Get hash	malicious	Browse	104.21.86.143
	FuiZSHt8Hx.dll	Get hash	malicious	Browse	104.20.184.68
	slot Charges.exe	Get hash	malicious	Browse	23.227.38.74
	QvGe1ACVtQ.exe	Get hash	malicious	Browse	172.67.188.120
	755c95c8_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.134.233
	#Ud83d#Udce9-vesna.starcevic.htm	Get hash	malicious	Browse	104.18.11.207
	FA42jRFW5U.exe	Get hash	malicious	Browse	172.67.160.253
	k7RjPyffkU.exe	Get hash	malicious	Browse	104.21.15.11
	tjcEHwn7c5.exe	Get hash	malicious	Browse	104.21.85.176
	fVp0qHaDXO.exe	Get hash	malicious	Browse	104.21.86.143
	RFmRn1TPR8.exe	Get hash	malicious	Browse	104.21.85.176
	xeYCELkqqI.exe	Get hash	malicious	Browse	172.67.176.229

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	be8928c5_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.129.233 162.159.133.233
	Octamod 2021 -#U2026P014 New Order.exe	Get hash	malicious	Browse	162.159.129.233 162.159.133.233
	Invoice.exe	Get hash	malicious	Browse	162.159.129.233 162.159.133.233
	0000195221990024.exe	Get hash	malicious	Browse	162.159.129.233 162.159.133.233
	Z4uLK26mIK.exe	Get hash	malicious	Browse	162.159.129.233 162.159.133.233
	S.O.A.exe	Get hash	malicious	Browse	162.159.129.233 162.159.133.233
	Consignment Details.exe	Get hash	malicious	Browse	162.159.129.233 162.159.133.233
	Original Receipt.exe	Get hash	malicious	Browse	162.159.129.233 162.159.133.233
	order 39305.exe	Get hash	malicious	Browse	162.159.129.233 162.159.133.233
	Eliorhcq.exe	Get hash	malicious	Browse	162.159.129.233 162.159.133.233
	purchase order.exe	Get hash	malicious	Browse	162.159.129.233 162.159.133.233
	NEW PO - CE AUSTRALIA PTY LTD.xls	Get hash	malicious	Browse	162.159.129.233 162.159.133.233
	XPBPS2DL.exe	Get hash	malicious	Browse	162.159.129.233 162.159.133.233
	TWI-SHA 202102.exe	Get hash	malicious	Browse	162.159.129.233 162.159.133.233
	Reconfirm invoice.exe	Get hash	malicious	Browse	162.159.129.233 162.159.133.233
	INQUIRY.exe	Get hash	malicious	Browse	162.159.129.233 162.159.133.233
	0908000000.exe	Get hash	malicious	Browse	162.159.129.233 162.159.133.233
	Nuovo ordine _WJO-001, pdf.exe	Get hash	malicious	Browse	162.159.129.233 162.159.133.233
	59932e6d_by_Libranalysis.exe	Get hash	malicious	Browse	162.159.129.233 162.159.133.233
	LPO-6809.exe	Get hash	malicious	Browse	162.159.129.233 162.159.133.233

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\Desktop\Waybill Document 22700456.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	1.8962292638353349
Encrypted:	false
SSDEEP:	192:j6fr/yJE//7p+UTsHw7P+zwTZOjAvPIM:j6fjyJEX7f2W+zwTZOjAvP
MD5:	135AB6C14011003E72CC82FABEF66B83
SHA1:	CB269C2BD704562B6206A79BD25E19F0A3498CC1
SHA-256:	A205490D99143217A75FAB698DF9A450827728EED168B9659A89218E863DEABE
SHA-512:	1CC7DBA5734D7F92EECA4887FBB97EF0A6139E6EF2288A5D09E946CB4C85E0358ADD3383A6D5FC03B34B9C1C5B1CFDE84FFE3E470B9959F26439B9762E55040F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 9%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...FN.`.....................l.......,... ...@....@.. ....................................@..................................,..O....@...i........................................................................... ............... ..H............text........ ...................... ..`.rsrc....i...@...j..................@..@.reloc...............z..............@..B.................,......H.......d!..(...........................................................Z ....(....~....o....&..0..........s.....(....~....-........s.........~....o....&~....o....&(.....r...po....o.....(.....r...p.r...p..................~.........r...po.....................o...... ........t....o....&..&.....,..o................. ...............2.s.........*...BSJB............v4.0.30319......l.......#~..h.......#Strings....x.......#US.L.......#GUID...\.......#Blob...........WU........%3....

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Waybill Document 22700456.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Waybill Document 22700456.exe.log Download File
Process:	C:\Users\user\Desktop\Waybill Document 22700456.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.365622957937216
Encrypted:	false
SSDEEP:	24:ML9E4Ks29E4KnKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7K84j:MxHKX9HKnYHKhQnoPtHoxHhAHKzvKvj
MD5:	FC95B72FA9788BDF0B8075C768FFDCEB
SHA1:	2ED2BE675DAF980B3061A622CBF795050F9A68DC
SHA-256:	37D8549A8145090B163B3C5D4A91231AFE1F66E7C1A7203BDE5D48147B0C3B5E
SHA-512:	B6CDA7870B3154B1D77663E4005EFA1C4EA210F955456FC8F8B2445FFCD52B41EAFAC2144E4F1B3BC86D4604F0E86DF5664921C354B313EF7E256162D604E459
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutra

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.365622957937216
Encrypted:	false
SSDEEP:	24:ML9E4Ks29E4KnKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7K84j:MxHKX9HKnYHKhQnoPtHoxHhAHKzvKvj
MD5:	FC95B72FA9788BDF0B8075C768FFDCEB
SHA1:	2ED2BE675DAF980B3061A622CBF795050F9A68DC
SHA-256:	37D8549A8145090B163B3C5D4A91231AFE1F66E7C1A7203BDE5D48147B0C3B5E
SHA-512:	B6CDA7870B3154B1D77663E4005EFA1C4EA210F955456FC8F8B2445FFCD52B41EAFAC2144E4F1B3BC86D4604F0E86DF5664921C354B313EF7E256162D604E459
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutra

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\Waybill Document 22700456.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:Wkqt:WkW
MD5:	52E160DC57C5C37EA48CB09022D4D9AA
SHA1:	50CEB9893634431F79186C77D50892F192865B57
SHA-256:	1FB2B21722CC24AE0B92F8657BF5A97A61303CE2A75812606B2156EBD5833048
SHA-512:	65EE20B1CAF3E78EC0F2823C5DF3C7EA4CAAA15A8A9592507106F01293EE770ECC5CB57E3FAEC87A871745C91A0FAEB94DCDDD9686AD91E5244BD7DB33EF361E
Malicious:	true
Reputation:	low
Preview:	...su..H

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	1.8962292638353349
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Waybill Document 22700456.exe
File size:	31744
MD5:	135ab6c14011003e72cc82fabef66b83
SHA1:	cb269c2bd704562b6206a79bd25e19f0a3498cc1
SHA256:	a205490d99143217a75fab698df9a450827728eed168b9659a89218e863deabe
SHA512:	1cc7dba5734d7f92eeca4887fbb97ef0a6139e6ef2288a5d09e946cb4c85e0358add3383a6d5fc03b34b9c1c5b1cfde84ffe3e470b9959f26439b9762e55040f
SSDEEP:	192:j6fr/yJE//7p+UTsHw7P+zwTZOjAvPIM:j6fjyJEX7f2W+zwTZOjAvP
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...FN.`.....................l.......,... ...@....@.. ....................................@................................

File Icon


Icon Hash:	1717489679719640

Static PE Info

General
Entrypoint:	0x402cde
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x609A4E46 [Tue May 11 09:28:38 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2c8c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x69b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xce4	0xe00	False	0.528459821429	data	4.95221209609	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x69b8	0x6a00	False	0.069538620283	data	1.32542925867	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x4130	0x6328	data
RT_GROUP_ICON	0xa458	0x14	data
RT_VERSION	0xa46c	0x360	data
RT_MANIFEST	0xa7cc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2021 Chia Network
Assembly Version	0.0.0.0
InternalName	naolog.exe
FileVersion	1.1.4.0
CompanyName	Chia Network
Comments	GUI for Chia Blockchain
ProductName	GUI for Chia Blockchain
ProductVersion	1.1.4.0
FileDescription	Setup.exe
OriginalFilename	naolog.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 11, 2021 14:08:08.919827938 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:08.960763931 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:08.960899115 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:08.999187946 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.040070057 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.043958902 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.043993950 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.044013977 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.044105053 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.054272890 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.095210075 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.095426083 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.141886950 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.159697056 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.200643063 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.228517056 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.228538990 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.228549004 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.228564978 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.228596926 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.228612900 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.228625059 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.228643894 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.228717089 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.229020119 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.229032993 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.229101896 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.229516029 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.229532957 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.229607105 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.230473042 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.230499983 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.230559111 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.231405973 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.231424093 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.231487036 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.232374907 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.232393980 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.232460022 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.233331919 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.233354092 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.233470917 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.234304905 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.234330893 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.234402895 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.235256910 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.235280037 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.235368967 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.236238003 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.236268044 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.236403942 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.237207890 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.237255096 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.237299919 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.238154888 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.238183975 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.238239050 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.239101887 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.239134073 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.239228010 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.240082026 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.240113974 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.240190029 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.241070032 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.241202116 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.269490004 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.269517899 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.269685030 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.269860029 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.269891977 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.269969940 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.270802021 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.271280050 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.271311998 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.271348953 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.272249937 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.272273064 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.272321939 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.273216963 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.273235083 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.273288012 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.274159908 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.274179935 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.274245977 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.275136948 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.275154114 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.275213957 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.276067972 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.276087046 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.276134968 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.277041912 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.277059078 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.277101040 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.278021097 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.278039932 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.278096914 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.278960943 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.278980017 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.279022932 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.279901028 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.279918909 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.279956102 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.280873060 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.280889034 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.280929089 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.281863928 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.281883001 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.281929970 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.282833099 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.282855034 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.282943010 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.283751011 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.283767939 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.283824921 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.284719944 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.284737110 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.284792900 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.285695076 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.285712004 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.285765886 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.286700964 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.286724091 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.286767960 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.287584066 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.287607908 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.287655115 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.288522005 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.288543940 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.288608074 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.289479017 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.289495945 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.289630890 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.290448904 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.290468931 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.290524960 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.291429996 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.291449070 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.291508913 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.310570002 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.310597897 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.310782909 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.311288118 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.311312914 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.311388969 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.312109947 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.312166929 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.313133955 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.313159943 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.313240051 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.314011097 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.314037085 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.314120054 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.314404011 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.314435005 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.314512014 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.315247059 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.315272093 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.315443039 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.316092014 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.316112995 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.316185951 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.317848921 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.317871094 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.317960024 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.318814993 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.318834066 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.318912029 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.319259882 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.319288015 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.319375038 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.320751905 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.320770979 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.320842028 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.321667910 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.321700096 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.321778059 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.322673082 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.322695017 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.322757006 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.420250893 CEST	49701	80	192.168.2.4	162.159.135.233
May 11, 2021 14:08:09.461122036 CEST	80	49701	162.159.135.233	192.168.2.4
May 11, 2021 14:08:09.461287975 CEST	49701	80	192.168.2.4	162.159.135.233
May 11, 2021 14:08:09.461775064 CEST	49701	80	192.168.2.4	162.159.135.233
May 11, 2021 14:08:09.504034042 CEST	80	49701	162.159.135.233	192.168.2.4
May 11, 2021 14:08:09.518337011 CEST	80	49701	162.159.135.233	192.168.2.4
May 11, 2021 14:08:09.523385048 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.563815117 CEST	49701	80	192.168.2.4	162.159.135.233
May 11, 2021 14:08:09.600748062 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.600776911 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.600789070 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.600928068 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.601062059 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.601100922 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.601123095 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.601130962 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.601146936 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.601182938 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.602035999 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.602058887 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.602082968 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.602179050 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.602921009 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.602941036 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.602952957 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.603024960 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.603806973 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.603832960 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.603867054 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.603899956 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.603924990 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.604671955 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.604691982 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.604707003 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.604772091 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.605582952 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.605603933 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.605623007 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.605686903 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.605752945 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.606393099 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.606411934 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.606436014 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.606477022 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.607295990 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.607315063 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.607345104 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.607368946 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.607388973 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.608167887 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.608190060 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.608206034 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.608244896 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.609055996 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.609076977 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.609102964 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.609133959 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.609162092 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.609935045 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.609955072 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.609981060 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.610044956 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.610796928 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.610817909 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.610838890 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.610873938 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.610920906 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.611700058 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.611717939 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.611732006 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.611800909 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.612552881 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.612575054 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.612601995 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.612637997 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.612680912 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.613434076 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.613466024 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.613504887 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.613547087 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.614285946 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.614363909 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.614593029 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.614629030 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.614645958 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.614697933 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.615492105 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.615513086 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.615546942 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.615577936 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.615612984 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.616358995 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.616379023 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.616391897 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.616453886 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.617357969 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.617412090 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.617429972 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.617444992 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.617485046 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.618165016 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.618185997 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.618211031 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.618254900 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.618993044 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.619016886 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.619031906 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.619071007 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.619117022 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.619901896 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.619925022 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.619940042 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.619992971 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.620762110 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.620783091 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.620795012 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.620857000 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.621690035 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.621711969 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.621723890 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.621779919 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.641768932 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.641798019 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.641834974 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.641911983 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.642966986 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.642988920 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.643024921 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.643075943 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.643377066 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.643405914 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.643424988 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.643448114 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.643508911 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.644273996 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.644292116 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.644366026 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.644613028 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.644650936 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.644668102 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.644727945 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.645564079 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.645589113 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.645622969 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.645648956 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.645700932 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.646428108 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.646450996 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.646486044 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.646502018 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.647290945 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.647315025 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.647346020 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.647368908 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.647422075 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.648154974 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.648175001 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.648188114 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.648257017 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.651402950 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.651426077 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.651442051 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.651479959 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.651492119 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.651509047 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.651530981 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.651550055 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.651562929 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.651571035 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.651590109 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.651591063 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.651653051 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.652419090 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.652441025 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.652455091 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.652532101 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.653002024 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.653075933 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.653212070 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.653229952 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.653291941 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.654000044 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.654025078 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.654036999 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.654118061 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.654670000 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.654690027 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.654715061 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.654756069 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.654788971 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.655249119 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.655445099 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.655477047 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.655497074 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.655513048 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.655553102 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.656341076 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.656363010 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.656392097 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.656439066 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.657221079 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.657241106 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.657255888 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.657300949 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.657350063 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.658219099 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.658241034 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.658271074 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.658283949 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.659002066 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.659079075 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.659095049 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.659095049 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.659142017 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.659869909 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.659892082 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.659920931 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.659986973 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.660758018 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.660778999 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.660795927 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.660842896 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.660866022 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.661597013 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.661617041 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.661648035 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.661690950 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.662544012 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.662568092 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.662602901 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.662631035 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.662657976 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.682835102 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.682867050 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.682878971 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.682890892 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.682902098 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.683007956 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:09.684247017 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.684269905 CEST	443	49699	162.159.133.233	192.168.2.4
May 11, 2021 14:08:09.684329987 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:10.536722898 CEST	49699	443	192.168.2.4	162.159.133.233
May 11, 2021 14:08:10.537005901 CEST	49701	80	192.168.2.4	162.159.135.233
May 11, 2021 14:08:13.303057909 CEST	49706	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:13.378969908 CEST	6596	49706	79.134.225.7	192.168.2.4
May 11, 2021 14:08:13.892266035 CEST	49706	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:13.968075037 CEST	6596	49706	79.134.225.7	192.168.2.4
May 11, 2021 14:08:14.471115112 CEST	49706	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:14.547166109 CEST	6596	49706	79.134.225.7	192.168.2.4
May 11, 2021 14:08:18.675342083 CEST	49711	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:18.752909899 CEST	6596	49711	79.134.225.7	192.168.2.4
May 11, 2021 14:08:19.267786026 CEST	49711	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:19.343775988 CEST	6596	49711	79.134.225.7	192.168.2.4
May 11, 2021 14:08:19.845901966 CEST	49711	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:19.921881914 CEST	6596	49711	79.134.225.7	192.168.2.4
May 11, 2021 14:08:22.931750059 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:22.972712994 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:22.972806931 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:22.995369911 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.036312103 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.046123028 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.046153069 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.046164036 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.046292067 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.050856113 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.091708899 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.093992949 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.143071890 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.166918039 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.208601952 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.231758118 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.231786013 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.231803894 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.231822014 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.231848001 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.231873989 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.231901884 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.231949091 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.232724905 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.232755899 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.232861042 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.233309031 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.233340025 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.233412027 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.234338045 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.234375000 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.234543085 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.235352039 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.235385895 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.235513926 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.236354113 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.236386061 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.236444950 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.237420082 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.237456083 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.237519026 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.238390923 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.238425970 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.238492012 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.239396095 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.239430904 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.239494085 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.240396976 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.240433931 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.240503073 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.241410017 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.241446972 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.241524935 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.242415905 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.242449999 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.242513895 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.243431091 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.243458986 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.243560076 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.244424105 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.244456053 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.244539976 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.245609045 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.245639086 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.245723963 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.274554014 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.274596930 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.274672031 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.274956942 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.274986982 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.275027037 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.276094913 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.276134014 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.276211977 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.276984930 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.277019024 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.277064085 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.277995110 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.278034925 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.278131962 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.279009104 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.279042006 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.279124975 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.280008078 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.280040979 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.280126095 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.281028986 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.281060934 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.281128883 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.282033920 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.282075882 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.282135010 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.283041954 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.283073902 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.283145905 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.284041882 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.284070969 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.284148932 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.285068989 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.285099983 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.285195112 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.286103010 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.286133051 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.286250114 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.287070036 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.287101984 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.287177086 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.288094997 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.288127899 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.288198948 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.289096117 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.289134979 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.289207935 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.290112972 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.290153027 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.290220976 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.291138887 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.291172981 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.291312933 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.292145014 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.292181969 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.292273045 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.293147087 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.293175936 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.293232918 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.294181108 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.294214010 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.294276953 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.295155048 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.295188904 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.295274973 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.296164989 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.296197891 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.296279907 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.297158957 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.297183037 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.297270060 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.315675974 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.315706015 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.315818071 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.315994978 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.316014051 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.316083908 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.317004919 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.317030907 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.317133904 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.317827940 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.317857027 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.317934036 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.318885088 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.318911076 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.318979025 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.319848061 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.319873095 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.319950104 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.320864916 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.320888042 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.320936918 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.321852922 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.321877956 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.321954012 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.322889090 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.322917938 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.323023081 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.323924065 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.323949099 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.324023962 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.324841976 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.324846983 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.325037956 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.325908899 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.325936079 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.326030970 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.778228998 CEST	49715	80	192.168.2.4	162.159.135.233
May 11, 2021 14:08:23.819194078 CEST	80	49715	162.159.135.233	192.168.2.4
May 11, 2021 14:08:23.819305897 CEST	49715	80	192.168.2.4	162.159.135.233
May 11, 2021 14:08:23.819638968 CEST	49715	80	192.168.2.4	162.159.135.233
May 11, 2021 14:08:23.860559940 CEST	80	49715	162.159.135.233	192.168.2.4
May 11, 2021 14:08:23.879271984 CEST	80	49715	162.159.135.233	192.168.2.4
May 11, 2021 14:08:23.881136894 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.924405098 CEST	49715	80	192.168.2.4	162.159.135.233
May 11, 2021 14:08:23.964314938 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.974592924 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.974620104 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.974633932 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.974922895 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.974963903 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.975001097 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.975003958 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.975027084 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.975044012 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.975076914 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.975953102 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.975970984 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.975989103 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.976027012 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.976049900 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.976814985 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.976835012 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.976850986 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.976932049 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.977699041 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.977716923 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.977735043 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.977752924 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.977802992 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.978585958 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.978604078 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.978621006 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.978677988 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.979470968 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.979490042 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.979507923 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.979522943 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.979543924 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.980392933 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.980415106 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.980431080 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.980469942 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.981328964 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.981352091 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.981369972 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.981405973 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.981446028 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.982203007 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.982227087 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.982244015 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.982289076 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.983056068 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.983076096 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.983092070 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.983129025 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.983169079 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.984009981 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.984035969 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.984052896 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.984105110 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.984852076 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.984879017 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.984894991 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.984930992 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.984963894 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.985768080 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.985790968 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.985807896 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.985883951 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.986658096 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.986680031 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.986697912 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.986742973 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.986814976 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:23.987534046 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.987555981 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.987574100 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:23.987638950 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.017823935 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.017853975 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.017872095 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.017898083 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.017934084 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.018143892 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.018163919 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.018181086 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.018212080 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.019073963 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.019107103 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.019124985 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.019136906 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.019186974 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.019938946 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.019963980 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.019982100 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.020014048 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.020890951 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.020915985 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.020935059 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.020950079 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.020952940 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.021007061 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.021785021 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.021806002 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.021822929 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.021856070 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.021892071 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.022749901 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.022773027 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.022789955 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.022845984 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.023751974 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.023777008 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.023792982 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.023809910 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.023852110 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.024482012 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.024506092 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.024527073 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.024564981 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.025933027 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.025938988 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.025966883 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.026020050 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.026051998 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.026345015 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.026365995 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.026382923 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.026437998 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.027518034 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.027544022 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.027559996 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.027596951 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.027642965 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.028107882 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.028134108 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.028151989 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.028187990 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.029006004 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.029031038 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.029047966 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.029077053 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.029115915 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.029915094 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.029937983 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.029954910 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.030009031 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.030792952 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.030813932 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.030831099 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.030848026 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.030883074 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.060779095 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.060811996 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.060870886 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.060996056 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.061014891 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.061032057 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.061075926 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.061902046 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.061928034 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.061948061 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.061976910 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.062004089 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.062906027 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.062937975 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.062956095 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.063020945 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.063688040 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.063707113 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.063750029 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.063977957 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.063997030 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.064013958 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.064030886 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.064054012 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.064903021 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.065182924 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.065202951 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.065238953 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.066678047 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.066704988 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.066723108 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.066746950 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.066771030 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.067107916 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.067128897 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.067145109 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.067197084 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.068877935 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.068886042 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.068911076 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.068963051 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.068984032 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.069283009 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.069303036 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.069319010 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.069355965 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.070210934 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.070234060 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.070254087 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.070277929 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.070301056 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.071089029 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.071115017 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.071131945 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.071165085 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.071997881 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.072021961 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.072037935 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.072051048 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.072082996 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.072890043 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.072913885 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.072931051 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.072985888 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.073790073 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.073812962 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.073829889 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.073859930 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.073899031 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.074692011 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.074717999 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.074736118 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.074814081 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.097083092 CEST	49716	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:24.101716995 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.101751089 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.101768017 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.101784945 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.101811886 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.102072954 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.102092981 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.102109909 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.102166891 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.102981091 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.103008986 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.103027105 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.103035927 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.103070021 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.103895903 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.103926897 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.103945971 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.103975058 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.104787111 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.104811907 CEST	443	49714	162.159.129.233	192.168.2.4
May 11, 2021 14:08:24.104846001 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.158775091 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:24.173151970 CEST	6596	49716	79.134.225.7	192.168.2.4
May 11, 2021 14:08:24.674484968 CEST	49716	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:24.752315998 CEST	6596	49716	79.134.225.7	192.168.2.4
May 11, 2021 14:08:25.252654076 CEST	49716	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:25.329433918 CEST	6596	49716	79.134.225.7	192.168.2.4
May 11, 2021 14:08:25.973839998 CEST	49715	80	192.168.2.4	162.159.135.233
May 11, 2021 14:08:25.974054098 CEST	49714	443	192.168.2.4	162.159.129.233
May 11, 2021 14:08:29.633198977 CEST	49717	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:29.710078001 CEST	6596	49717	79.134.225.7	192.168.2.4
May 11, 2021 14:08:30.221890926 CEST	49717	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:30.297816038 CEST	6596	49717	79.134.225.7	192.168.2.4
May 11, 2021 14:08:30.800065041 CEST	49717	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:30.876727104 CEST	6596	49717	79.134.225.7	192.168.2.4
May 11, 2021 14:08:34.985227108 CEST	49718	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:35.061060905 CEST	6596	49718	79.134.225.7	192.168.2.4
May 11, 2021 14:08:35.565992117 CEST	49718	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:35.641808033 CEST	6596	49718	79.134.225.7	192.168.2.4
May 11, 2021 14:08:36.144273043 CEST	49718	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:36.220273972 CEST	6596	49718	79.134.225.7	192.168.2.4
May 11, 2021 14:08:40.329875946 CEST	49719	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:40.405898094 CEST	6596	49719	79.134.225.7	192.168.2.4
May 11, 2021 14:08:40.910248995 CEST	49719	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:40.986145973 CEST	6596	49719	79.134.225.7	192.168.2.4
May 11, 2021 14:08:41.488333941 CEST	49719	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:41.564250946 CEST	6596	49719	79.134.225.7	192.168.2.4
May 11, 2021 14:08:45.698544025 CEST	49720	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:45.774560928 CEST	6596	49720	79.134.225.7	192.168.2.4
May 11, 2021 14:08:46.285804033 CEST	49720	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:46.361859083 CEST	6596	49720	79.134.225.7	192.168.2.4
May 11, 2021 14:08:46.863997936 CEST	49720	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:46.940074921 CEST	6596	49720	79.134.225.7	192.168.2.4
May 11, 2021 14:08:51.101411104 CEST	49721	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:51.177592993 CEST	6596	49721	79.134.225.7	192.168.2.4
May 11, 2021 14:08:51.692461014 CEST	49721	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:51.768347025 CEST	6596	49721	79.134.225.7	192.168.2.4
May 11, 2021 14:08:52.270685911 CEST	49721	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:52.346904993 CEST	6596	49721	79.134.225.7	192.168.2.4
May 11, 2021 14:08:56.437927961 CEST	49722	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:56.514750957 CEST	6596	49722	79.134.225.7	192.168.2.4
May 11, 2021 14:08:57.020942926 CEST	49722	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:57.096906900 CEST	6596	49722	79.134.225.7	192.168.2.4
May 11, 2021 14:08:57.599528074 CEST	49722	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:08:57.675431013 CEST	6596	49722	79.134.225.7	192.168.2.4
May 11, 2021 14:09:02.096884012 CEST	49723	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:02.172899008 CEST	6596	49723	79.134.225.7	192.168.2.4
May 11, 2021 14:09:02.677699089 CEST	49723	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:02.753516912 CEST	6596	49723	79.134.225.7	192.168.2.4
May 11, 2021 14:09:03.255903959 CEST	49723	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:03.331783056 CEST	6596	49723	79.134.225.7	192.168.2.4
May 11, 2021 14:09:07.460714102 CEST	49724	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:07.537796974 CEST	6596	49724	79.134.225.7	192.168.2.4
May 11, 2021 14:09:08.053169012 CEST	49724	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:08.131026983 CEST	6596	49724	79.134.225.7	192.168.2.4
May 11, 2021 14:09:08.631419897 CEST	49724	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:08.707513094 CEST	6596	49724	79.134.225.7	192.168.2.4
May 11, 2021 14:09:12.797525883 CEST	49725	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:12.873572111 CEST	6596	49725	79.134.225.7	192.168.2.4
May 11, 2021 14:09:13.381695032 CEST	49725	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:13.461863995 CEST	6596	49725	79.134.225.7	192.168.2.4
May 11, 2021 14:09:13.975522995 CEST	49725	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:14.051733017 CEST	6596	49725	79.134.225.7	192.168.2.4
May 11, 2021 14:09:18.233115911 CEST	49726	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:18.309047937 CEST	6596	49726	79.134.225.7	192.168.2.4
May 11, 2021 14:09:18.819818974 CEST	49726	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:18.895787954 CEST	6596	49726	79.134.225.7	192.168.2.4
May 11, 2021 14:09:19.397857904 CEST	49726	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:19.474149942 CEST	6596	49726	79.134.225.7	192.168.2.4
May 11, 2021 14:09:23.563060045 CEST	49727	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:23.639210939 CEST	6596	49727	79.134.225.7	192.168.2.4
May 11, 2021 14:09:24.148422003 CEST	49727	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:24.224498987 CEST	6596	49727	79.134.225.7	192.168.2.4
May 11, 2021 14:09:24.726432085 CEST	49727	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:24.802359104 CEST	6596	49727	79.134.225.7	192.168.2.4
May 11, 2021 14:09:28.971724033 CEST	49728	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:29.047739983 CEST	6596	49728	79.134.225.7	192.168.2.4
May 11, 2021 14:09:29.555061102 CEST	49728	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:29.630801916 CEST	6596	49728	79.134.225.7	192.168.2.4
May 11, 2021 14:09:30.133393049 CEST	49728	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:30.209352016 CEST	6596	49728	79.134.225.7	192.168.2.4
May 11, 2021 14:09:34.303905010 CEST	49729	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:34.380064964 CEST	6596	49729	79.134.225.7	192.168.2.4
May 11, 2021 14:09:34.883733034 CEST	49729	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:34.959747076 CEST	6596	49729	79.134.225.7	192.168.2.4
May 11, 2021 14:09:35.461754084 CEST	49729	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:35.537738085 CEST	6596	49729	79.134.225.7	192.168.2.4
May 11, 2021 14:09:39.678194046 CEST	49730	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:39.757082939 CEST	6596	49730	79.134.225.7	192.168.2.4
May 11, 2021 14:09:40.259147882 CEST	49730	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:40.338151932 CEST	6596	49730	79.134.225.7	192.168.2.4
May 11, 2021 14:09:40.852871895 CEST	49730	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:40.931765079 CEST	6596	49730	79.134.225.7	192.168.2.4
May 11, 2021 14:09:45.104336023 CEST	49731	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:45.180285931 CEST	6596	49731	79.134.225.7	192.168.2.4
May 11, 2021 14:09:45.681420088 CEST	49731	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:45.757409096 CEST	6596	49731	79.134.225.7	192.168.2.4
May 11, 2021 14:09:46.259733915 CEST	49731	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:46.335601091 CEST	6596	49731	79.134.225.7	192.168.2.4
May 11, 2021 14:09:50.433186054 CEST	49732	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:50.509152889 CEST	6596	49732	79.134.225.7	192.168.2.4
May 11, 2021 14:09:51.009912968 CEST	49732	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:51.085763931 CEST	6596	49732	79.134.225.7	192.168.2.4
May 11, 2021 14:09:51.588205099 CEST	49732	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:51.664133072 CEST	6596	49732	79.134.225.7	192.168.2.4
May 11, 2021 14:09:55.801934958 CEST	49733	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:55.878637075 CEST	6596	49733	79.134.225.7	192.168.2.4
May 11, 2021 14:09:56.385577917 CEST	49733	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:56.461571932 CEST	6596	49733	79.134.225.7	192.168.2.4
May 11, 2021 14:09:56.964443922 CEST	49733	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:09:57.040323019 CEST	6596	49733	79.134.225.7	192.168.2.4
May 11, 2021 14:10:01.156198978 CEST	49734	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:10:01.232115984 CEST	6596	49734	79.134.225.7	192.168.2.4
May 11, 2021 14:10:01.745296001 CEST	49734	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:10:01.821204901 CEST	6596	49734	79.134.225.7	192.168.2.4
May 11, 2021 14:10:02.323436975 CEST	49734	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:10:02.399511099 CEST	6596	49734	79.134.225.7	192.168.2.4
May 11, 2021 14:10:06.510554075 CEST	49735	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:10:06.586746931 CEST	6596	49735	79.134.225.7	192.168.2.4
May 11, 2021 14:10:07.089690924 CEST	49735	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:10:07.165395975 CEST	6596	49735	79.134.225.7	192.168.2.4
May 11, 2021 14:10:07.668013096 CEST	49735	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:10:07.744589090 CEST	6596	49735	79.134.225.7	192.168.2.4
May 11, 2021 14:10:11.857836008 CEST	49736	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:10:11.936630011 CEST	6596	49736	79.134.225.7	192.168.2.4
May 11, 2021 14:10:12.449404001 CEST	49736	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:10:12.528079033 CEST	6596	49736	79.134.225.7	192.168.2.4
May 11, 2021 14:10:13.043072939 CEST	49736	6596	192.168.2.4	79.134.225.7
May 11, 2021 14:10:13.121803999 CEST	6596	49736	79.134.225.7	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 11, 2021 14:08:00.888112068 CEST	49182	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:00.936826944 CEST	53	49182	8.8.8.8	192.168.2.4
May 11, 2021 14:08:01.811009884 CEST	59920	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:01.861994028 CEST	53	59920	8.8.8.8	192.168.2.4
May 11, 2021 14:08:02.751594067 CEST	57458	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:02.803714037 CEST	53	57458	8.8.8.8	192.168.2.4
May 11, 2021 14:08:05.368330002 CEST	50579	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:05.418459892 CEST	53	50579	8.8.8.8	192.168.2.4
May 11, 2021 14:08:06.214721918 CEST	51703	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:06.263360977 CEST	53	51703	8.8.8.8	192.168.2.4
May 11, 2021 14:08:07.561328888 CEST	65248	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:07.612814903 CEST	53	65248	8.8.8.8	192.168.2.4
May 11, 2021 14:08:08.836345911 CEST	53723	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:08.899810076 CEST	53	53723	8.8.8.8	192.168.2.4
May 11, 2021 14:08:09.163006067 CEST	64646	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:09.214704990 CEST	53	64646	8.8.8.8	192.168.2.4
May 11, 2021 14:08:09.357295990 CEST	65298	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:09.418320894 CEST	53	65298	8.8.8.8	192.168.2.4
May 11, 2021 14:08:10.076247931 CEST	59123	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:10.127697945 CEST	53	59123	8.8.8.8	192.168.2.4
May 11, 2021 14:08:11.582963943 CEST	54531	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:11.631668091 CEST	53	54531	8.8.8.8	192.168.2.4
May 11, 2021 14:08:12.390048981 CEST	49714	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:12.438889027 CEST	53	49714	8.8.8.8	192.168.2.4
May 11, 2021 14:08:13.228873014 CEST	58028	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:13.230568886 CEST	53097	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:13.285917044 CEST	53	58028	8.8.8.8	192.168.2.4
May 11, 2021 14:08:13.289357901 CEST	53	53097	8.8.8.8	192.168.2.4
May 11, 2021 14:08:15.360857964 CEST	49257	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:15.412416935 CEST	53	49257	8.8.8.8	192.168.2.4
May 11, 2021 14:08:16.376435995 CEST	62389	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:16.427968979 CEST	53	62389	8.8.8.8	192.168.2.4
May 11, 2021 14:08:17.260313034 CEST	49910	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:17.311815977 CEST	53	49910	8.8.8.8	192.168.2.4
May 11, 2021 14:08:18.208034039 CEST	55854	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:18.261504889 CEST	53	55854	8.8.8.8	192.168.2.4
May 11, 2021 14:08:18.612277031 CEST	64549	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:18.672712088 CEST	53	64549	8.8.8.8	192.168.2.4
May 11, 2021 14:08:19.032377958 CEST	63153	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:19.083467007 CEST	53	63153	8.8.8.8	192.168.2.4
May 11, 2021 14:08:19.862903118 CEST	52991	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:19.911659956 CEST	53	52991	8.8.8.8	192.168.2.4
May 11, 2021 14:08:22.851417065 CEST	53700	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:22.902051926 CEST	53	53700	8.8.8.8	192.168.2.4
May 11, 2021 14:08:23.349486113 CEST	51726	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:23.398307085 CEST	53	51726	8.8.8.8	192.168.2.4
May 11, 2021 14:08:24.042949915 CEST	56794	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:24.095645905 CEST	53	56794	8.8.8.8	192.168.2.4
May 11, 2021 14:08:29.570244074 CEST	56534	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:29.631570101 CEST	53	56534	8.8.8.8	192.168.2.4
May 11, 2021 14:08:34.927721977 CEST	56627	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:34.976428032 CEST	53	56627	8.8.8.8	192.168.2.4
May 11, 2021 14:08:40.274612904 CEST	56621	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:40.323412895 CEST	53	56621	8.8.8.8	192.168.2.4
May 11, 2021 14:08:45.635874987 CEST	63116	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:45.696279049 CEST	53	63116	8.8.8.8	192.168.2.4
May 11, 2021 14:08:51.041683912 CEST	64078	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:51.098967075 CEST	53	64078	8.8.8.8	192.168.2.4
May 11, 2021 14:08:56.378653049 CEST	64801	53	192.168.2.4	8.8.8.8
May 11, 2021 14:08:56.436254025 CEST	53	64801	8.8.8.8	192.168.2.4
May 11, 2021 14:09:01.991609097 CEST	61721	53	192.168.2.4	8.8.8.8
May 11, 2021 14:09:02.049312115 CEST	53	61721	8.8.8.8	192.168.2.4
May 11, 2021 14:09:07.380795956 CEST	51255	53	192.168.2.4	8.8.8.8
May 11, 2021 14:09:07.437877893 CEST	53	51255	8.8.8.8	192.168.2.4
May 11, 2021 14:09:12.732844114 CEST	61522	53	192.168.2.4	8.8.8.8
May 11, 2021 14:09:12.796494961 CEST	53	61522	8.8.8.8	192.168.2.4
May 11, 2021 14:09:18.167540073 CEST	52337	53	192.168.2.4	8.8.8.8
May 11, 2021 14:09:18.230365038 CEST	53	52337	8.8.8.8	192.168.2.4
May 11, 2021 14:09:23.509829998 CEST	55046	53	192.168.2.4	8.8.8.8
May 11, 2021 14:09:23.560766935 CEST	53	55046	8.8.8.8	192.168.2.4
May 11, 2021 14:09:28.910937071 CEST	49612	53	192.168.2.4	8.8.8.8
May 11, 2021 14:09:28.969799995 CEST	53	49612	8.8.8.8	192.168.2.4
May 11, 2021 14:09:34.244220972 CEST	49285	53	192.168.2.4	8.8.8.8
May 11, 2021 14:09:34.301676989 CEST	53	49285	8.8.8.8	192.168.2.4
May 11, 2021 14:09:39.619286060 CEST	50601	53	192.168.2.4	8.8.8.8
May 11, 2021 14:09:39.676676989 CEST	53	50601	8.8.8.8	192.168.2.4
May 11, 2021 14:09:45.051172018 CEST	60875	53	192.168.2.4	8.8.8.8
May 11, 2021 14:09:45.102828979 CEST	53	60875	8.8.8.8	192.168.2.4
May 11, 2021 14:09:50.372221947 CEST	56448	53	192.168.2.4	8.8.8.8
May 11, 2021 14:09:50.431382895 CEST	53	56448	8.8.8.8	192.168.2.4
May 11, 2021 14:09:55.741588116 CEST	59172	53	192.168.2.4	8.8.8.8
May 11, 2021 14:09:55.798669100 CEST	53	59172	8.8.8.8	192.168.2.4
May 11, 2021 14:10:01.096632004 CEST	62420	53	192.168.2.4	8.8.8.8
May 11, 2021 14:10:01.154195070 CEST	53	62420	8.8.8.8	192.168.2.4
May 11, 2021 14:10:06.427695036 CEST	60579	53	192.168.2.4	8.8.8.8
May 11, 2021 14:10:06.489603043 CEST	53	60579	8.8.8.8	192.168.2.4
May 11, 2021 14:10:11.770201921 CEST	50183	53	192.168.2.4	8.8.8.8
May 11, 2021 14:10:11.832556009 CEST	53	50183	8.8.8.8	192.168.2.4
May 11, 2021 14:10:17.139323950 CEST	61531	53	192.168.2.4	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 11, 2021 14:08:08.836345911 CEST	192.168.2.4	8.8.8.8	0x687	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
May 11, 2021 14:08:09.357295990 CEST	192.168.2.4	8.8.8.8	0x36a7	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
May 11, 2021 14:08:13.230568886 CEST	192.168.2.4	8.8.8.8	0xdb50	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:08:18.612277031 CEST	192.168.2.4	8.8.8.8	0x3bf9	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:08:22.851417065 CEST	192.168.2.4	8.8.8.8	0x956b	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
May 11, 2021 14:08:23.349486113 CEST	192.168.2.4	8.8.8.8	0x9e43	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
May 11, 2021 14:08:24.042949915 CEST	192.168.2.4	8.8.8.8	0xa43f	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:08:29.570244074 CEST	192.168.2.4	8.8.8.8	0xc4a0	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:08:34.927721977 CEST	192.168.2.4	8.8.8.8	0xa2ef	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:08:40.274612904 CEST	192.168.2.4	8.8.8.8	0x948e	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:08:45.635874987 CEST	192.168.2.4	8.8.8.8	0xda38	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:08:51.041683912 CEST	192.168.2.4	8.8.8.8	0xe12	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:08:56.378653049 CEST	192.168.2.4	8.8.8.8	0x3126	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:09:01.991609097 CEST	192.168.2.4	8.8.8.8	0xbf12	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:09:07.380795956 CEST	192.168.2.4	8.8.8.8	0x1ac4	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:09:12.732844114 CEST	192.168.2.4	8.8.8.8	0x1a4e	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:09:18.167540073 CEST	192.168.2.4	8.8.8.8	0x6268	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:09:23.509829998 CEST	192.168.2.4	8.8.8.8	0x74d0	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:09:28.910937071 CEST	192.168.2.4	8.8.8.8	0x768b	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:09:34.244220972 CEST	192.168.2.4	8.8.8.8	0xce0d	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:09:39.619286060 CEST	192.168.2.4	8.8.8.8	0x2774	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:09:45.051172018 CEST	192.168.2.4	8.8.8.8	0x9d5	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:09:50.372221947 CEST	192.168.2.4	8.8.8.8	0x3dbe	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:09:55.741588116 CEST	192.168.2.4	8.8.8.8	0xab39	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:10:01.096632004 CEST	192.168.2.4	8.8.8.8	0x4ded	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:10:06.427695036 CEST	192.168.2.4	8.8.8.8	0x11cb	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:10:11.770201921 CEST	192.168.2.4	8.8.8.8	0xe480	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)
May 11, 2021 14:10:17.139323950 CEST	192.168.2.4	8.8.8.8	0x20f7	Standard query (0)	copieronlineph209.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 11, 2021 14:08:08.899810076 CEST	8.8.8.8	192.168.2.4	0x687	No error (0)	cdn.discordapp.com	162.159.133.233	A (IP address)	IN (0x0001)
May 11, 2021 14:08:08.899810076 CEST	8.8.8.8	192.168.2.4	0x687	No error (0)	cdn.discordapp.com	162.159.134.233	A (IP address)	IN (0x0001)
May 11, 2021 14:08:08.899810076 CEST	8.8.8.8	192.168.2.4	0x687	No error (0)	cdn.discordapp.com	162.159.135.233	A (IP address)	IN (0x0001)
May 11, 2021 14:08:08.899810076 CEST	8.8.8.8	192.168.2.4	0x687	No error (0)	cdn.discordapp.com	162.159.129.233	A (IP address)	IN (0x0001)
May 11, 2021 14:08:08.899810076 CEST	8.8.8.8	192.168.2.4	0x687	No error (0)	cdn.discordapp.com	162.159.130.233	A (IP address)	IN (0x0001)
May 11, 2021 14:08:09.418320894 CEST	8.8.8.8	192.168.2.4	0x36a7	No error (0)	cdn.discordapp.com	162.159.135.233	A (IP address)	IN (0x0001)
May 11, 2021 14:08:09.418320894 CEST	8.8.8.8	192.168.2.4	0x36a7	No error (0)	cdn.discordapp.com	162.159.133.233	A (IP address)	IN (0x0001)
May 11, 2021 14:08:09.418320894 CEST	8.8.8.8	192.168.2.4	0x36a7	No error (0)	cdn.discordapp.com	162.159.130.233	A (IP address)	IN (0x0001)
May 11, 2021 14:08:09.418320894 CEST	8.8.8.8	192.168.2.4	0x36a7	No error (0)	cdn.discordapp.com	162.159.134.233	A (IP address)	IN (0x0001)
May 11, 2021 14:08:09.418320894 CEST	8.8.8.8	192.168.2.4	0x36a7	No error (0)	cdn.discordapp.com	162.159.129.233	A (IP address)	IN (0x0001)
May 11, 2021 14:08:13.289357901 CEST	8.8.8.8	192.168.2.4	0xdb50	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:08:18.672712088 CEST	8.8.8.8	192.168.2.4	0x3bf9	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:08:22.902051926 CEST	8.8.8.8	192.168.2.4	0x956b	No error (0)	cdn.discordapp.com	162.159.129.233	A (IP address)	IN (0x0001)
May 11, 2021 14:08:22.902051926 CEST	8.8.8.8	192.168.2.4	0x956b	No error (0)	cdn.discordapp.com	162.159.134.233	A (IP address)	IN (0x0001)
May 11, 2021 14:08:22.902051926 CEST	8.8.8.8	192.168.2.4	0x956b	No error (0)	cdn.discordapp.com	162.159.133.233	A (IP address)	IN (0x0001)
May 11, 2021 14:08:22.902051926 CEST	8.8.8.8	192.168.2.4	0x956b	No error (0)	cdn.discordapp.com	162.159.130.233	A (IP address)	IN (0x0001)
May 11, 2021 14:08:22.902051926 CEST	8.8.8.8	192.168.2.4	0x956b	No error (0)	cdn.discordapp.com	162.159.135.233	A (IP address)	IN (0x0001)
May 11, 2021 14:08:23.398307085 CEST	8.8.8.8	192.168.2.4	0x9e43	No error (0)	cdn.discordapp.com	162.159.135.233	A (IP address)	IN (0x0001)
May 11, 2021 14:08:23.398307085 CEST	8.8.8.8	192.168.2.4	0x9e43	No error (0)	cdn.discordapp.com	162.159.133.233	A (IP address)	IN (0x0001)
May 11, 2021 14:08:23.398307085 CEST	8.8.8.8	192.168.2.4	0x9e43	No error (0)	cdn.discordapp.com	162.159.130.233	A (IP address)	IN (0x0001)
May 11, 2021 14:08:23.398307085 CEST	8.8.8.8	192.168.2.4	0x9e43	No error (0)	cdn.discordapp.com	162.159.134.233	A (IP address)	IN (0x0001)
May 11, 2021 14:08:23.398307085 CEST	8.8.8.8	192.168.2.4	0x9e43	No error (0)	cdn.discordapp.com	162.159.129.233	A (IP address)	IN (0x0001)
May 11, 2021 14:08:24.095645905 CEST	8.8.8.8	192.168.2.4	0xa43f	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:08:29.631570101 CEST	8.8.8.8	192.168.2.4	0xc4a0	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:08:34.976428032 CEST	8.8.8.8	192.168.2.4	0xa2ef	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:08:40.323412895 CEST	8.8.8.8	192.168.2.4	0x948e	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:08:45.696279049 CEST	8.8.8.8	192.168.2.4	0xda38	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:08:51.098967075 CEST	8.8.8.8	192.168.2.4	0xe12	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:08:56.436254025 CEST	8.8.8.8	192.168.2.4	0x3126	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:09:02.049312115 CEST	8.8.8.8	192.168.2.4	0xbf12	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:09:07.437877893 CEST	8.8.8.8	192.168.2.4	0x1ac4	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:09:12.796494961 CEST	8.8.8.8	192.168.2.4	0x1a4e	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:09:18.230365038 CEST	8.8.8.8	192.168.2.4	0x6268	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:09:23.560766935 CEST	8.8.8.8	192.168.2.4	0x74d0	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:09:28.969799995 CEST	8.8.8.8	192.168.2.4	0x768b	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:09:34.301676989 CEST	8.8.8.8	192.168.2.4	0xce0d	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:09:39.676676989 CEST	8.8.8.8	192.168.2.4	0x2774	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:09:45.102828979 CEST	8.8.8.8	192.168.2.4	0x9d5	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:09:50.431382895 CEST	8.8.8.8	192.168.2.4	0x3dbe	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:09:55.798669100 CEST	8.8.8.8	192.168.2.4	0xab39	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:10:01.154195070 CEST	8.8.8.8	192.168.2.4	0x4ded	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:10:06.489603043 CEST	8.8.8.8	192.168.2.4	0x11cb	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)
May 11, 2021 14:10:11.832556009 CEST	8.8.8.8	192.168.2.4	0xe480	No error (0)	copieronlineph209.ddns.net	79.134.225.7	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

cdn.discordapp.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49701	162.159.135.233	80	C:\Users\user\Desktop\Waybill Document 22700456.exe

Timestamp	kBytes transferred	Direction	Data
May 11, 2021 14:08:09.461775064 CEST	234	OUT	GET /attachments/809311531652087809/839856358152208434/May_Blessing.exe HTTP/1.1 Host: cdn.discordapp.com Connection: Keep-Alive
May 11, 2021 14:08:09.518337011 CEST	240	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 11 May 2021 12:08:09 GMT Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=3600 Expires: Tue, 11 May 2021 13:08:09 GMT Location: https://cdn.discordapp.com/attachments/809311531652087809/839856358152208434/May_Blessing.exe cf-request-id: 09fcece61500004dbe5337f000000001 X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=un9eJpCHRxxnq%2B7LyETtGBonFT%2FZqaVdzcjbfjkGRUa%2BwCAnsTbMYR8zVcsLPnFo%2BnsAJDknlC552SOumYe1%2FTwKGhGtiAC805dcSyTkgvhAOiM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 64db4a8358414dbe-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49715	162.159.135.233	80	C:\Users\user\Desktop\Waybill Document 22700456.exe

Timestamp	kBytes transferred	Direction	Data
May 11, 2021 14:08:23.819638968 CEST	736	OUT	GET /attachments/809311531652087809/839856358152208434/May_Blessing.exe HTTP/1.1 Host: cdn.discordapp.com Connection: Keep-Alive
May 11, 2021 14:08:23.879271984 CEST	737	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 11 May 2021 12:08:23 GMT Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=3600 Expires: Tue, 11 May 2021 13:08:23 GMT Location: https://cdn.discordapp.com/attachments/809311531652087809/839856358152208434/May_Blessing.exe cf-request-id: 09fced1e2c00004e13cf8a5000000001 X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=XT3GsUHkJRGm5ke4kfwHGxPIiUnPVBlONRGj%2FXWPTzJUU6AqynF7bRVZc9gULarSiZamZFulPm4lFSrf1fMXGP7%2B55MNS17Zj7f4BWYg1TovcHU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 64db4add18944e13-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
May 11, 2021 14:08:09.044013977 CEST	162.159.133.233	443	192.168.2.4	49699	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Jan 19 01:00:00 CET 2021 Mon Jan 27 13:46:39 CET 2020	Wed Jan 19 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
May 11, 2021 14:08:09.044013977 CEST	162.159.133.233	443	192.168.2.4	49699	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:46:39 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad
May 11, 2021 14:08:23.046164036 CEST	162.159.129.233	443	192.168.2.4	49714	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Jan 19 01:00:00 CET 2021 Mon Jan 27 13:46:39 CET 2020	Wed Jan 19 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
May 11, 2021 14:08:23.046164036 CEST	162.159.129.233	443	192.168.2.4	49714	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:46:39 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Waybill Document 22700456.exe PID: 984 Parent PID: 5884

General

Start time:	14:08:07
Start date:	11/05/2021
Path:	C:\Users\user\Desktop\Waybill Document 22700456.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Waybill Document 22700456.exe'
Imagebase:	0xc80000
File size:	31744 bytes
MD5 hash:	135AB6C14011003E72CC82FABEF66B83
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.651950199.0000000004129000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.651950199.0000000004129000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.651950199.0000000004129000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.651983968.00000000041AA000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.651983968.00000000041AA000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.651983968.00000000041AA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: Waybill Document 22700456.exe PID: 5240 Parent PID: 984

General

Start time:	14:08:09
Start date:	11/05/2021
Path:	C:\Users\user\Desktop\Waybill Document 22700456.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Waybill Document 22700456.exe
Imagebase:	0x110000
File size:	31744 bytes
MD5 hash:	135AB6C14011003E72CC82FABEF66B83
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: Waybill Document 22700456.exe PID: 492 Parent PID: 984

General

Start time:	14:08:09
Start date:	11/05/2021
Path:	C:\Users\user\Desktop\Waybill Document 22700456.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Waybill Document 22700456.exe
Imagebase:	0xf30000
File size:	31744 bytes
MD5 hash:	135AB6C14011003E72CC82FABEF66B83
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.917424043.0000000005C80000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.917424043.0000000005C80000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.915082806.0000000004399000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000002.00000002.915082806.0000000004399000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.917556465.0000000006480000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.917556465.0000000006480000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.917556465.0000000006480000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.913974492.0000000003351000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.912708984.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.912708984.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000002.00000002.912708984.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 4700 Parent PID: 3424

General

Start time:	14:08:21
Start date:	11/05/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0xf80000
File size:	31744 bytes
MD5 hash:	135AB6C14011003E72CC82FABEF66B83
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.685126012.000000000435A000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.685126012.000000000435A000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.685126012.000000000435A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.685085276.00000000042D9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.685085276.00000000042D9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.685085276.00000000042D9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 9%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 1172 Parent PID: 4700

General

Start time:	14:08:23
Start date:	11/05/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0xbb0000
File size:	31744 bytes
MD5 hash:	135AB6C14011003E72CC82FABEF66B83
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.699050992.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.699050992.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.699050992.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.699678398.0000000003F29000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.699678398.0000000003F29000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.699608061.0000000002F21000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.699608061.0000000002F21000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Waybill Document 22700456.exe PID: 984 Parent PID: 5884 Waybill Document 22700456.exeCOMMON

Executed Functions

Function 02F82158, Relevance: .6, Instructions: 636COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.651757622.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 515772771ddffb657e93246a9e00ad90cbfeaf2a82e9228d77a1f875455d4f05
Instruction ID: 3b75a81dfeca556c5f0a599a3c212dfca2470da54e6febd0e6d7c5d0a8041459
Opcode Fuzzy Hash: 515772771ddffb657e93246a9e00ad90cbfeaf2a82e9228d77a1f875455d4f05
Instruction Fuzzy Hash: 2F62B075E012288FEB64EF65CC44BEDB7B2AB89344F1081E9D60DA7290DB345E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02F82156, Relevance: .5, Instructions: 497COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.651757622.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e386e00818b2ea9d22dfee53753c584f42f700c44bd008a226d1ca00887cda
Instruction ID: f2fe027954dd80ef3a9505e42dc316b58158de1186a7c81850728606f719311e
Opcode Fuzzy Hash: 85e386e00818b2ea9d22dfee53753c584f42f700c44bd008a226d1ca00887cda
Instruction Fuzzy Hash: 6C32A075E012288FEB64EF65CC54BEDB6B2AB89344F1081EAD60DA7290DB345EC5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02F81D88, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 239processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,?), ref: 02F82F1F

Strings

[@Sd, xrefs: 02F82D81

Memory Dump Source

Source File: 00000000.00000002.651757622.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: CreateProcess
String ID: [@Sd
API String ID: 963392458-2526769577
Opcode ID: 82c030061319e4857f4bd8c364474083ed22374e1b4215f323a87c835243d7dc
Instruction ID: fb4d558d3c352316399bd39c2a604785c3869d1a0f64d23c0dc55164b94b7081
Opcode Fuzzy Hash: 82c030061319e4857f4bd8c364474083ed22374e1b4215f323a87c835243d7dc
Instruction Fuzzy Hash: B881CF71D0426D9FCB25DF64C884BDDBBF1AB59304F0490AAEA49B7210DB70AA85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02F82D35, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 238processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,?), ref: 02F82F1F

Strings

[@Sd, xrefs: 02F82D81

Memory Dump Source

Source File: 00000000.00000002.651757622.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: CreateProcess
String ID: [@Sd
API String ID: 963392458-2526769577
Opcode ID: d162a2d64cbd3037a675e86a78cbdbc7f9c0e0fe553af17320920bffb0f65cfd
Instruction ID: e6bc13f4c3d9db634cb21619d0ae50cfcc824fb1591a396929b1545b507fb535
Opcode Fuzzy Hash: d162a2d64cbd3037a675e86a78cbdbc7f9c0e0fe553af17320920bffb0f65cfd
Instruction Fuzzy Hash: 0281CF71D0426D9FCB25DF64C884BDDBBF1BB59308F0490AAE649B7210DB70AA85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02F836C1, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 113injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 02F83796

Strings

[@Sd, xrefs: 02F836ED

Memory Dump Source

Source File: 00000000.00000002.651757622.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID: [@Sd
API String ID: 3559483778-2526769577
Opcode ID: 2497d895f69e798aadd93fff30d94c8b394c4cd9bf37a5b9c2595b94f744bf1f
Instruction ID: ea727da050b1ac1464e50056d4f10e021ae3e123ded14a76c4de6649c7a3b54d
Opcode Fuzzy Hash: 2497d895f69e798aadd93fff30d94c8b394c4cd9bf37a5b9c2595b94f744bf1f
Instruction Fuzzy Hash: B2419AB9D042589FCB00CFA9D984ADEFBF1BB09314F24906AE914B7310D375AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02F81DD0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 113injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 02F83796

Strings

[@Sd, xrefs: 02F836ED

Memory Dump Source

Source File: 00000000.00000002.651757622.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID: [@Sd
API String ID: 3559483778-2526769577
Opcode ID: 9929d63422fc3a178d68e39d56c086bb5ced34e3c1de7552fd033b2a082a5048
Instruction ID: 1602339bfa3102d48925c3deebabf9dfe6240faf1b298ab66fa4c7a7cc8a92c1
Opcode Fuzzy Hash: 9929d63422fc3a178d68e39d56c086bb5ced34e3c1de7552fd033b2a082a5048
Instruction Fuzzy Hash: 2E4178B5D042589FCB10CFA9D984ADEFBF1BB09314F24906AE918B7310D375AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02F83070, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 106threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNEL32(?,?), ref: 02F83122

Strings

[@Sd, xrefs: 02F8309A

Memory Dump Source

Source File: 00000000.00000002.651757622.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: ContextThread
String ID: [@Sd
API String ID: 1591575202-2526769577
Opcode ID: 97b26db846d5e3ec6947f4ae5392b30f7df3ccdb76fb785dffd5ed852ca92b22
Instruction ID: 52b75c9a4193b791f75bc7b953169a55ab81fc70a68fc1a8deabed64b259f811
Opcode Fuzzy Hash: 97b26db846d5e3ec6947f4ae5392b30f7df3ccdb76fb785dffd5ed852ca92b22
Instruction Fuzzy Hash: F4410FB5D052588FCB10DFA9D884ADEFBF0EB09714F14806AE415BB211D379994ACF60

Uniqueness

Uniqueness Score: -1.00%

Function 02F81DAC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,00000000,?), ref: 02F83235

Strings

[@Sd, xrefs: 02F831AD

Memory Dump Source

Source File: 00000000.00000002.651757622.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID: [@Sd
API String ID: 1726664587-2526769577
Opcode ID: 89dc3ac48cadd983be534005a8bc0588d0b0684f8bd3546013fb159ee9e0bb78
Instruction ID: 59d632b8f902994fd4576bea2ed6c7944ad33de5bc17ac5191199b9d9993b50f
Opcode Fuzzy Hash: 89dc3ac48cadd983be534005a8bc0588d0b0684f8bd3546013fb159ee9e0bb78
Instruction Fuzzy Hash: 404177B9D04258DFCF10CFA9D984ADEFBB1BB19310F10906AE914B7210D375A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02F83183, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,00000000,?), ref: 02F83235

Strings

[@Sd, xrefs: 02F831AD

Memory Dump Source

Source File: 00000000.00000002.651757622.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID: [@Sd
API String ID: 1726664587-2526769577
Opcode ID: 093e33165ec3ac7cbde46e33031647b8a7688218c13a613bad367351323bd545
Instruction ID: 72f59ce845a5569fc8b521eea5b603ee6a5a217d68a1a951c8b61d3489d560f0
Opcode Fuzzy Hash: 093e33165ec3ac7cbde46e33031647b8a7688218c13a613bad367351323bd545
Instruction Fuzzy Hash: 953197B9D04258DFCF10CFA9D884ADEFBB1BB09310F10906AE814B7210D375A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02F81DC4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,00000000,?), ref: 02F83345

Strings

[@Sd, xrefs: 02F832BD

Memory Dump Source

Source File: 00000000.00000002.651757622.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: [@Sd
API String ID: 4275171209-2526769577
Opcode ID: 70aa695655823668bfc25bcb4ee283b1c4bcd97826bfb9d0b85d69e6ec52e87d
Instruction ID: e09e72cb5b4e27e7787b3c97075050f850095edce9f01fe6d33fcdbb9e1ceca7
Opcode Fuzzy Hash: 70aa695655823668bfc25bcb4ee283b1c4bcd97826bfb9d0b85d69e6ec52e87d
Instruction Fuzzy Hash: 543187B9D042589FCF10CFA9D884A9EFBB0BB59310F10906AE924B7310D375A906CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02F8329B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,00000000,?), ref: 02F83345

Strings

[@Sd, xrefs: 02F832BD

Memory Dump Source

Source File: 00000000.00000002.651757622.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: [@Sd
API String ID: 4275171209-2526769577
Opcode ID: 7e9473e5c84e7da51d37d84a73e6112bafb8e1fd63269077f3792e61d3d45878
Instruction ID: 34463ade9ee6d09594a5926d8b153c34259e7ad5de2915a89de8b605931c993d
Opcode Fuzzy Hash: 7e9473e5c84e7da51d37d84a73e6112bafb8e1fd63269077f3792e61d3d45878
Instruction Fuzzy Hash: 033184B9D002589FCF10CFA9D984ADEFBB5BB59310F10A02AE824B7310D335A906CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02F81DDC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 91threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNEL32(?,?), ref: 02F83122

Strings

[@Sd, xrefs: 02F8309A

Memory Dump Source

Source File: 00000000.00000002.651757622.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: ContextThread
String ID: [@Sd
API String ID: 1591575202-2526769577
Opcode ID: d51f72b33ab473d79b5e1cdc5e39dc41f5e1cbce8fc19345b732f22bc49fff91
Instruction ID: 09ae172d8f6e01874ce6dc0a64f57ccbfb3660e1c0e81dfbd5c5d728dd45997a
Opcode Fuzzy Hash: d51f72b33ab473d79b5e1cdc5e39dc41f5e1cbce8fc19345b732f22bc49fff91
Instruction Fuzzy Hash: 5331AAB5D012589FCB10CFA9D884AEEFBF1BB49714F14806AE418B7310D379A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02F81D94, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 91threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNEL32(?,?), ref: 02F83122

Strings

[@Sd, xrefs: 02F8309A

Memory Dump Source

Source File: 00000000.00000002.651757622.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: ContextThread
String ID: [@Sd
API String ID: 1591575202-2526769577
Opcode ID: 47d413a373347560348a069d698c6f6ea268a4c14294629365f33130bd5817d5
Instruction ID: d94d0a9eb38bfcd2827affed9ab861a069b5ed25237b142a4c3e7558912e8bb7
Opcode Fuzzy Hash: 47d413a373347560348a069d698c6f6ea268a4c14294629365f33130bd5817d5
Instruction Fuzzy Hash: 8231A8B5E012589FCB10CFA9D884AEEFBF1BB49714F14806AE418B7310D379A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02F83077, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNEL32(?,?), ref: 02F83122

Strings

[@Sd, xrefs: 02F8309A

Memory Dump Source

Source File: 00000000.00000002.651757622.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: ContextThread
String ID: [@Sd
API String ID: 1591575202-2526769577
Opcode ID: 048a411bade3c70d9bd9414668d10414d1d0a483f4550649f1ed9b20c1a11299
Instruction ID: 72b2ccac9ffc8bd1bec9522502619205cd995530c9f93d8725c0472aed78dc65
Opcode Fuzzy Hash: 048a411bade3c70d9bd9414668d10414d1d0a483f4550649f1ed9b20c1a11299
Instruction Fuzzy Hash: 853197B5D012589FCB10CFA9D984AEEFBF1BB09314F24906AE418B7310D379AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02F83800, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?), ref: 02F8387E

Strings

[@Sd, xrefs: 02F83825

Memory Dump Source

Source File: 00000000.00000002.651757622.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: ResumeThread
String ID: [@Sd
API String ID: 947044025-2526769577
Opcode ID: 3638b2cf98e85bf806060867e0be3fdd14b47b86178f102a7f3693e5e3af5480
Instruction ID: 5578bbccbf81a34e50ae444cc7a1cb0c80a60ce185a02843773c9aa644747714
Opcode Fuzzy Hash: 3638b2cf98e85bf806060867e0be3fdd14b47b86178f102a7f3693e5e3af5480
Instruction Fuzzy Hash: 052179B5E002199FCB10CFA9D484ADEFBF4EB49324F14906AE918B7310D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02F81DF4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?), ref: 02F8387E

Strings

[@Sd, xrefs: 02F83825

Memory Dump Source

Source File: 00000000.00000002.651757622.0000000002F80000.00000040.00000001.sdmp, Offset: 02F80000, based on PE: false

Similarity

API ID: ResumeThread
String ID: [@Sd
API String ID: 947044025-2526769577
Opcode ID: e97b0803336a4e934de84abeef5122dd1cd25eb671073b90765a4af8325bfd38
Instruction ID: bde69504b46d40ebcad08db1f636afd38f29a8e73fce721bc5b83553719c54e9
Opcode Fuzzy Hash: e97b0803336a4e934de84abeef5122dd1cd25eb671073b90765a4af8325bfd38
Instruction Fuzzy Hash: 7C2197B5E042189FCB10CFA9D484ADEFBF4EB09324F14906AE929B7310D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 011FD6F0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.651501955.00000000011FD000.00000040.00000001.sdmp, Offset: 011FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e7d20a2efef1e289cd31b6a432db6c3490ae30689e7b77dc7ba181e8b3af37
Instruction ID: ad466260338e89d27c57660fe460d51d92a9108842272ecfc7994cc4e8539e1a
Opcode Fuzzy Hash: 70e7d20a2efef1e289cd31b6a432db6c3490ae30689e7b77dc7ba181e8b3af37
Instruction Fuzzy Hash: D72108B5504680DFDF09DF54E8C4B26BFA5FB84318F24866DEA054F206C336D845C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 011FD6EB, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.651501955.00000000011FD000.00000040.00000001.sdmp, Offset: 011FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction ID: 078a3b3563bcf3db9ce1cdea7fe38e51f132c4f8705013f4ebd3194a240c8752
Opcode Fuzzy Hash: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction Fuzzy Hash: 3D11AF76504680DFCF16CF54D5C4B2ABF71FB84324F2886ADD9050B616C336D456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011FD045, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.651501955.00000000011FD000.00000040.00000001.sdmp, Offset: 011FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58fbd9dfbaf3b815687f155522499e53c429937c6b3ab9e86868372176c1e7aa
Instruction ID: 724b10540c5cef55eb6ed5fa549700aaf3682e314ee7599a0f23c9af9b68c36b
Opcode Fuzzy Hash: 58fbd9dfbaf3b815687f155522499e53c429937c6b3ab9e86868372176c1e7aa
Instruction Fuzzy Hash: C301F7710083409AEB194A65DC84777FBD8EF452A4F09C15EEF044B286C3799842CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 011FD044, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.651501955.00000000011FD000.00000040.00000001.sdmp, Offset: 011FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4ec4a5a6cb1136283a976662c498fa573b393ed2a23a28d103959899a9e9b5
Instruction ID: c939a753aa7de73b1e46ca05678a9308c80077aaa15f30d125dcb9ddbd7c3b22
Opcode Fuzzy Hash: fd4ec4a5a6cb1136283a976662c498fa573b393ed2a23a28d103959899a9e9b5
Instruction Fuzzy Hash: 51F0C8714042449AEB158E15DCC8773FF98EB45774F18C15AEE044B287C3795845CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: Waybill Document 22700456.exe PID: 492 Parent PID: 984 Waybill Document 22700456.exeCOMMON

Executed Functions

Function 0325B6C0, Relevance: 6.1, APIs: 4, Instructions: 127threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0325B730
GetCurrentThread.KERNEL32 ref: 0325B76D
GetCurrentProcess.KERNEL32 ref: 0325B7AA
GetCurrentThreadId.KERNEL32 ref: 0325B803

Memory Dump Source

Source File: 00000002.00000002.913626074.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b1d3c3f57ad7cb7e72891f30ee9de1ff18e67b0e08ad21bbb6ad066eabb3736d
Instruction ID: 9a0678ddeede72066a4a5b515cbe5cb170e028be352e30eeb3c5ca49e2df07ad
Opcode Fuzzy Hash: b1d3c3f57ad7cb7e72891f30ee9de1ff18e67b0e08ad21bbb6ad066eabb3736d
Instruction Fuzzy Hash: 2B5164B09102498FDB14CFA9D988BDEBBF0FF49314F24846AE419A7350D774A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0325B6D0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0325B730
GetCurrentThread.KERNEL32 ref: 0325B76D
GetCurrentProcess.KERNEL32 ref: 0325B7AA
GetCurrentThreadId.KERNEL32 ref: 0325B803

Memory Dump Source

Source File: 00000002.00000002.913626074.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0b93cb4816d026f82ecbf6f58c156c4e9930501d2cdf5bbef857d3847791a332
Instruction ID: 3c4953e8130b9790a0a2b256b82f9db080a1eb4675ff562f0b17d56e65f485d4
Opcode Fuzzy Hash: 0b93cb4816d026f82ecbf6f58c156c4e9930501d2cdf5bbef857d3847791a332
Instruction Fuzzy Hash: F15163B09102498FDB14CFA9D588BDEBBF0BF48314F24846AE419A3350D774A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06873558, Relevance: 1.7, APIs: 1, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.917797557.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d09bcd3639d00de7beb5726757b6aae9fe242f37315c849ee3c96724f2b87e
Instruction ID: ab4c91b60795018e92451e98f609f163d9c7b05bbd7f410cf8893e683e3555a5
Opcode Fuzzy Hash: 43d09bcd3639d00de7beb5726757b6aae9fe242f37315c849ee3c96724f2b87e
Instruction Fuzzy Hash: AE8168B1D0420D9FDB14DFA9D8816EEBBB1FF88314F20812AD515EB250DB709949DF92

Uniqueness

Uniqueness Score: -1.00%

Function 032593E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0325962E

Memory Dump Source

Source File: 00000002.00000002.913626074.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4e09db3215d212cf3bb10292f02a9bb08905b7cbbf1435e99a74ddde3243296a
Instruction ID: af855d770c21065e9d601a480317058ac81667ef64dbeec68b5bad746e240e4b
Opcode Fuzzy Hash: 4e09db3215d212cf3bb10292f02a9bb08905b7cbbf1435e99a74ddde3243296a
Instruction Fuzzy Hash: 18712670A10B058FD724DF2AC44075AB7F5FF88214F048A6EE88AD7A50D774E985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06873604, Relevance: 1.6, APIs: 1, Instructions: 145networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06873738

Memory Dump Source

Source File: 00000002.00000002.917797557.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 31b4fd30f1960277d4acefd7d6e8c594292878cbaaff7aea41a1ba25ec0c5712
Instruction ID: b99529b72f35b265da3d962491461ad41dc86c44a29aa69a49f761177aebff93
Opcode Fuzzy Hash: 31b4fd30f1960277d4acefd7d6e8c594292878cbaaff7aea41a1ba25ec0c5712
Instruction Fuzzy Hash: 005123B1D042599FDF14CFA9C884ADEFBB1FF48318F24812AE914AB240DB749946DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0687190C, Relevance: 1.6, APIs: 1, Instructions: 140networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06873738

Memory Dump Source

Source File: 00000002.00000002.917797557.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: e156b1ffbe31e7e16ad296d7646f03c006db85626d77784186c05f06217a391d
Instruction ID: f91faacd4e6769489938cff126b1b276b61ee4401a4bce1d29dab78a43813def
Opcode Fuzzy Hash: e156b1ffbe31e7e16ad296d7646f03c006db85626d77784186c05f06217a391d
Instruction Fuzzy Hash: 555102B1D0421D9FDF54CFA9C884ADEBBB5FF48304F24812AE914A7240DB74A946DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0325FBEC, Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0325FD0A

Memory Dump Source

Source File: 00000002.00000002.913626074.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b1f4bd856d4d6188cd3402fd55b64733aeae5f0e7d69991907beefec83e28740
Instruction ID: 4dc4176682c23ae8dabcfe7859ec6fa9d8944005bf92cd5cbdee95fa4b80d402
Opcode Fuzzy Hash: b1f4bd856d4d6188cd3402fd55b64733aeae5f0e7d69991907beefec83e28740
Instruction Fuzzy Hash: DB51C0B1D10209EFDB14CFA9C984ADEBBB1FF48314F24852AE819AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0325FBF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0325FD0A

Memory Dump Source

Source File: 00000002.00000002.913626074.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c6aff887a34eb8556adda8fe823ab5237107a9f54303be4392e1f8e10fac56ab
Instruction ID: 3723e25b6b24582a3011621a1fbd2f85233a6beeb78be0c5f37befb43d4dced3
Opcode Fuzzy Hash: c6aff887a34eb8556adda8fe823ab5237107a9f54303be4392e1f8e10fac56ab
Instruction Fuzzy Hash: 3E41AEB1D10309EFDB14CF99C984ADEBBB5BF48314F24852AE819AB210D7759985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0325BCF9, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0325BD87

Memory Dump Source

Source File: 00000002.00000002.913626074.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1f39b4b130eb31d986498554036f692cae63f5ad735e5f75ffcab7b08aaad3c9
Instruction ID: 98880c2ae9172586d110144777d63ace23b2f9c9ef41f44485cb485d130668a6
Opcode Fuzzy Hash: 1f39b4b130eb31d986498554036f692cae63f5ad735e5f75ffcab7b08aaad3c9
Instruction Fuzzy Hash: 2021D2B5901248AFDB10CFA9D884AEEBFF8EB49320F14841AE954A7310D375A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0325BD00, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0325BD87

Memory Dump Source

Source File: 00000002.00000002.913626074.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 530d1384c294b049599d7c2e447e62ed52cd57a4017164ff4510dfaae535c8b8
Instruction ID: 9e4b479f5f257a67b13343065ed4b60f7f5d12e8f74f1bc602cc27ec98d85e46
Opcode Fuzzy Hash: 530d1384c294b049599d7c2e447e62ed52cd57a4017164ff4510dfaae535c8b8
Instruction Fuzzy Hash: 0A21D5B59012499FDB10CF99D884ADEFBF4FB48324F14841AE914A3310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03258768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,032596A9,00000800,00000000,00000000), ref: 032598BA

Memory Dump Source

Source File: 00000002.00000002.913626074.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 267ed6b2f1fe19aece821cfe88cc4ffb83d66c794797010b360b64c485bf8969
Instruction ID: 483d65425f38b4df01bc8ceb2781c6529e375692f7ba712cfb6f47b047425b5f
Opcode Fuzzy Hash: 267ed6b2f1fe19aece821cfe88cc4ffb83d66c794797010b360b64c485bf8969
Instruction Fuzzy Hash: 6D1106B69002499FDB10CF9AD448BDEFBF4EB48310F04842EE915A7600C375A985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 03259849, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,032596A9,00000800,00000000,00000000), ref: 032598BA

Memory Dump Source

Source File: 00000002.00000002.913626074.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0ab994f1a5d1ba988abf95f4b3198ac8cfe746110a5c21aef4a9124b34a4a115
Instruction ID: 7283e24d151d637ca82dbd0dd9e1ec5a83a9a197a2ff96d5aa93b7797ccbf404
Opcode Fuzzy Hash: 0ab994f1a5d1ba988abf95f4b3198ac8cfe746110a5c21aef4a9124b34a4a115
Instruction Fuzzy Hash: 901106B2C002499FDB10CF9AD448BDEFBF4EB49310F04842EE815A7600C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 032595C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0325962E

Memory Dump Source

Source File: 00000002.00000002.913626074.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7b9d89b5a625ea56440fd8f91cafb3596b72ed7390b0f4355d3803a8d6754fa9
Instruction ID: 55a7738b8d2896509849fbb1235edfa9cc7c405e6d4972e534a0d8acbf0561a2
Opcode Fuzzy Hash: 7b9d89b5a625ea56440fd8f91cafb3596b72ed7390b0f4355d3803a8d6754fa9
Instruction Fuzzy Hash: 8C11E3B5C002498FDB10CF9AC444BDEFBF4EB89324F14841AD829A7600D375A589CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0325FE38, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0325FE9D

Memory Dump Source

Source File: 00000002.00000002.913626074.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 2fd80d45ad459599a161c5c54f0f4e08850fbef55b30d8f4df0e43ab05f0fa45
Instruction ID: 52f85267284191b5fdb7e9cc73fe3036d4e62a36ca16ed3ba3adbe08c248caee
Opcode Fuzzy Hash: 2fd80d45ad459599a161c5c54f0f4e08850fbef55b30d8f4df0e43ab05f0fa45
Instruction Fuzzy Hash: 1E1103B5800249DFDB10CF99D589BDEBBF4FB48324F14841AE914A7301C374AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0325FE40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0325FE9D

Memory Dump Source

Source File: 00000002.00000002.913626074.0000000003250000.00000040.00000001.sdmp, Offset: 03250000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: eaa130ab43a477ab8264a3f38bfd399e62e2944daa52c266016e0498302b8575
Instruction ID: e7363e5dd6c555617994205e3398ba712989593a48a6ff460870dafe7e4d5365
Opcode Fuzzy Hash: eaa130ab43a477ab8264a3f38bfd399e62e2944daa52c266016e0498302b8575
Instruction Fuzzy Hash: 0311D0B58002499FDB10DF99D589BDEBBF8EB48324F14841AE919A7741C3B4AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0170D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.913356432.000000000170D000.00000040.00000001.sdmp, Offset: 0170D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e219ce289f7299911ed26e16c3392537a0c17c24fb17035381356763154c6255
Instruction ID: 6c62537625fb2d7b444ec53c01ed609cd142a618fc44139df374b3dc51d6efa4
Opcode Fuzzy Hash: e219ce289f7299911ed26e16c3392537a0c17c24fb17035381356763154c6255
Instruction Fuzzy Hash: DB2103B1604300DFDB26CF94D8C4B16FBA5FB88354F24C5A9D90D4B286C376D847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0170D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.913356432.000000000170D000.00000040.00000001.sdmp, Offset: 0170D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21dbda9fffde9beb189af7165341122266bd3c9337f42a4093e234a02c9dbdce
Instruction ID: e9e3b472955d0ddc531c42cc24acc772cdba521fed767522e0c738718771305a
Opcode Fuzzy Hash: 21dbda9fffde9beb189af7165341122266bd3c9337f42a4093e234a02c9dbdce
Instruction Fuzzy Hash: AA11BB75504380CFCB22CF54D5D4B15FBA1FB88324F28C6AAD8094B696C33AD44ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 4700 Parent PID: 3424 dhcpmon.exeCOMMON

Executed Functions

Function 01922D35, Relevance: 1.7, APIs: 1, Instructions: 238processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01922F1F

Memory Dump Source

Source File: 00000003.00000002.684876286.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5e1f4a11ed95f4698bfd9035b4a21aefa0e60ff0df35b2c84947c19279cf2867
Instruction ID: 90581a79a65fa9681a36104e6f5400eb56cbdf4436cdc3ebee5cdd334f5f545f
Opcode Fuzzy Hash: 5e1f4a11ed95f4698bfd9035b4a21aefa0e60ff0df35b2c84947c19279cf2867
Instruction Fuzzy Hash: E081D071D0426D9FCF25CF68C884BDDBBB5BB19304F0590AAE548B7210DB70AA85DF94

Uniqueness

Uniqueness Score: -1.00%

Function 01922D40, Relevance: 1.7, APIs: 1, Instructions: 236processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01922F1F

Memory Dump Source

Source File: 00000003.00000002.684876286.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0a0f22a4eb1e23da71a705a8e09022bd20d8a10d062554eb6ef2b18c9b114056
Instruction ID: 37d7d7af1b243972d4abf104e7e636a3cfdfbb5fa2776ed559c8aa2c9a07214b
Opcode Fuzzy Hash: 0a0f22a4eb1e23da71a705a8e09022bd20d8a10d062554eb6ef2b18c9b114056
Instruction Fuzzy Hash: 6C81D071D0426D8FCB25CF68C884BDDBBB5BB19304F0590AAE548B7210DB70AA85DF94

Uniqueness

Uniqueness Score: -1.00%

Function 019233A0, Relevance: 1.6, APIs: 1, Instructions: 112injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 01923476

Memory Dump Source

Source File: 00000003.00000002.684876286.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 608ef9fcda563de5c015253004204c300dbd10b9b5c61758116db2bb6622a617
Instruction ID: 9191fdba393c8ede9bb4e9aece8b549528777d767557b5216c7814d3fe268477
Opcode Fuzzy Hash: 608ef9fcda563de5c015253004204c300dbd10b9b5c61758116db2bb6622a617
Instruction Fuzzy Hash: 00416AB9D002589FCB00CFA9D984ADEFBF5BB49314F14906AE918B7310D379AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 019233A8, Relevance: 1.6, APIs: 1, Instructions: 110injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 01923476

Memory Dump Source

Source File: 00000003.00000002.684876286.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6cda0ff6d333e12033e680abc7f90c73daac89e674523d8111103fcf5117b945
Instruction ID: 053d7e123a8b3dc3ee37dfa9f7cbb912b9e3985e8a430b59ae8752903b59d7d0
Opcode Fuzzy Hash: 6cda0ff6d333e12033e680abc7f90c73daac89e674523d8111103fcf5117b945
Instruction Fuzzy Hash: EE416AB5D002589FCF00CFA9D984ADEFBF5BB49314F14906AE918B7210D379AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 01923182, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 01923235

Memory Dump Source

Source File: 00000003.00000002.684876286.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5bb977b3aa3b1f82d41f6768a8a4c20ed0f5876c1b87d0bf40b4a8353c794160
Instruction ID: 285da770838b59be6ff6f93e3fde5304ea6accc5da7385567c7286fa5763ca33
Opcode Fuzzy Hash: 5bb977b3aa3b1f82d41f6768a8a4c20ed0f5876c1b87d0bf40b4a8353c794160
Instruction Fuzzy Hash: B53178B9D04258DFCF10CFA9D984ADEFBB5BB0A310F10902AE814B7210D375AA45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 01923188, Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 01923235

Memory Dump Source

Source File: 00000003.00000002.684876286.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f7d13426b4d50f17b86514374bed80c6b14629411f4128d3e8bef58790705b1a
Instruction ID: 3f9aa66f904ff3eb29c32da2cec458b065e3df1e6adb5a7afbb4107309548bd8
Opcode Fuzzy Hash: f7d13426b4d50f17b86514374bed80c6b14629411f4128d3e8bef58790705b1a
Instruction Fuzzy Hash: F43168B9D042589FCF10CFA9D984ADEFBB5BB1A310F14902AE814B7210D375AA45CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0192329A, Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 01923345

Memory Dump Source

Source File: 00000003.00000002.684876286.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 237ef4758b9f7253d277af24afa66ee53b9621d03b5bfffcb27b63c6ca92f832
Instruction ID: 313bcfc66d7ad90ef59d979947296222aac931950923b3b9867ad1f8d171233f
Opcode Fuzzy Hash: 237ef4758b9f7253d277af24afa66ee53b9621d03b5bfffcb27b63c6ca92f832
Instruction Fuzzy Hash: 203176B9D002589FCF10CFA9D884ADEFBB5BB19310F14A02AE914B7310D775A946CF65

Uniqueness

Uniqueness Score: -1.00%

Function 019232A0, Relevance: 1.6, APIs: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 01923345

Memory Dump Source

Source File: 00000003.00000002.684876286.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: af558bd71d288bbf3d528ce144ad8d7fc81626636db0f34acacbfdffb5b9f1d3
Instruction ID: 6e598ed05a1ae195ff1c1fb2983a1757ac6ac24555fe07e100bd022ce6f4ea51
Opcode Fuzzy Hash: af558bd71d288bbf3d528ce144ad8d7fc81626636db0f34acacbfdffb5b9f1d3
Instruction Fuzzy Hash: 3E3177B9D002589FCF10CFA9D884ADEFBB5BB19310F10A02AE814B7310D375A946CF65

Uniqueness

Uniqueness Score: -1.00%

Function 01923078, Relevance: 1.6, APIs: 1, Instructions: 88threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNEL32(?,?), ref: 01923122

Memory Dump Source

Source File: 00000003.00000002.684876286.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 2bda2d7600baa99a06e3eae7550ca9b02c50a159d9330ede5c2c4e9f7749a0e9
Instruction ID: 1f73e8902ac3ecc0490da0884d1ca9bb5f17147720c1178d8d277462f1bdca4d
Opcode Fuzzy Hash: 2bda2d7600baa99a06e3eae7550ca9b02c50a159d9330ede5c2c4e9f7749a0e9
Instruction Fuzzy Hash: AF319AB5D012589FCB10CFA9D884ADEFBF5BB49314F24902AE418B7300D378AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 01923077, Relevance: 1.6, APIs: 1, Instructions: 86threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNEL32(?,?), ref: 01923122

Memory Dump Source

Source File: 00000003.00000002.684876286.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 23552e0011e70feb19e4f9562a44163e9115b0124249b5fd0891d86268635b3a
Instruction ID: f6b503fdcee87565a17cf12690588537eb284d350ac5d5bab10fd29905c8872c
Opcode Fuzzy Hash: 23552e0011e70feb19e4f9562a44163e9115b0124249b5fd0891d86268635b3a
Instruction Fuzzy Hash: 5A3199B5D012589FCB10CFA9D984ADEFBF1BB09314F24902AE418B7300D378AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 019234E2, Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?), ref: 0192355E

Memory Dump Source

Source File: 00000003.00000002.684876286.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 68c159aff41a9f45b045db8cd4707f4e32cf1bbc7f3c70979ec32decbd5fa546
Instruction ID: 016187d6b847fe1dcfed580b1a1a3e25b66a817ad7aedf3e53d7cb5b8bf7f792
Opcode Fuzzy Hash: 68c159aff41a9f45b045db8cd4707f4e32cf1bbc7f3c70979ec32decbd5fa546
Instruction Fuzzy Hash: 052174B9D002189FCB10CFA9D484ADEFBF4BB49324F14902AE818B7300D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 019234E8, Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?), ref: 0192355E

Memory Dump Source

Source File: 00000003.00000002.684876286.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 95daf42f916c56c1d283c088aeebf9ffa6d84d5c243d5265e61f2422daf89212
Instruction ID: d864ea0436cf95e9b0f0f07b09a4016ae131ed4cff690e560ee5751ebd61ee99
Opcode Fuzzy Hash: 95daf42f916c56c1d283c088aeebf9ffa6d84d5c243d5265e61f2422daf89212
Instruction Fuzzy Hash: 822175B9D002189FCB10CFA9D484ADEFBF4BB49324F14902AE818B7300D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01923070, Relevance: 1.6, APIs: 1, Instructions: 52threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNEL32(?,?), ref: 01923122

Memory Dump Source

Source File: 00000003.00000002.684876286.0000000001920000.00000040.00000001.sdmp, Offset: 01920000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: b042c7d4a1e02a3ae31e5598ec2e4bffa5f63b86f8afa43d1c76d444730d936c
Instruction ID: 9d42cf3253865b5be818f06d639f84686b43acd5934724e830c8f9e4900d6e6a
Opcode Fuzzy Hash: b042c7d4a1e02a3ae31e5598ec2e4bffa5f63b86f8afa43d1c76d444730d936c
Instruction Fuzzy Hash: 1F119D75D052589FDB10CF98E484AEDBBF1BB09314F249059E414B7251C3799A49CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0183D6F0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.684792274.000000000183D000.00000040.00000001.sdmp, Offset: 0183D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb843a5189b074e3d114925de5bee96765d30b3c804b0f3a4f3e399cad95febd
Instruction ID: f3e134c996d084cb45a1225779242d96d02fab28ca72a693da3a178be791f892
Opcode Fuzzy Hash: fb843a5189b074e3d114925de5bee96765d30b3c804b0f3a4f3e399cad95febd
Instruction Fuzzy Hash: 9A2148B1504284DFCB02DF54D8C0B26BFA1FBC8324F288669E9058B207C336D956CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0183D6EB, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.684792274.000000000183D000.00000040.00000001.sdmp, Offset: 0183D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction ID: 232c3c9774ff8cf500a69dda9389420341bc40ddcabed4b30d261e9e0b51baf8
Opcode Fuzzy Hash: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction Fuzzy Hash: 6611BE76904280DFCB12CF54D9C4B1ABF71FB88320F2886A9D8044B617C33AD55ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0183D045, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.684792274.000000000183D000.00000040.00000001.sdmp, Offset: 0183D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629de5edb6326b29ac85bc6bbf401e604bfec45c0b4bee7b660a90a940c98872
Instruction ID: 1a7f83aff9146ff00f17e96948bdea77a4acbcb184dfe6a32f211a8f4943f5f5
Opcode Fuzzy Hash: 629de5edb6326b29ac85bc6bbf401e604bfec45c0b4bee7b660a90a940c98872
Instruction Fuzzy Hash: D701F7714083849AE7104A65CC94B67FBD8EFC1BB8F4CC25AEE049B246C379D946CAF1

Uniqueness

Uniqueness Score: -1.00%

Function 0183D044, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.684792274.000000000183D000.00000040.00000001.sdmp, Offset: 0183D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005f671c493a7cfab219fa161110971f659d467157c302d9c00e9b0e413441ad
Instruction ID: 080c79e4d2dd86bd65a05da22c59a326f87fb947289b4e0bb018c625d17d771b
Opcode Fuzzy Hash: 005f671c493a7cfab219fa161110971f659d467157c302d9c00e9b0e413441ad
Instruction Fuzzy Hash: 91F096714043849EEB118E59CCC8B63FFD8EB86774F18C55AED089B286C379A845CAF1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 1172 Parent PID: 4700 dhcpmon.exeCOMMON

Executed Functions

Function 0152B6C0, Relevance: 6.1, APIs: 4, Instructions: 125threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0152B730
GetCurrentThread.KERNEL32 ref: 0152B76D
GetCurrentProcess.KERNEL32 ref: 0152B7AA
GetCurrentThreadId.KERNEL32 ref: 0152B803

Memory Dump Source

Source File: 00000004.00000002.699473365.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b8d2cd4cb5f76594da0beef5d3254372c953113eb1d164448155cd104a586c4c
Instruction ID: 9ec5fcadafb247d08539b294cc3f080ef17045abd7c6840630fd75fd8f0c04c7
Opcode Fuzzy Hash: b8d2cd4cb5f76594da0beef5d3254372c953113eb1d164448155cd104a586c4c
Instruction Fuzzy Hash: 065154B4D002588FDB14CFA9C688B9EBBF0BF4A314F28895AE419AB390C7745944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0152B6D0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0152B730
GetCurrentThread.KERNEL32 ref: 0152B76D
GetCurrentProcess.KERNEL32 ref: 0152B7AA
GetCurrentThreadId.KERNEL32 ref: 0152B803

Memory Dump Source

Source File: 00000004.00000002.699473365.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 49872f2adaca7281b81d3002075d48edd0bc084c89f17e54b8c0d59bf7c8ae1d
Instruction ID: ffd3220040e87876df0ec33c263c431abcca7035810ff0b1e28e6997d99266dc
Opcode Fuzzy Hash: 49872f2adaca7281b81d3002075d48edd0bc084c89f17e54b8c0d59bf7c8ae1d
Instruction Fuzzy Hash: 915165B0D002088FDB14CFAAC588BDEBBF1BF49314F24895AE419A7390C7746944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 015293E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0152962E

Memory Dump Source

Source File: 00000004.00000002.699473365.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f89712c0a286a0cffa6a448a3fd52d38bd7a6331a00f832e07304ab8febb3016
Instruction ID: f1a0dfff47684d30cd4aa1dafb08fbc4042de9c4bfce173d9289347cb2993259
Opcode Fuzzy Hash: f89712c0a286a0cffa6a448a3fd52d38bd7a6331a00f832e07304ab8febb3016
Instruction Fuzzy Hash: 3B713671A00B258FD724CF69D44079ABBF1BF89218F008A2DD58ADBB90D775E849CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0152FBEC, Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0152FD0A

Memory Dump Source

Source File: 00000004.00000002.699473365.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 41504c708fe6c3f90471efbc34a9aec3410154e5271f6d67cbf541c5df35ffc3
Instruction ID: 2d5bda07db2e828a3afe290c5e459592235480bda19fc2e795d3ac02bcee7b64
Opcode Fuzzy Hash: 41504c708fe6c3f90471efbc34a9aec3410154e5271f6d67cbf541c5df35ffc3
Instruction Fuzzy Hash: A751DFB1D00318DFDB14CFA9D884ADEBBB5FF49314F24852AE819AB250D774A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0152FBF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0152FD0A

Memory Dump Source

Source File: 00000004.00000002.699473365.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c3acc44beb31db82279947bdc1d2d1c0314d3b3ee33c154723c284ecbc1152a1
Instruction ID: 44596c65b559670145ca0388ce8163dfe0f731a2e166eed185b9d41a769a4f33
Opcode Fuzzy Hash: c3acc44beb31db82279947bdc1d2d1c0314d3b3ee33c154723c284ecbc1152a1
Instruction Fuzzy Hash: 5841C0B1D00318DFDB14CF9AD884ADEBBB5FF48314F24812AE819AB250D775A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0152BCF9, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0152BD87

Memory Dump Source

Source File: 00000004.00000002.699473365.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8de48fc8e68c5149f4c5fa0dc8bfa8ad20c8ab69c09ff1828945822c470de1f3
Instruction ID: e7275fbd5f7e3f5c8e20f326a4e65cabf24a060a3465bd8c114332841efb7298
Opcode Fuzzy Hash: 8de48fc8e68c5149f4c5fa0dc8bfa8ad20c8ab69c09ff1828945822c470de1f3
Instruction Fuzzy Hash: 4421B2B6D002189FDB10CF99D984BDEBBF4BB48324F14841AE915A7250D378A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0152BD00, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0152BD87

Memory Dump Source

Source File: 00000004.00000002.699473365.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e9804b35cdaed284fcfcdde2f5d7b92c543ed1a1cfce8ee7313c93d329f5b206
Instruction ID: 8a645a070fd40949484b2225f624573b85c68f3d57c73e7cda5afa0d99d3dc42
Opcode Fuzzy Hash: e9804b35cdaed284fcfcdde2f5d7b92c543ed1a1cfce8ee7313c93d329f5b206
Instruction Fuzzy Hash: ED21C4B59002189FDB10CF9AD484ADEFBF8FB49324F14841AE915A7350D374A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01528768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015296A9,00000800,00000000,00000000), ref: 015298BA

Memory Dump Source

Source File: 00000004.00000002.699473365.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1efe347e61ea4b756c47d6bade589c2c5d423005634e1a95cae2a03c3638d3de
Instruction ID: af0955b02edc9b9ffb266ea6fcf398e8ed533228fa82fec5be62a5eabb65849b
Opcode Fuzzy Hash: 1efe347e61ea4b756c47d6bade589c2c5d423005634e1a95cae2a03c3638d3de
Instruction Fuzzy Hash: 8B11F4B69002199FDB10CF9AC444B9EFBF4FB49314F14842AE515A7740C3B5A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01529849, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015296A9,00000800,00000000,00000000), ref: 015298BA

Memory Dump Source

Source File: 00000004.00000002.699473365.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: daedfaf6e3f56d4dc6ae55a920e7debbb87563746a7b57bd07958adbda869058
Instruction ID: f361d1f47947ec8973169d3540249c0d38c6153b382cda0a282cbd6eda566755
Opcode Fuzzy Hash: daedfaf6e3f56d4dc6ae55a920e7debbb87563746a7b57bd07958adbda869058
Instruction Fuzzy Hash: EF11CFB6D002198FDB10CFAAD484BDEFBF4BB49324F15842AD529A7740C3B5A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015295C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0152962E

Memory Dump Source

Source File: 00000004.00000002.699473365.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bdd7a1a49aa2f5710fdfd980fef016f995f63b3889359f123310d64adc981735
Instruction ID: df19c069fde115852cfd52fa407f3144bbdaf990fe477544b5003e5cba3fd984
Opcode Fuzzy Hash: bdd7a1a49aa2f5710fdfd980fef016f995f63b3889359f123310d64adc981735
Instruction Fuzzy Hash: 8511C0B6C002598BDB20CF9AD444B9EFBF4AB89224F14841AD429A7740C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0152FE38, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0152FE9D

Memory Dump Source

Source File: 00000004.00000002.699473365.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ae896add23b57a990d1cbbc1f3bdf88034e196bee3269815cad64142a10ac41d
Instruction ID: d581c0a6e8bf7f7c474a1948088df471caa3f7c2a25a5a8a37a7186f990d09c2
Opcode Fuzzy Hash: ae896add23b57a990d1cbbc1f3bdf88034e196bee3269815cad64142a10ac41d
Instruction Fuzzy Hash: 8911E0B6800219CFDB10CF99D589BDEBBF8FB49324F10841AD954B7641C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0152FE40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0152FE9D

Memory Dump Source

Source File: 00000004.00000002.699473365.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 3ff917e833613e476ab4648af89daadffbcd75efd144f386508147c469b69592
Instruction ID: 51d826a1d919f8bc9b4908f522f12b9ecf55e731b04bedbb42e7ebe6fc39c907
Opcode Fuzzy Hash: 3ff917e833613e476ab4648af89daadffbcd75efd144f386508147c469b69592
Instruction Fuzzy Hash: D811D3B58002599FDB10CF99D589BDEBBF8FB49724F10841AE915A7740C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Waybill Document 22700456.pif

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets