
Analysis Report e1f063d6_by_Libranalysis

Overview

General Information

Sample Name: e1f063d6_by_Libranalysis (renamed file extension from none to exe)
Analysis ID: 411585
MD5: e1f063d63a75e0e0e864052b1a50ab06
SHA1: 75d941a28cf0ade2ef2c16dfacbdeb36a51ccaf7
SHA256: 8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Raccine Uninstall
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes
Yara detected PsExec sysinternal tool

Classification

Startup

  • System is w10x64
  • e1f063d6_by_Libranalysis.exe (PID: 5964 cmdline: 'C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe' MD5: E1F063D63A75E0E0E864052B1A50AB06)
    • taskkill.exe (PID: 6092 cmdline: 'taskkill' /F /IM RaccineSettings.exe MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
      • conhost.exe (PID: 5436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • conhost.exe (PID: 6240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • reg.exe (PID: 5868 cmdline: 'reg' delete 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /V 'Raccine Tray' /F MD5: E3DACF0B31841FA02064B4457D44B357)
      • conhost.exe (PID: 3340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • reg.exe (PID: 2508 cmdline: 'reg' delete HKCU\Software\Raccine /F MD5: E3DACF0B31841FA02064B4457D44B357)
      • conhost.exe (PID: 5624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5112 cmdline: 'schtasks' /DELETE /TN 'Raccine Rules Updater' /F MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • netsh.exe (PID: 6084 cmdline: 'netsh' advfirewall firewall set rule group=\'Network Discovery\' new enable=Yes MD5: 98CC37BBF363A38834253E22C80A8F32)
      • conhost.exe (PID: 1000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 5660 cmdline: 'sc.exe' config Dnscache start= auto MD5: D79784553A9410D15E04766AAAB77CD6)
      • conhost.exe (PID: 5112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 6092 cmdline: 'sc.exe' config SSDPSRV start= auto MD5: D79784553A9410D15E04766AAAB77CD6)
    • sc.exe (PID: 6232 cmdline: 'sc.exe' config SQLTELEMETRY start= disabled MD5: D79784553A9410D15E04766AAAB77CD6)
      • conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 6284 cmdline: 'sc.exe' config SQLWriter start= disabled MD5: D79784553A9410D15E04766AAAB77CD6)
      • conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 6324 cmdline: 'sc.exe' config FDResPub start= auto MD5: D79784553A9410D15E04766AAAB77CD6)
      • conhost.exe (PID: 6372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 6364 cmdline: 'sc.exe' config upnphost start= auto MD5: D79784553A9410D15E04766AAAB77CD6)
      • conhost.exe (PID: 6420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 6412 cmdline: 'sc.exe' config SQLTELEMETRY$ECWDB2 start= disabled MD5: D79784553A9410D15E04766AAAB77CD6)
      • conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 6452 cmdline: 'sc.exe' config SstpSvc start= disabled MD5: D79784553A9410D15E04766AAAB77CD6)
      • conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • netsh.exe (PID: 6500 cmdline: 'netsh' advfirewall firewall set rule group=\'File and Printer Sharing\' new enable=Yes MD5: 98CC37BBF363A38834253E22C80A8F32)
      • conhost.exe (PID: 6560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • taskkill.exe (PID: 6732 cmdline: 'taskkill.exe' /IM mspub.exe /F MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
      • conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • taskkill.exe (PID: 6744 cmdline: 'taskkill.exe' /IM xfssvccon.exe /F MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
      • conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • taskkill.exe (PID: 6764 cmdline: 'taskkill.exe' /IM mydesktopqos.exe /F MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
      • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • taskkill.exe (PID: 6820 cmdline: 'taskkill.exe' /IM sqlbrowser.exe /F MD5: 530C6A6CBA137EAA7021CEF9B234E8D4)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_PsExec | Yara detected PsExec sysinternal tool | Joe Security | 

Sigma Overview

System Summary:

Sigma detected: Raccine Uninstall
Source: Process started | Author: Florian Roth | Data:
  • Command: 'schtasks' /DELETE /TN 'Raccine Rules Updater' /F
  • CommandLine: 'schtasks' /DELETE /TN 'Raccine Rules Updater' /F
  • CommandLine|base64offset|contains: 11
  • Image: C:\Windows\System32\schtasks.exe
  • NewProcessName: C:\Windows\System32\schtasks.exe
  • OriginalFileName: C:\Windows\System32\schtasks.exe
  • ParentCommandLine: 'C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe'
  • ParentImage: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe
  • ParentProcessId: 5964
  • ProcessCommandLine: 'schtasks' /DELETE /TN 'Raccine Rules Updater' /F
  • ProcessId: 5112

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: e1f063d6_by_Libranalysis.exe | Virustotal: Detection: 50%
Source: e1f063d6_by_Libranalysis.exe | ReversingLabs: Detection: 59%
Machine Learning detection for sample
Source: e1f063d6_by_Libranalysis.exe | Joe Sandbox ML: detected
Source: e1f063d6_by_Libranalysis.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: e1f063d6_by_Libranalysis.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Yara match | File source: dump.pcap, type: PCAP
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.160.6
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | DNS traffic detected: queries for: www.poweradmin.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49676
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown | Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49682 -> 443

System Summary:

Source: e1f063d6_by_Libranalysis.exe, 00000000.00000000.233109888.0000000000616000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamegVcWDWENI84 vs e1f063d6_by_Libranalysis.exe
Source: e1f063d6_by_Libranalysis.exe | Binary or memory string: OriginalFilenamegVcWDWENI84 vs e1f063d6_by_Libranalysis.exe
Source: e1f063d6_by_Libranalysis.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\reg.exe 'reg' delete 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /V 'Raccine Tray' /F
Source: e1f063d6_by_Libranalysis.exe, SmartAssembly.Zip/SimpleZip.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.e1f063d6_by_Libranalysis.exe.5f0000.0.unpack, SmartAssembly.Zip/SimpleZip.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: e1f063d6_by_Libranalysis.exe, qYAjLWajCJpnf/bTJSgdVkQM.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: e1f063d6_by_Libranalysis.exe, qYAjLWajCJpnf/bTJSgdVkQM.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: e1f063d6_by_Libranalysis.exe, qYAjLWajCJpnf/bTJSgdVkQM.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: e1f063d6_by_Libranalysis.exe, qYAjLWajCJpnf/bTJSgdVkQM.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: e1f063d6_by_Libranalysis.exe, qYAjLWajCJpnf/sJWKyMjQFWbP.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: e1f063d6_by_Libranalysis.exe, qYAjLWajCJpnf/sJWKyMjQFWbP.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.e1f063d6_by_Libranalysis.exe.5f0000.0.unpack, qYAjLWajCJpnf/bTJSgdVkQM.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.e1f063d6_by_Libranalysis.exe.5f0000.0.unpack, qYAjLWajCJpnf/bTJSgdVkQM.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.0.e1f063d6_by_Libranalysis.exe.5f0000.0.unpack, qYAjLWajCJpnf/bTJSgdVkQM.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.e1f063d6_by_Libranalysis.exe.5f0000.0.unpack, qYAjLWajCJpnf/bTJSgdVkQM.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.0.e1f063d6_by_Libranalysis.exe.5f0000.0.unpack, qYAjLWajCJpnf/sJWKyMjQFWbP.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.e1f063d6_by_Libranalysis.exe.5f0000.0.unpack, qYAjLWajCJpnf/sJWKyMjQFWbP.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine | Classification label: mal72.evad.winEXE@48/0@4/100
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6420:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5112:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5436:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6560:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6752:120:WilError_01
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\a24f6fef-8c36-4314-91c5-2f98ae613662
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6240:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1000:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6772:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6460:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3340:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6372:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_01
Source: e1f063d6_by_Libranalysis.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "RaccineSettings.exe")
Source: C:\Windows\System32\sc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "synctime.exe")
Source: C:\Windows\System32\sc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "RaccineSettings.exe")
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "agntsvc.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mspub.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "xfssvccon.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "powerpnt.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mydesktopqos.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqlagent.exe")
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "oracle.exe")
Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "sqlbrowser.exe")
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe 'C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe'
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\taskkill.exe 'taskkill' /F /IM RaccineSettings.exe
Source: C:\Windows\System32\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\reg.exe 'reg' delete 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /V 'Raccine Tray' /F
Source: C:\Windows\System32\reg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\reg.exe 'reg' delete HKCU\Software\Raccine /F
Source: C:\Windows\System32\reg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\schtasks.exe 'schtasks' /DELETE /TN 'Raccine Rules Updater' /F
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\netsh.exe 'netsh' advfirewall firewall set rule group=\'Network Discovery\' new enable=Yes
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\sc.exe 'sc.exe' config Dnscache start= auto
Source: C:\Windows\System32\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\sc.exe 'sc.exe' config SSDPSRV start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\sc.exe 'sc.exe' config SQLTELEMETRY start= disabled
Source: C:\Windows\System32\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\sc.exe 'sc.exe' config SQLWriter start= disabled
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\sc.exe 'sc.exe' config FDResPub start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\sc.exe 'sc.exe' config upnphost start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\sc.exe 'sc.exe' config SQLTELEMETRY$ECWDB2 start= disabled
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\sc.exe 'sc.exe' config SstpSvc start= disabled
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\netsh.exe 'netsh' advfirewall firewall set rule group=\'File and Printer Sharing\' new enable=Yes
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\taskkill.exe 'taskkill.exe' /IM mspub.exe /F
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\taskkill.exe 'taskkill.exe' /IM xfssvccon.exe /F
Source: C:\Windows\System32\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\taskkill.exe 'taskkill.exe' /IM mydesktopqos.exe /F
Source: C:\Windows\System32\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\taskkill.exe 'taskkill.exe' /IM sqlbrowser.exe /F
Source: C:\Windows\System32\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: e1f063d6_by_Libranalysis.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: e1f063d6_by_Libranalysis.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: reg.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\schtasks.exe 'schtasks' /DELETE /TN 'Raccine Rules Updater' /F
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\sc.exe 'sc.exe' config Dnscache start= auto
Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Window / User API: threadDelayed 4122
    Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe TID: 2016 | Thread sleep count: 4122 > 30
    Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: sc.exe, 0000000D.00000002.260521976.000002B9A8140000.00000002.00000001.sdmp, sc.exe, 00000012.00000002.261933051.0000020DB5E60000.00000002.00000001.sdmp, sc.exe, 00000014.00000002.263192916.000001D5AE8F0000.00000002.00000001.sdmp, sc.exe, 0000001A.00000002.266702255.0000020542C30000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: sc.exe, 0000000D.00000002.260521976.000002B9A8140000.00000002.00000001.sdmp, sc.exe, 00000012.00000002.261933051.0000020DB5E60000.00000002.00000001.sdmp, sc.exe, 00000014.00000002.263192916.000001D5AE8F0000.00000002.00000001.sdmp, sc.exe, 0000001A.00000002.266702255.0000020542C30000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: sc.exe, 0000000D.00000002.260521976.000002B9A8140000.00000002.00000001.sdmp, sc.exe, 00000012.00000002.261933051.0000020DB5E60000.00000002.00000001.sdmp, sc.exe, 00000014.00000002.263192916.000001D5AE8F0000.00000002.00000001.sdmp, sc.exe, 0000001A.00000002.266702255.0000020542C30000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: sc.exe, 0000000D.00000002.260521976.000002B9A8140000.00000002.00000001.sdmp, sc.exe, 00000012.00000002.261933051.0000020DB5E60000.00000002.00000001.sdmp, sc.exe, 00000014.00000002.263192916.000001D5AE8F0000.00000002.00000001.sdmp, sc.exe, 0000001A.00000002.266702255.0000020542C30000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process token adjusted: Debug
    Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Memory allocated: page read and write | page guard
    Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\taskkill.exe 'taskkill' /F /IM RaccineSettings.exe
    Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\reg.exe 'reg' delete 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /V 'Raccine Tray' /F
    Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\reg.exe 'reg' delete HKCU\Software\Raccine /F
    Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\schtasks.exe 'schtasks' /DELETE /TN 'Raccine Rules Updater' /F
    Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\netsh.exe 'netsh' advfirewall firewall set rule group=\'Network Discovery\' new enable=Yes
    Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\sc.exe 'sc.exe' config Dnscache start= auto
    Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\sc.exe 'sc.exe' config SQLTELEMETRY start= disabled
    Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\sc.exe 'sc.exe' config SQLWriter start= disabled
    Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\sc.exe 'sc.exe' config FDResPub start= auto
    Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\sc.exe 'sc.exe' config upnphost start= auto
    Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Queries volume information: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe VolumeInformation
    Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation

    Lowering of HIPS / PFW / Operating System Security Settings:

    Modifies the windows firewall
    Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\netsh.exe 'netsh' advfirewall firewall set rule group=\'Network Discovery\' new enable=Yes
    Uses netsh to modify the Windows network and firewall settings
    Source: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe | Process created: C:\Windows\System32\netsh.exe 'netsh' advfirewall firewall set rule group=\'Network Discovery\' new enable=Yes
    Source: Yara match | File source: dump.pcap, type: PCAP

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation 11 | Windows Service 1 | Windows Service 1 | Modify Registry 1 | OS Credential Dumping | Security Software Discovery 11 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Command and Scripting Interpreter 1 | Scheduled Task/Job 1 | Process Injection 11 | Virtualization/Sandbox Evasion 2 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | Scheduled Task/Job 1 | Logon Script (Windows) | Scheduled Task/Job 1 | Disable or Modify Tools 211 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | Service Execution 1 | Logon Script (Mac) | Logon Script (Mac) | Process Injection 11 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 12 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

    Behavior Graph

    Behavior Graph ID: 411585; Sample: e1f063d6_by_Libranalysis; Startdate: 12/05/2021; Architecture: WINDOWS; Score: 72
    • Contacted domains: www.poweradmin.com, poweradmin.com, live.sysinternals.com
    • Sample-level signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Sigma detected: Raccine Uninstall
    • e1f063d6_by_Libranalysis.exe started and contacted 192.168.2.100, 192.168.2.101 and 98 other IPs or domains
    • Process-level signatures: Uses cmd line tools excessively to alter registry or file data; Uses schtasks.exe or at.exe to add and modify task schedules; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
    • Child processes: taskkill.exe (three shown) and 15 other processes, each of which started conhost.exe (seven shown, plus 10 other processes)

    Screenshots


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    e1f063d6_by_Libranalysis.exe | 50% | Virustotal |
    e1f063d6_by_Libranalysis.exe | 60% | ReversingLabs | ByteCode-MSIL.Ransomware.Thanos
    e1f063d6_by_Libranalysis.exe | 100% | Joe Sandbox ML |

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    Source | Detection | Scanner | Label
    poweradmin.com | 0% | Virustotal |
    www.poweradmin.com | 0% | Virustotal |

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    poweradmin.com | 52.1.55.52 | true | false | | unknown
    live.sysinternals.com | unknown | unknown | false | | high
    www.poweradmin.com | unknown | unknown | false | | unknown

      Contacted IPs


      Public

      IP | Domain | Country | Flag | ASN | ASN Name | Malicious

      Private

      IP

      General Information

      Joe Sandbox Version: 32.0.0 Black Diamond
      Analysis ID: 411585
      Start date: 12.05.2021
      Start time: 02:23:13
      Joe Sandbox Product: CloudBasic
      Overall analysis duration: 0h 6m 46s
      Hypervisor based Inspection enabled: false
      Report type: full
      Sample file name: e1f063d6_by_Libranalysis (renamed file extension from none to exe)
      Cookbook file name: default.jbs
      Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes: 40
      Number of new started drivers analysed: 0
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode: default
      Analysis stop reason: Timeout
      Detection: MAL
      Classification: mal72.evad.winEXE@48/0@4/100
      EGA Information: Failed
      HDC Information: Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      Warnings:
      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
      • Excluded IPs from analysis (whitelisted): 104.42.151.234, 20.82.210.154, 204.79.197.200, 13.107.21.200, 52.255.188.83, 92.122.145.220, 23.218.208.56, 92.122.213.247, 92.122.213.194, 8.241.90.126, 8.241.82.126, 8.241.78.254, 8.241.89.254, 8.241.88.254, 52.155.217.156, 20.54.26.129, 20.50.102.62, 172.217.168.68, 20.49.223.105
      • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, sysazlive.uksouth.cloudapp.azure.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, www.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, sysinternalvmss.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
      • Report size getting too big, too many NtAllocateVirtualMemory calls found.

      Simulations

      Behavior and APIs

      Time | Type | Description
      02:26:18 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      No created / dropped files found

      Static File Info

      General

      File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
      Entropy (8bit): 6.69311631555943
      TrID:
      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
      • Win32 Executable (generic) a (10002005/4) 49.75%
      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
      • Windows Screen Saver (13104/52) 0.07%
      • Generic Win/DOS Executable (2004/3) 0.01%
      File name: e1f063d6_by_Libranalysis.exe
      File size: 145920
      MD5: e1f063d63a75e0e0e864052b1a50ab06
      SHA1: 75d941a28cf0ade2ef2c16dfacbdeb36a51ccaf7
      SHA256: 8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7
      SHA512: 25681b210ee18bd60ba3fef496769283d51dc516569e1f1834d6d23a5927c1684b25ff67baf5fba66c908b364a13784f49facdde7a98b2fb8a8a41a2ec792ae3
      SSDEEP: 3072:stjs/3uSKCHtJJlvRCKnel9XBZorbISN1qfR5FA+beml:stoFLJlvBk9xZorbISHo/A+bd
      File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....1.`.............................L... ...`....@.. ....................................@................................

      File Icon

      Icon Hash: 00828e8e8686b000

      Static PE Info

      General

      Entrypoint: 0x424cfe
      Entrypoint Section: .text
      Digitally signed: false
      Imagebase: 0x400000
      Subsystem: windows gui
      Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
      DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Time Stamp: 0x609A31A7 [Tue May 11 07:26:31 2021 UTC]
      TLS Callbacks:
      CLR (.Net) Version: v4.0.30319
      OS Version Major: 4
      OS Version Minor: 0
      File Version Major: 4
      File Version Minor: 0
      Subsystem Version Major: 4
      Subsystem Version Minor: 0
      Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

      Entrypoint Preview

      Instruction
      jmp dword ptr [00402000h]

      The jump goes through the 8-byte IAT at RVA 0x2000 (image base 0x400000), whose only entry is mscoree.dll!_CorExeMain; this is the standard native stub of a .NET executable, and the bytes following it are zero padding, which the disassembler shows as a long run of add byte ptr [eax], al.

      Data Directories

      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24cb4 | 0x4a | .text
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x26000 | 0x6e5 | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x28000 | 0xc | .reloc
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

      Sections

      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x2000 | 0x22d04 | 0x22e00 | False | 0.593981014785 | data | 6.73843222711 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      .rsrc | 0x26000 | 0x6e5 | 0x800 | False | 0.37451171875 | data | 4.12292302953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .reloc | 0x28000 | 0xc | 0x200 | False | 0.041015625 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

      Resources

      Name | RVA | Size | Type | Language | Country
      RT_VERSION | 0x2605c | 0x364 | data | |
      RT_MANIFEST | 0x263fc | 0x2e9 | ASCII text, with CRLF line terminators | |

      Imports

      DLL | Import
      mscoree.dll | _CorExeMain

      Version Infos

      Description | Data
      Translation | 0x0000 0x04b0
      LegalCopyright | Copyright 2019 CU1dE2XqGn
      Assembly Version | 4.5.0.0
      InternalName | h6fhhMtoyZ
      FileVersion | 4.5.0.0
      CompanyName | glI2R3Bj9w QulOQ4bWqM
      LegalTrademarks | s3pYFSAXn1 TYhO5t4LOp
      ProductName | dfZfk9SMuk
      ProductVersion | 4.5.0.0
      FileDescription | SQL Database
      OriginalFilename | gVcWDWENI8

      Network Behavior

      Snort IDS Alerts

      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
      05/12/21-02:24:29.324944 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.7 | 192.168.2.1
      05/12/21-02:24:29.324944 | ICMP | 384 | ICMP PING | | | 192.168.2.7 | 192.168.2.1
      05/12/21-02:24:29.324980 | ICMP | 408 | ICMP Echo Reply | | | 192.168.2.1 | 192.168.2.7
      05/12/21-02:24:35.390738 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.7 | 192.168.2.255
      05/12/21-02:24:35.390738 | ICMP | 384 | ICMP PING | | | 192.168.2.7 | 192.168.2.255
      05/12/21-02:26:16.527846 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.7 | 192.168.2.1
      05/12/21-02:26:16.527846 | ICMP | 384 | ICMP PING | | | 192.168.2.7 | 192.168.2.1
      05/12/21-02:26:16.527889 | ICMP | 408 | ICMP Echo Reply | | | 192.168.2.1 | 192.168.2.7

      Network Port Distribution

      TCP Packets

      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      May 12, 2021 02:23:59.619337082 CEST49685443192.168.2.720.190.160.6
      May 12, 2021 02:23:59.619352102 CEST49682443192.168.2.720.190.160.6
      May 12, 2021 02:24:55.459692001 CEST804968093.184.220.29192.168.2.7
      May 12, 2021 02:24:55.461400032 CEST4968080192.168.2.793.184.220.29
      May 12, 2021 02:24:56.827115059 CEST804967993.184.220.29192.168.2.7
      May 12, 2021 02:24:56.827311993 CEST4967980192.168.2.793.184.220.29
      May 12, 2021 02:25:44.254055023 CEST4967980192.168.2.793.184.220.29
      May 12, 2021 02:25:44.254587889 CEST49676443192.168.2.720.190.160.6
      May 12, 2021 02:25:44.296401978 CEST804967993.184.220.29192.168.2.7
      May 12, 2021 02:25:44.296540022 CEST4967980192.168.2.793.184.220.29
      May 12, 2021 02:25:44.303159952 CEST4434967620.190.160.6192.168.2.7
      May 12, 2021 02:25:44.303340912 CEST49676443192.168.2.720.190.160.6
      May 12, 2021 02:25:47.394809008 CEST49682443192.168.2.720.190.160.6
      May 12, 2021 02:25:47.394896030 CEST49685443192.168.2.720.190.160.6
      May 12, 2021 02:25:47.443438053 CEST4434968220.190.160.6192.168.2.7
      May 12, 2021 02:25:47.443469048 CEST4434968520.190.160.6192.168.2.7
      May 12, 2021 02:25:47.443623066 CEST49682443192.168.2.720.190.160.6
      May 12, 2021 02:25:47.443782091 CEST49685443192.168.2.720.190.160.6
      May 12, 2021 02:25:56.904874086 CEST804968093.184.220.29192.168.2.7
      May 12, 2021 02:25:56.905003071 CEST4968080192.168.2.793.184.220.29
      May 12, 2021 02:26:09.085006952 CEST804968093.184.220.29192.168.2.7
      May 12, 2021 02:26:09.085232019 CEST4968080192.168.2.793.184.220.29
      May 12, 2021 02:26:13.606247902 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:13.740448952 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:13.740575075 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:13.741137028 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:13.877072096 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:13.877103090 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:13.877120972 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:13.877182007 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:13.885706902 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.021519899 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.023221016 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.160139084 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.160197973 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.160248041 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.160284996 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.160319090 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.160360098 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.160379887 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.160420895 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.160459995 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.160478115 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.160526991 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.160571098 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.160593033 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.160631895 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.160670042 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.160696983 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.160739899 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.160797119 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.294975042 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.295031071 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.295069933 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.295128107 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.295162916 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.295205116 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.295254946 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.295298100 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.295345068 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.295366049 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.295422077 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.295473099 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.295492887 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.295543909 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.295583010 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.295600891 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.295639992 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.295677900 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.295697927 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.295744896 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.295788050 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.295805931 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.295845985 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.295885086 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.295902014 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.295948982 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.296001911 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.296017885 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.296065092 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.296102047 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.296122074 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.296159983 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.296200991 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.296216965 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.296257019 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.296334982 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.430295944 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.430362940 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.430408001 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.430448055 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.430474043 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.430504084 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.430537939 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.430577993 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.430618048 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.430638075 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.430679083 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.430733919 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.430747032 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.430787086 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.430824041 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.430840969 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.430881023 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.430926085 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.430937052 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.430977106 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.431013107 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.431030035 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.431080103 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.431128979 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.431140900 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.431180000 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.431227922 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.431241035 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.431279898 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.431325912 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.431338072 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.431387901 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.431436062 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.431447983 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.431488991 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.431535959 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.431550026 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.431596041 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.431652069 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.431665897 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.431715965 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.431760073 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.431778908 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.431821108 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.431859016 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.431899071 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.431916952 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.431957960 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.431977034 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.432017088 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.432054996 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.432075977 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.432126045 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.432176113 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.432193041 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.432248116 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.432290077 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.432322979 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.432352066 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.432398081 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.432410955 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.432450056 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.432487965 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.432507992 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.432555914 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.432600021 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.432636976 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.432663918 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.432703972 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.432723045 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.432773113 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.432821989 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.566907883 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.566987038 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.567049980 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.567107916 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.567157030 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.567183018 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.567253113 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.567317009 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.567373991 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.567397118 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.567441940 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.567483902 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.567522049 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.567540884 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.567575932 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.567610979 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.567660093 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.567703962 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.567744017 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.567764997 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.567810059 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.567825079 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.567867994 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.567907095 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.567972898 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.567991972 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.568028927 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.568088055 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.568134069 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.568182945 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.568238974 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.568276882 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.568335056 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.568367004 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.568409920 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.568459034 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.568514109 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.568542004 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.568603039 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.568654060 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.568701029 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.568747997 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.568779945 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.568819046 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.568839073 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.568864107 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.568902969 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.568947077 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.568994999 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.569016933 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.569058895 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.569087029 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.569137096 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.569180012 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.569220066 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.569242001 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.569271088 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.569299936 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.569340944 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.569434881 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.569509029 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.569525003 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.569566965 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.569598913 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.569641113 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.569679976 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.569735050 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.569751024 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.569804907 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.569844961 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.569914103 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.570452929 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.703922987 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.703967094 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.703994036 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704019070 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704041004 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704066992 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.704085112 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.704098940 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704123974 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704147100 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704171896 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704186916 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.704212904 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704221964 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.704248905 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704263926 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.704288960 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704315901 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704343081 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704365969 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704377890 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.704401970 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704425097 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704447031 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704464912 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704478979 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.704484940 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.704502106 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.704518080 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704543114 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704571962 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704585075 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.704611063 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704623938 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.704646111 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704669952 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704694033 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704715967 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704726934 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.704750061 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.704757929 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704783916 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704808950 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704833031 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704849958 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.704871893 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704880953 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.704901934 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704926968 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704955101 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.704962969 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.704982996 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.704999924 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.705025911 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.705044985 CEST4434974352.1.55.52192.168.2.7
      May 12, 2021 02:26:14.705073118 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:14.705106020 CEST49743443192.168.2.752.1.55.52
      May 12, 2021 02:26:15.991614103 CEST4968080192.168.2.793.184.220.29
      May 12, 2021 02:26:16.032277107 CEST804968093.184.220.29192.168.2.7

      UDP Packets

      Timestamp                             Source Port  Dest Port  Source IP        Dest IP
      May 12, 2021 02:23:59.234335899 CEST  53129        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:23:59.287035942 CEST  53           53129      8.8.8.8          192.168.2.7
      May 12, 2021 02:23:59.671509027 CEST  62452        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:23:59.728662014 CEST  53           62452      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:00.530673981 CEST  57820        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:00.552372932 CEST  50848        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:00.582250118 CEST  53           57820      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:00.609018087 CEST  53           50848      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:02.573972940 CEST  61242        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:02.628433943 CEST  53           61242      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:03.477829933 CEST  58562        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:03.526549101 CEST  53           58562      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:03.909331083 CEST  56590        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:03.967650890 CEST  53           56590      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:04.496669054 CEST  60501        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:04.549942970 CEST  53           60501      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:05.341583014 CEST  53775        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:05.401645899 CEST  53           53775      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:06.561137915 CEST  51837        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:06.620980978 CEST  53           51837      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:07.681329012 CEST  55411        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:07.738629103 CEST  53           55411      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:09.023803949 CEST  63668        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:09.072552919 CEST  53           63668      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:11.329884052 CEST  54640        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:11.380841017 CEST  53           54640      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:12.518608093 CEST  58739        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:12.581053972 CEST  53           58739      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:13.885335922 CEST  60338        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:13.942657948 CEST  53           60338      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:15.328852892 CEST  58717        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:15.377600908 CEST  53           58717      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:16.653407097 CEST  59762        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:16.713121891 CEST  53           59762      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:17.786389112 CEST  54329        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:17.835092068 CEST  53           54329      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:18.887445927 CEST  58052        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:18.943770885 CEST  53           58052      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:22.554928064 CEST  54008        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:22.605132103 CEST  53           54008      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:24.417440891 CEST  59451        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:24.474648952 CEST  53           59451      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:26.502182007 CEST  52914        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:26.553018093 CEST  53           52914      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:31.195421934 CEST  64569        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:31.245270967 CEST  53           64569      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:32.472074032 CEST  52816        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:32.520737886 CEST  53           52816      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:33.735950947 CEST  50781        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:33.793301105 CEST  53           50781      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:34.905491114 CEST  54230        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:34.954310894 CEST  53           54230      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:38.727338076 CEST  54911        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:38.792570114 CEST  53           54911      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:47.238135099 CEST  49958        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:47.297678947 CEST  53           49958      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:55.738006115 CEST  50860        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:55.788809061 CEST  53           50860      8.8.8.8          192.168.2.7
      May 12, 2021 02:24:55.891386986 CEST  50452        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:24:55.950472116 CEST  53           50452      8.8.8.8          192.168.2.7
      May 12, 2021 02:25:19.638885021 CEST  59730        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:25:19.698481083 CEST  53           59730      8.8.8.8          192.168.2.7
      May 12, 2021 02:25:22.367999077 CEST  59310        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:25:22.429711103 CEST  53           59310      8.8.8.8          192.168.2.7
      May 12, 2021 02:25:28.948553085 CEST  51919        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:25:28.998121977 CEST  53           51919      8.8.8.8          192.168.2.7
      May 12, 2021 02:25:29.453366041 CEST  64296        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:25:29.513613939 CEST  53           64296      8.8.8.8          192.168.2.7
      May 12, 2021 02:25:30.015614986 CEST  56680        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:25:30.072673082 CEST  53           56680      8.8.8.8          192.168.2.7
      May 12, 2021 02:25:30.554110050 CEST  58820        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:25:30.605623007 CEST  53           58820      8.8.8.8          192.168.2.7
      May 12, 2021 02:25:30.726777077 CEST  60983        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:25:30.783682108 CEST  53           60983      8.8.8.8          192.168.2.7
      May 12, 2021 02:25:31.050759077 CEST  49247        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:25:31.110187054 CEST  53           49247      8.8.8.8          192.168.2.7
      May 12, 2021 02:25:31.606375933 CEST  52286        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:25:31.666471958 CEST  53           52286      8.8.8.8          192.168.2.7
      May 12, 2021 02:25:32.047724009 CEST  56064        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:25:32.106234074 CEST  53           56064      8.8.8.8          192.168.2.7
      May 12, 2021 02:25:32.687417030 CEST  63744        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:25:32.739056110 CEST  53           63744      8.8.8.8          192.168.2.7
      May 12, 2021 02:25:33.412689924 CEST  61457        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:25:33.461370945 CEST  53           61457      8.8.8.8          192.168.2.7
      May 12, 2021 02:25:33.841306925 CEST  58367        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:25:33.892798901 CEST  53           58367      8.8.8.8          192.168.2.7
      May 12, 2021 02:25:53.109848022 CEST  60599        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:25:53.166996956 CEST  53           60599      8.8.8.8          192.168.2.7
      May 12, 2021 02:25:53.555330992 CEST  59571        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:25:53.622461081 CEST  53           59571      8.8.8.8          192.168.2.7
      May 12, 2021 02:26:12.135572910 CEST  52689        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:26:12.192837000 CEST  53           52689      8.8.8.8          192.168.2.7
      May 12, 2021 02:26:13.480292082 CEST  50290        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:26:13.542099953 CEST  53           50290      8.8.8.8          192.168.2.7
      May 12, 2021 02:26:13.544945955 CEST  60427        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:26:13.605001926 CEST  53           60427      8.8.8.8          192.168.2.7
      May 12, 2021 02:26:14.710372925 CEST  56209        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:26:14.817440987 CEST  53           56209      8.8.8.8          192.168.2.7
      May 12, 2021 02:26:14.819259882 CEST  59582        53         192.168.2.7      8.8.8.8
      May 12, 2021 02:26:14.907476902 CEST  53           59582      8.8.8.8          192.168.2.7
      May 12, 2021 02:26:16.082575083 CEST  59583        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.082804918 CEST  59584        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.082921028 CEST  59585        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.083025932 CEST  59586        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.083219051 CEST  59587        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.083324909 CEST  59588        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.083422899 CEST  59589        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.083534002 CEST  59590        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.083626986 CEST  59591        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.083719969 CEST  59592        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.083817959 CEST  59593        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.084034920 CEST  59594        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.084095955 CEST  59595        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.084292889 CEST  59596        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.084892035 CEST  59597        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.085131884 CEST  59598        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.085412979 CEST  59599        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.085503101 CEST  59600        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.085670948 CEST  59601        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.085844040 CEST  59602        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.086025953 CEST  59603        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.086225986 CEST  59604        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.086394072 CEST  59605        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.086566925 CEST  59606        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.086735964 CEST  59607        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.086921930 CEST  59608        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.087094069 CEST  59609        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.087275982 CEST  59610        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.087457895 CEST  59611        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.087630987 CEST  59612        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.087805033 CEST  59613        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.087973118 CEST  59614        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.088139057 CEST  59615        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.088330030 CEST  59616        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.088520050 CEST  59617        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.088726997 CEST  59618        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.088903904 CEST  59619        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.089174986 CEST  59620        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.089248896 CEST  59621        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.089421034 CEST  59622        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.089596033 CEST  59623        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.089766026 CEST  59624        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.089937925 CEST  59625        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.090105057 CEST  59626        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.090265989 CEST  59627        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.129967928 CEST  59628        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.178601980 CEST  59629        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.178827047 CEST  59630        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.179014921 CEST  59631        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.179184914 CEST  59632        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.179352045 CEST  59633        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.179531097 CEST  59634        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.179716110 CEST  59635        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.179887056 CEST  59636        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.180088043 CEST  59637        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.180258036 CEST  59638        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.180429935 CEST  59639        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.180665016 CEST  59640        3          192.168.2.7      192.168.2.255
      May 12, 2021 02:26:16.180784941 CEST596413192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.180964947 CEST596423192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.181147099 CEST596433192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.181314945 CEST596443192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.181490898 CEST596453192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.181659937 CEST596463192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.181819916 CEST596473192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.182009935 CEST596483192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.182200909 CEST596493192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.182370901 CEST596503192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.182535887 CEST596513192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.182717085 CEST596523192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.182888985 CEST596533192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.183059931 CEST596543192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.183238029 CEST596553192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.183404922 CEST596563192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.183582067 CEST596573192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.183747053 CEST596583192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.183904886 CEST596593192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.184077024 CEST596603192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.184245110 CEST596613192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.184417963 CEST596623192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.184596062 CEST596633192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.184770107 CEST596643192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.184935093 CEST596653192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.185108900 CEST596663192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.185285091 CEST596673192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.185451984 CEST596683192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.185627937 CEST596693192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.185798883 CEST596703192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.185961962 CEST596713192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.186137915 CEST596723192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.186306000 CEST596733192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.186484098 CEST596743192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.186664104 CEST596753192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.186830997 CEST596763192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.187019110 CEST596773192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.187211037 CEST596783192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.187393904 CEST596793192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.187562943 CEST596803192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.187742949 CEST596813192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.187908888 CEST596823192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.188165903 CEST596833192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.188348055 CEST596843192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.188512087 CEST596853192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.188699007 CEST596863192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.188878059 CEST596873192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.189044952 CEST596883192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.189227104 CEST596893192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.189397097 CEST596903192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.189552069 CEST596913192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.189727068 CEST596923192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.189894915 CEST596933192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.190071106 CEST596943192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.190244913 CEST596953192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.190413952 CEST596963192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.190587044 CEST596973192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.190757990 CEST596983192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.190931082 CEST596993192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.191099882 CEST597003192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.191276073 CEST597013192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.191446066 CEST597023192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.191612959 CEST597033192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.191807985 CEST597043192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.245085001 CEST597053192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.245258093 CEST597063192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.245361090 CEST597073192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.245481014 CEST597083192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.245584965 CEST597093192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.245683908 CEST597103192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.245793104 CEST597113192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.245889902 CEST597123192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.245985985 CEST597133192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.246083975 CEST597143192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.246191025 CEST597153192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.246284962 CEST597163192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.246388912 CEST597173192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.246475935 CEST597183192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.246576071 CEST597193192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.246673107 CEST597203192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.246764898 CEST597213192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.246870995 CEST597223192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.246965885 CEST597233192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.247057915 CEST597243192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.247162104 CEST597253192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.247257948 CEST597263192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.247350931 CEST597273192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.247448921 CEST597283192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.247550964 CEST597293192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.247644901 CEST597303192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.247733116 CEST597313192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.263778925 CEST597323192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.264060020 CEST597333192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.264271975 CEST597343192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.264488935 CEST597353192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.497880936 CEST597363192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.498086929 CEST597373192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.498294115 CEST597383192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.498501062 CEST597393192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.498697042 CEST597403192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.498830080 CEST597413192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.498948097 CEST597423192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.499078989 CEST597433192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.499280930 CEST597443192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.499466896 CEST597453192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.499604940 CEST597463192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.499763966 CEST597473192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.499969006 CEST597483192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.500124931 CEST597493192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.500379086 CEST597503192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.500601053 CEST597513192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.501075029 CEST597523192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.501324892 CEST597533192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.501813889 CEST597543192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.502015114 CEST597553192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.502183914 CEST597563192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.502367020 CEST597573192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.502574921 CEST597583192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.502830029 CEST597593192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.503058910 CEST597603192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.503242016 CEST597613192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.503421068 CEST597623192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.503592968 CEST597633192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.503730059 CEST597643192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.503926039 CEST597653192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.504111052 CEST597663192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.504478931 CEST597673192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.504678011 CEST597683192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.504847050 CEST597693192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.504961014 CEST597703192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.505063057 CEST597713192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.505198002 CEST597723192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.505294085 CEST597733192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.505414009 CEST597743192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.505517960 CEST597753192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.505624056 CEST597763192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.505734921 CEST597773192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.505939960 CEST597783192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.506064892 CEST597793192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.506169081 CEST597803192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.506541014 CEST597813192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.506715059 CEST597823192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.506834984 CEST597833192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.506956100 CEST597843192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.507066011 CEST597853192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.507158995 CEST597863192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.507266998 CEST597873192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.507365942 CEST597883192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.507463932 CEST597893192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.507566929 CEST597903192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.507687092 CEST597913192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.507783890 CEST597923192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.507884026 CEST597933192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.508121014 CEST597953192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.508128881 CEST597943192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.508229971 CEST597963192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.508343935 CEST597973192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.508445024 CEST597983192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.508538008 CEST597993192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.508644104 CEST598003192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.508735895 CEST598013192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.508840084 CEST598023192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.509040117 CEST598033192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.509311914 CEST598043192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.509525061 CEST598053192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.509625912 CEST598063192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.509721041 CEST598073192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.509831905 CEST598083192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.509974957 CEST598093192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.510176897 CEST598103192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.510354996 CEST598113192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.510488033 CEST598123192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.510598898 CEST598133192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.510826111 CEST598143192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.511109114 CEST598153192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.511382103 CEST598163192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.511650085 CEST598173192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.511836052 CEST598183192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.511938095 CEST598193192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.512048960 CEST598203192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.512154102 CEST598213192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.512376070 CEST598223192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.512897968 CEST598233192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.513688087 CEST598243192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.513884068 CEST598253192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.515094995 CEST598263192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.515418053 CEST598273192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.516294956 CEST598283192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.516999960 CEST598293192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.517222881 CEST598303192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.517414093 CEST598313192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.517595053 CEST598323192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.517760992 CEST598333192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.517930031 CEST598343192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.518102884 CEST598353192.168.2.7192.168.2.255
      May 12, 2021 02:26:16.518285990 CEST598363192.168.2.7192.168.2.255

      ICMP Packets

      Timestamp | Source IP | Dest IP | Checksum | Code | Type
      May 12, 2021 02:24:29.324944019 CEST | 192.168.2.7 | 192.168.2.1 | 4d5a | | Echo
      May 12, 2021 02:24:29.324980021 CEST | 192.168.2.1 | 192.168.2.7 | 555a | | Echo Reply
      May 12, 2021 02:24:35.390738010 CEST | 192.168.2.7 | 192.168.2.255 | 4d4f | | Echo
      May 12, 2021 02:26:16.527846098 CEST | 192.168.2.7 | 192.168.2.1 | 4c5c | | Echo
      May 12, 2021 02:26:16.527889013 CEST | 192.168.2.1 | 192.168.2.7 | 545c | | Echo Reply

      DNS Queries

      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
      May 12, 2021 02:26:13.480292082 CEST | 192.168.2.7 | 8.8.8.8 | 0xfe7c | Standard query (0) | www.poweradmin.com | A (IP address) | IN (0x0001)
      May 12, 2021 02:26:13.544945955 CEST | 192.168.2.7 | 8.8.8.8 | 0x44e1 | Standard query (0) | www.poweradmin.com | A (IP address) | IN (0x0001)
      May 12, 2021 02:26:14.710372925 CEST | 192.168.2.7 | 8.8.8.8 | 0xc098 | Standard query (0) | live.sysinternals.com | A (IP address) | IN (0x0001)
      May 12, 2021 02:26:14.819259882 CEST | 192.168.2.7 | 8.8.8.8 | 0x2775 | Standard query (0) | live.sysinternals.com | A (IP address) | IN (0x0001)

      DNS Answers

      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
      May 12, 2021 02:26:13.542099953 CEST | 8.8.8.8 | 192.168.2.7 | 0xfe7c | No error (0) | www.poweradmin.com | poweradmin.com | | CNAME (Canonical name) | IN (0x0001)
      May 12, 2021 02:26:13.542099953 CEST | 8.8.8.8 | 192.168.2.7 | 0xfe7c | No error (0) | poweradmin.com | | 52.1.55.52 | A (IP address) | IN (0x0001)
      May 12, 2021 02:26:13.605001926 CEST | 8.8.8.8 | 192.168.2.7 | 0x44e1 | No error (0) | www.poweradmin.com | poweradmin.com | | CNAME (Canonical name) | IN (0x0001)
      May 12, 2021 02:26:13.605001926 CEST | 8.8.8.8 | 192.168.2.7 | 0x44e1 | No error (0) | poweradmin.com | | 52.1.55.52 | A (IP address) | IN (0x0001)
      May 12, 2021 02:26:14.817440987 CEST | 8.8.8.8 | 192.168.2.7 | 0xc098 | No error (0) | live.sysinternals.com | sysinternalvmss.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)
      May 12, 2021 02:26:14.907476902 CEST | 8.8.8.8 | 192.168.2.7 | 0x2775 | No error (0) | live.sysinternals.com | sysinternalvmss.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)

      Code Manipulations

      Statistics

      CPU Usage

      Memory Usage

      High Level Behavior Distribution

      Behavior

      System Behavior

      General

      Start time: 02:24:08
      Start date: 12/05/2021
      Path: C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe
      Wow64 process (32bit): false
      Commandline: 'C:\Users\user\Desktop\e1f063d6_by_Libranalysis.exe'
      Imagebase: 0x5f0000
      File size: 145920 bytes
      MD5 hash: E1F063D63A75E0E0E864052B1A50AB06
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: .Net C# or VB.NET
      Reputation: low

      General

      Start time: 02:24:15
      Start date: 12/05/2021
      Path: C:\Windows\System32\taskkill.exe
      Wow64 process (32bit): false
      Commandline: 'taskkill' /F /IM RaccineSettings.exe
      Imagebase: 0x7ff7f5a80000
      File size: 94720 bytes
      MD5 hash: 530C6A6CBA137EAA7021CEF9B234E8D4
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Reputation: moderate

      General

      Start time: 02:24:15
      Start date: 12/05/2021
      Path: C:\Windows\System32\conhost.exe
      Wow64 process (32bit): false
      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase: 0x7ff774ee0000
      File size: 625664 bytes
      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Reputation: high

      General

      Start time: 02:24:16
      Start date: 12/05/2021
      Path: C:\Windows\System32\reg.exe
      Wow64 process (32bit): false
      Commandline: 'reg' delete 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /V 'Raccine Tray' /F
      Imagebase: 0x7ff7ef960000
      File size: 72704 bytes
      MD5 hash: E3DACF0B31841FA02064B4457D44B357
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Reputation: moderate

      General

      Start time: 02:24:16
      Start date: 12/05/2021
      Path: C:\Windows\System32\conhost.exe
      Wow64 process (32bit): false
      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase: 0x7ff774ee0000
      File size: 625664 bytes
      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Reputation: high

      General

      Start time: 02:24:17
      Start date: 12/05/2021
      Path: C:\Windows\System32\reg.exe
      Wow64 process (32bit): false
      Commandline: 'reg' delete HKCU\Software\Raccine /F
      Imagebase: 0x7ff7ef960000
      File size: 72704 bytes
      MD5 hash: E3DACF0B31841FA02064B4457D44B357
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Reputation: moderate

      General

      Start time: 02:24:17
      Start date: 12/05/2021
      Path: C:\Windows\System32\conhost.exe
      Wow64 process (32bit): false
      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase: 0x7ff774ee0000
      File size: 625664 bytes
      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Reputation: high

      General

      Start time: 02:24:18
      Start date: 12/05/2021
      Path: C:\Windows\System32\schtasks.exe
      Wow64 process (32bit): false
      Commandline: 'schtasks' /DELETE /TN 'Raccine Rules Updater' /F
      Imagebase: 0x7ff6fb500000
      File size: 226816 bytes
      MD5 hash: 838D346D1D28F00783B7A6C6BD03A0DA
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Reputation: moderate

      General

      Start time: 02:24:19
      Start date: 12/05/2021
      Path: C:\Windows\System32\conhost.exe
      Wow64 process (32bit): false
      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase: 0x7ff774ee0000
      File size: 625664 bytes
      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Reputation: high

      General

      Start time: 02:24:19
      Start date: 12/05/2021
      Path: C:\Windows\System32\netsh.exe
      Wow64 process (32bit): false
      Commandline: 'netsh' advfirewall firewall set rule group=\'Network Discovery\' new enable=Yes
      Imagebase: 0x7ff722160000
      File size: 92672 bytes
      MD5 hash: 98CC37BBF363A38834253E22C80A8F32
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Reputation: moderate

      General

      Start time: 02:24:20
      Start date: 12/05/2021
      Path: C:\Windows\System32\sc.exe
      Wow64 process (32bit): false
      Commandline: 'sc.exe' config Dnscache start= auto
      Imagebase: 0x7ff699e00000
      File size: 69120 bytes
      MD5 hash: D79784553A9410D15E04766AAAB77CD6
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Reputation: moderate

      General

      Start time: 02:24:20
      Start date: 12/05/2021
      Path: C:\Windows\System32\conhost.exe
      Wow64 process (32bit): false
      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase: 0x7ff774ee0000
      File size: 625664 bytes
      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Reputation: high

      General

      Start time: 02:24:20
      Start date: 12/05/2021
      Path: C:\Windows\System32\sc.exe
      Wow64 process (32bit): false
      Commandline: 'sc.exe' config SSDPSRV start= auto
      Imagebase: 0x7ff699e00000
      File size: 69120 bytes
      MD5 hash: D79784553A9410D15E04766AAAB77CD6
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Reputation: moderate

      General

      Start time: 02:24:20
      Start date: 12/05/2021
      Path: C:\Windows\System32\conhost.exe
      Wow64 process (32bit): false
      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase: 0x7ff774ee0000
      File size: 625664 bytes
      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language

      General

      Start time: 02:24:21
      Start date: 12/05/2021
      Path: C:\Windows\System32\sc.exe
      Wow64 process (32bit): false
      Commandline: 'sc.exe' config SQLTELEMETRY start= disabled
      Imagebase: 0x7ff699e00000
      File size: 69120 bytes
      MD5 hash: D79784553A9410D15E04766AAAB77CD6
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language

      General

      Start time: 02:24:21
      Start date: 12/05/2021
      Path: C:\Windows\System32\conhost.exe
      Wow64 process (32bit): false
      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase: 0x7ff774ee0000
      File size: 625664 bytes
      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language

      General

      Start time: 02:24:21
      Start date: 12/05/2021
      Path: C:\Windows\System32\sc.exe
      Wow64 process (32bit): false
      Commandline: 'sc.exe' config SQLWriter start= disabled
      Imagebase: 0x7ff699e00000
      File size: 69120 bytes
      MD5 hash: D79784553A9410D15E04766AAAB77CD6
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language

      General

      Start time: 02:24:21
      Start date: 12/05/2021
      Path: C:\Windows\System32\conhost.exe
      Wow64 process (32bit): false
      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase: 0x7ff774ee0000
      File size: 625664 bytes
      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language

      General

      Start time: 02:24:21
      Start date: 12/05/2021
      Path: C:\Windows\System32\sc.exe
      Wow64 process (32bit): false
      Commandline: 'sc.exe' config FDResPub start= auto
      Imagebase: 0x7ff699e00000
      File size: 69120 bytes
      MD5 hash: D79784553A9410D15E04766AAAB77CD6
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language

      General

      Start time: 02:24:21
      Start date: 12/05/2021
      Path: C:\Windows\System32\conhost.exe
      Wow64 process (32bit): false
      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase: 0x7ff774ee0000
      File size: 625664 bytes
      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language

      General

      Start time: 02:24:22
      Start date: 12/05/2021
      Path: C:\Windows\System32\sc.exe
      Wow64 process (32bit): false
      Commandline: 'sc.exe' config upnphost start= auto
      Imagebase: 0x7ff699e00000
      File size: 69120 bytes
      MD5 hash: D79784553A9410D15E04766AAAB77CD6
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language

      General

      Start time: 02:24:22
      Start date: 12/05/2021
      Path: C:\Windows\System32\conhost.exe
      Wow64 process (32bit): false
      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase: 0x7ff774ee0000
      File size: 625664 bytes
      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language

      General

      Start time: 02:24:22
      Start date: 12/05/2021
      Path: C:\Windows\System32\sc.exe
      Wow64 process (32bit): false
      Commandline: 'sc.exe' config SQLTELEMETRY$ECWDB2 start= disabled
      Imagebase: 0x7ff699e00000
      File size: 69120 bytes
      MD5 hash: D79784553A9410D15E04766AAAB77CD6
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language

      General

      Start time: 02:24:22
      Start date: 12/05/2021
      Path: C:\Windows\System32\conhost.exe
      Wow64 process (32bit): false
      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase: 0x7ff774ee0000
      File size: 625664 bytes
      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language

      General

      Start time: 02:24:22
      Start date: 12/05/2021
      Path: C:\Windows\System32\sc.exe
      Wow64 process (32bit): false
      Commandline: 'sc.exe' config SstpSvc start= disabled
      Imagebase: 0x7ff699e00000
      File size: 69120 bytes
      MD5 hash: D79784553A9410D15E04766AAAB77CD6
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language

      General

      Start time: 02:24:23
      Start date: 12/05/2021
      Path: C:\Windows\System32\conhost.exe
      Wow64 process (32bit): false
      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase: 0x7ff774ee0000
      File size: 625664 bytes
      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language

      General

      Start time: 02:24:23
      Start date: 12/05/2021
      Path: C:\Windows\System32\netsh.exe
      Wow64 process (32bit): false
      Commandline: 'netsh' advfirewall firewall set rule group=\'File and Printer Sharing\' new enable=Yes
      Imagebase: 0x7ff722160000
      File size: 92672 bytes
      MD5 hash: 98CC37BBF363A38834253E22C80A8F32
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language

      General

      Start time: 02:24:23
      Start date: 12/05/2021
      Path: C:\Windows\System32\conhost.exe
      Wow64 process (32bit): false
      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase: 0x7ff774ee0000
      File size: 625664 bytes
      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language

      General

      Start time: 02:24:24
      Start date: 12/05/2021
      Path: C:\Windows\System32\conhost.exe
      Wow64 process (32bit): false
      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase: 0x7ff774ee0000
      File size: 625664 bytes
      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language

      General

      Start time: 02:24:26
      Start date: 12/05/2021
      Path: C:\Windows\System32\taskkill.exe
      Wow64 process (32bit): false
      Commandline: 'taskkill.exe' /IM mspub.exe /F
      Imagebase: 0x7ff65dd40000
      File size: 94720 bytes
      MD5 hash: 530C6A6CBA137EAA7021CEF9B234E8D4
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language

      General

      Start time: 02:24:26
      Start date: 12/05/2021
      Path: C:\Windows\System32\taskkill.exe
      Wow64 process (32bit): false
      Commandline: 'taskkill.exe' /IM xfssvccon.exe /F
      Imagebase: 0x7ff65dd40000
      File size: 94720 bytes
      MD5 hash: 530C6A6CBA137EAA7021CEF9B234E8D4
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language

      General

      Start time: 02:24:26
      Start date: 12/05/2021
      Path: C:\Windows\System32\conhost.exe
      Wow64 process (32bit): false
      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase: 0x7ff774ee0000
      File size: 625664 bytes
      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language

      General

      Start time: 02:24:26
      Start date: 12/05/2021
      Path: C:\Windows\System32\taskkill.exe
      Wow64 process (32bit): false
      Commandline: 'taskkill.exe' /IM mydesktopqos.exe /F
      Imagebase: 0x7ff65dd40000
      File size: 94720 bytes
      MD5 hash: 530C6A6CBA137EAA7021CEF9B234E8D4
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language

      General

      Start time: 02:24:27
      Start date: 12/05/2021
      Path: C:\Windows\System32\conhost.exe
      Wow64 process (32bit): false
      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase: 0x7ff774ee0000
      File size: 625664 bytes
      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language

      General

      Start time: 02:24:27
      Start date:12/05/2021
      Path:C:\Windows\System32\taskkill.exe
      Wow64 process (32bit):false
      Commandline:'taskkill.exe' /IM sqlbrowser.exe /F
      Imagebase:0x7ff65dd40000
      File size:94720 bytes
      MD5 hash:530C6A6CBA137EAA7021CEF9B234E8D4
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      General

      Start time:02:24:27
      Start date:12/05/2021
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff774ee0000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
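
The command lines above are the substance of these process entries: one netsh call that enables the 'File and Printer Sharing' firewall rule group (the inbound SMB rules a PsExec-style tool needs) and a run of forced taskkill calls against unrelated applications. The script below is an added example, not part of the sandbox report or its vendor's tooling. It parses "General" blocks in the key:value format used on this page and applies two rules to the command lines: a netsh advfirewall rule change, and a burst of taskkill /F /IM calls. The ATT&CK mapping (T1562.004 for the firewall change, T1489 for mass process termination), the threshold of three distinct kill targets and the Finding type are this example's own assumptions; SAMPLE_REPORT is constructed from the entries listed above, reduced to the fields the rules need.

```python
"""Triage the per-process "General" blocks of a sandbox report and flag
netsh firewall changes and mass forced process termination.

Added example; not part of the report or its vendor's tooling. The
technique ids, the kill threshold and SAMPLE_REPORT are assumptions
made here (SAMPLE_REPORT is constructed from the report's entries)."""
from __future__ import annotations

import ntpath
import shlex
from dataclasses import dataclass, field


@dataclass
class Finding:
    technique: str  # ATT&CK id; mapping chosen for this example
    title: str
    evidence: list[str] = field(default_factory=list)


def parse_process_blocks(text: str) -> list[dict[str, str]]:
    """One dict per "General" block; keep only blocks that have a Commandline."""
    blocks: list[dict[str, str]] = []
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "General":
            current = {}
            blocks.append(current)
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)  # first colon only: values like C:\... contain colons
            current[key.strip()] = value.strip()
    return [b for b in blocks if "Commandline" in b]


def split_cmdline(cmd: str) -> list[str]:
    """Tokenise the report's command line. It single-quotes the image name and
    quoted arguments, which shlex handles; POSIX mode would eat the backslashes
    of Windows paths, so escape them first."""
    return shlex.split(cmd.replace("\\", "\\\\"))


def program_name(argv: list[str]) -> str:
    name = ntpath.basename(argv[0]).lower()
    return name[:-4] if name.endswith(".exe") else name


def analyze(blocks: list[dict[str, str]], kill_threshold: int = 3) -> list[Finding]:
    findings: list[Finding] = []
    kill_targets: list[str] = []
    for block in blocks:
        argv = split_cmdline(block["Commandline"])
        if not argv:
            continue
        prog = program_name(argv)
        args = [a.lower() for a in argv[1:]]
        if prog == "conhost":
            continue  # spawned for every console tool; the interesting command is on the parent
        if (prog == "netsh" and "advfirewall" in args and "firewall" in args
                and any(verb in args for verb in ("set", "add", "delete"))):
            group = next((a.split("=", 1)[1] for a in argv[1:]
                          if a.lower().startswith("group=")), "<none>")
            enable = next((a.split("=", 1)[1] for a in args
                           if a.startswith("enable=")), "<unchanged>")
            findings.append(Finding(
                "T1562.004", "Windows Firewall rule group modified via netsh",
                [f"group={group!r} enable={enable} ({block.get('Start time', '?')})"]))
        elif prog == "taskkill" and "/f" in args and "/im" in args:
            i = args.index("/im")
            if i + 1 < len(args):
                kill_targets.append(args[i + 1])
    # One taskkill is unremarkable; several forced kills of unrelated
    # applications is the pre-encryption pattern used to release file locks.
    distinct = sorted(set(kill_targets))
    if len(distinct) >= kill_threshold:
        findings.append(Finding(
            "T1489", f"Forced termination of {len(distinct)} processes via taskkill /F /IM",
            distinct))
    return findings


# Constructed from the report entries above (Start time and Commandline only).
SAMPLE_REPORT = r"""
General
Start time:02:24:23
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
General
Start time:02:24:23
Commandline:'netsh' advfirewall firewall set rule group='File and Printer Sharing' new enable=Yes
General
Start time:02:24:26
Commandline:'taskkill.exe' /IM mspub.exe /F
General
Start time:02:24:26
Commandline:'taskkill.exe' /IM xfssvccon.exe /F
General
Start time:02:24:26
Commandline:'taskkill.exe' /IM mydesktopqos.exe /F
General
Start time:02:24:27
Commandline:'taskkill.exe' /IM sqlbrowser.exe /F
"""

if __name__ == "__main__":
    for f in analyze(parse_process_blocks(SAMPLE_REPORT)):
        print(f.technique, f.title, *f.evidence, sep="\n  ")
```

The conhost.exe entries are skipped on purpose: each console tool the sample launches gets its own conhost.exe with the same `0xffffffff -ForceV1` command line, so matching on it only adds noise. The kill threshold is the caveat to tune: legitimate installers also call taskkill, so the rule keys on the number of distinct targets within one sample rather than on any single call.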

      Disassembly

      Code Analysis
