Play interactive tour

Edit tour

Windows Analysis Report tj9KzQvUFy.exe

Overview

General Information

Sample Name:	tj9KzQvUFy.exe
Analysis ID:	527671
MD5:	e8ae42cfaafd650a14285aaf700d1f2b
SHA1:	d4da7fb39e1ef6aa56b01173ebb48fbd80acb416
SHA256:	c398ec8923c9de2fe4ff2b9804f41663b1e929b22b3ee848576014f89663618a
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Sigma detected: Suspicius Add Task From User AppData Temp

.NET source code contains potential unpacker

Sigma detected: Powershell Defender Exclusion

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

tj9KzQvUFy.exe (PID: 7016 cmdline: "C:\Users\user\Desktop\tj9KzQvUFy.exe" MD5: E8AE42CFAAFD650A14285AAF700D1F2B)

powershell.exe (PID: 6344 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6320 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QWtzAVmnpKpJx" /XML "C:\Users\user\AppData\Local\Temp\tmp6B9E.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

tj9KzQvUFy.exe (PID: 6192 cmdline: C:\Users\user\Desktop\tj9KzQvUFy.exe MD5: E8AE42CFAAFD650A14285AAF700D1F2B)

schtasks.exe (PID: 6548 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpC635.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6572 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpCF6D.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

tj9KzQvUFy.exe (PID: 5776 cmdline: C:\Users\user\Desktop\tj9KzQvUFy.exe 0 MD5: E8AE42CFAAFD650A14285AAF700D1F2B)

powershell.exe (PID: 7064 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5724 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QWtzAVmnpKpJx" /XML "C:\Users\user\AppData\Local\Temp\tmpB52A.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

tj9KzQvUFy.exe (PID: 1992 cmdline: C:\Users\user\Desktop\tj9KzQvUFy.exe MD5: E8AE42CFAAFD650A14285AAF700D1F2B)

tj9KzQvUFy.exe (PID: 4804 cmdline: C:\Users\user\Desktop\tj9KzQvUFy.exe MD5: E8AE42CFAAFD650A14285AAF700D1F2B)

dhcpmon.exe (PID: 6732 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: E8AE42CFAAFD650A14285AAF700D1F2B)

dhcpmon.exe (PID: 7072 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: E8AE42CFAAFD650A14285AAF700D1F2B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000001B.00000002.448411736.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001B.00000002.448411736.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000002.448411736.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000009.00000000.377573313.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000000.377573313.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000000.377573313.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001B.00000000.428587320.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001B.00000000.428587320.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000000.428587320.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000009.00000002.610929952.0000000002CF1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000011.00000002.405648724.0000000002AC1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000001B.00000000.430610675.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001B.00000000.430610675.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000000.430610675.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.380810422.0000000002C41000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000001B.00000002.449720348.0000000004499000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000002.449720348.0000000004499000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435a5:$a: NanoCore 0x435fe:$a: NanoCore 0x4363b:$a: NanoCore 0x436b4:$a: NanoCore 0x56d5f:$a: NanoCore 0x56d74:$a: NanoCore 0x56da9:$a: NanoCore 0x6fd43:$a: NanoCore 0x6fd58:$a: NanoCore 0x6fd8d:$a: NanoCore 0x43607:$b: ClientPlugin 0x43644:$b: ClientPlugin 0x43f42:$b: ClientPlugin 0x43f4f:$b: ClientPlugin 0x56b1b:$b: ClientPlugin 0x56b36:$b: ClientPlugin 0x56b66:$b: ClientPlugin 0x56d7d:$b: ClientPlugin 0x56db2:$b: ClientPlugin 0x6faff:$b: ClientPlugin 0x6fb1a:$b: ClientPlugin
0000001B.00000002.449610369.0000000003491000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000002.449610369.0000000003491000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6936b:$a: NanoCore 0x693c4:$a: NanoCore 0x69401:$a: NanoCore 0x6947a:$a: NanoCore 0x693cd:$b: ClientPlugin 0x6940a:$b: ClientPlugin 0x69d08:$b: ClientPlugin 0x69d15:$b: ClientPlugin 0x5f4e0:$e: KeepAlive 0x69855:$g: LogClientMessage 0x697d5:$i: get_Connected 0x597a1:$j: #=q 0x597d1:$j: #=q 0x5980d:$j: #=q 0x59835:$j: #=q 0x59865:$j: #=q 0x59895:$j: #=q 0x598c5:$j: #=q 0x598f5:$j: #=q 0x59911:$j: #=q 0x59941:$j: #=q
0000000E.00000002.435389639.0000000002FC1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000009.00000002.607967437.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000002.607967437.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000002.607967437.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.381024024.0000000002D5E000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000009.00000000.370237715.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000000.370237715.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000000.370237715.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000002.437386781.0000000003FC9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf95e5:$x1: NanoCore.ClientPluginHost 0x12c205:$x1: NanoCore.ClientPluginHost 0x2849ad:$x1: NanoCore.ClientPluginHost 0xf9622:$x2: IClientNetworkHost 0x12c242:$x2: IClientNetworkHost 0x2849ea:$x2: IClientNetworkHost 0xfd155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12fd75:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x28851d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.437386781.0000000003FC9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.437386781.0000000003FC9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf934d:$a: NanoCore 0xf935d:$a: NanoCore 0xf9591:$a: NanoCore 0xf95a5:$a: NanoCore 0xf95e5:$a: NanoCore 0x12bf6d:$a: NanoCore 0x12bf7d:$a: NanoCore 0x12c1b1:$a: NanoCore 0x12c1c5:$a: NanoCore 0x12c205:$a: NanoCore 0x284715:$a: NanoCore 0x284725:$a: NanoCore 0x284959:$a: NanoCore 0x28496d:$a: NanoCore 0x2849ad:$a: NanoCore 0xf93ac:$b: ClientPlugin 0xf95ae:$b: ClientPlugin 0xf95ee:$b: ClientPlugin 0x12bfcc:$b: ClientPlugin 0x12c1ce:$b: ClientPlugin 0x12c20e:$b: ClientPlugin
00000001.00000002.382063003.0000000003C49000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf95e5:$x1: NanoCore.ClientPluginHost 0x12c205:$x1: NanoCore.ClientPluginHost 0x2849ad:$x1: NanoCore.ClientPluginHost 0xf9622:$x2: IClientNetworkHost 0x12c242:$x2: IClientNetworkHost 0x2849ea:$x2: IClientNetworkHost 0xfd155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12fd75:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x28851d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.382063003.0000000003C49000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.382063003.0000000003C49000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf934d:$a: NanoCore 0xf935d:$a: NanoCore 0xf9591:$a: NanoCore 0xf95a5:$a: NanoCore 0xf95e5:$a: NanoCore 0x12bf6d:$a: NanoCore 0x12bf7d:$a: NanoCore 0x12c1b1:$a: NanoCore 0x12c1c5:$a: NanoCore 0x12c205:$a: NanoCore 0x284715:$a: NanoCore 0x284725:$a: NanoCore 0x284959:$a: NanoCore 0x28496d:$a: NanoCore 0x2849ad:$a: NanoCore 0xf93ac:$b: ClientPlugin 0xf95ae:$b: ClientPlugin 0xf95ee:$b: ClientPlugin 0x12bfcc:$b: ClientPlugin 0x12c1ce:$b: ClientPlugin 0x12c20e:$b: ClientPlugin
00000009.00000000.378298727.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000000.378298727.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000000.378298727.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001B.00000000.429163974.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001B.00000000.429163974.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000000.429163974.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000009.00000002.613519812.0000000003CF9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000002.613519812.0000000003CF9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435a5:$a: NanoCore 0x435fe:$a: NanoCore 0x4363b:$a: NanoCore 0x436b4:$a: NanoCore 0x56d5f:$a: NanoCore 0x56d74:$a: NanoCore 0x56da9:$a: NanoCore 0x6fd43:$a: NanoCore 0x6fd58:$a: NanoCore 0x6fd8d:$a: NanoCore 0x43607:$b: ClientPlugin 0x43644:$b: ClientPlugin 0x43f42:$b: ClientPlugin 0x43f4f:$b: ClientPlugin 0x56b1b:$b: ClientPlugin 0x56b36:$b: ClientPlugin 0x56b66:$b: ClientPlugin 0x56d7d:$b: ClientPlugin 0x56db2:$b: ClientPlugin 0x6faff:$b: ClientPlugin 0x6fb1a:$b: ClientPlugin
00000009.00000000.376991452.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000000.376991452.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000000.376991452.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001B.00000000.429929302.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001B.00000000.429929302.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001B.00000000.429929302.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000009.00000002.615717844.00000000055F0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000009.00000002.615717844.00000000055F0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000009.00000002.616228293.0000000006470000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000009.00000002.616228293.0000000006470000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000009.00000002.616228293.0000000006470000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.436014172.00000000030EB000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000013.00000002.428142089.0000000002CC1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: tj9KzQvUFy.exe PID: 7016	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xa4024:$x1: NanoCore.ClientPluginHost 0xa4061:$x2: IClientNetworkHost 0xa75e0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb238a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xbe350:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x17b977:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: tj9KzQvUFy.exe PID: 7016	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: tj9KzQvUFy.exe PID: 7016	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: tj9KzQvUFy.exe PID: 7016	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xa3d51:$a: NanoCore 0xa3d61:$a: NanoCore 0xa3dc9:$a: NanoCore 0xa3dd8:$a: NanoCore 0xa3fd0:$a: NanoCore 0xa3fe4:$a: NanoCore 0xa4024:$a: NanoCore 0xae9f4:$a: NanoCore 0xaea06:$a: NanoCore 0xaea42:$a: NanoCore 0xba9ba:$a: NanoCore 0xba9cc:$a: NanoCore 0xbaa08:$a: NanoCore 0x177fe1:$a: NanoCore 0x177ff3:$a: NanoCore 0x17802f:$a: NanoCore 0xa3d75:$b: ClientPlugin 0xa3e22:$b: ClientPlugin 0xa3fed:$b: ClientPlugin 0xa402d:$b: ClientPlugin 0xaea0f:$b: ClientPlugin
Process Memory Space: tj9KzQvUFy.exe PID: 6192	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xcc58:$x1: NanoCore.ClientPluginHost 0xcc72:$x2: IClientNetworkHost 0x21689:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2c3b0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: tj9KzQvUFy.exe PID: 6192	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: tj9KzQvUFy.exe PID: 6192	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3202:$a: NanoCore 0x325d:$a: NanoCore 0x32d4:$a: NanoCore 0xcbc2:$a: NanoCore 0xcc1b:$a: NanoCore 0xcc58:$a: NanoCore 0xccd1:$a: NanoCore 0xd2bc:$a: NanoCore 0xd30f:$a: NanoCore 0xd348:$a: NanoCore 0xd3bb:$a: NanoCore 0x1dfde:$a: NanoCore 0x1dfee:$a: NanoCore 0x1e049:$a: NanoCore 0x1e058:$a: NanoCore 0x28a1a:$a: NanoCore 0x28a2c:$a: NanoCore 0x28a68:$a: NanoCore 0x6aee5:$a: NanoCore 0x6aef8:$a: NanoCore 0x6af2a:$a: NanoCore
Process Memory Space: tj9KzQvUFy.exe PID: 5776	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x629e3:$x1: NanoCore.ClientPluginHost 0x62a20:$x2: IClientNetworkHost 0x660f0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x70f63:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7cf29:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x13a6a4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: tj9KzQvUFy.exe PID: 5776	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: tj9KzQvUFy.exe PID: 5776	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: tj9KzQvUFy.exe PID: 5776	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x626ed:$a: NanoCore 0x626fd:$a: NanoCore 0x62788:$a: NanoCore 0x62797:$a: NanoCore 0x6298f:$a: NanoCore 0x629a3:$a: NanoCore 0x629e3:$a: NanoCore 0x6d5cd:$a: NanoCore 0x6d5df:$a: NanoCore 0x6d61b:$a: NanoCore 0x79593:$a: NanoCore 0x795a5:$a: NanoCore 0x795e1:$a: NanoCore 0x136d0e:$a: NanoCore 0x136d20:$a: NanoCore 0x136d5c:$a: NanoCore 0x62727:$b: ClientPlugin 0x627e1:$b: ClientPlugin 0x629ac:$b: ClientPlugin 0x629ec:$b: ClientPlugin 0x6d5e8:$b: ClientPlugin
Process Memory Space: dhcpmon.exe PID: 6732	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 7072	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: tj9KzQvUFy.exe PID: 4804	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb91e:$x1: NanoCore.ClientPluginHost 0xb95b:$x2: IClientNetworkHost 0xf02b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x19ea6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: tj9KzQvUFy.exe PID: 4804	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: tj9KzQvUFy.exe PID: 4804	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb61f:$a: NanoCore 0xb62f:$a: NanoCore 0xb6ba:$a: NanoCore 0xb6c9:$a: NanoCore 0xb8ca:$a: NanoCore 0xb8de:$a: NanoCore 0xb91e:$a: NanoCore 0x16510:$a: NanoCore 0x16522:$a: NanoCore 0x1655e:$a: NanoCore 0x2faa7:$a: NanoCore 0x2fb02:$a: NanoCore 0x2fb76:$a: NanoCore 0x44a50:$a: NanoCore 0x44cb2:$a: NanoCore 0x44d05:$a: NanoCore 0x44d3e:$a: NanoCore 0x44db1:$a: NanoCore 0x4aaf8:$a: NanoCore 0x4ab0b:$a: NanoCore 0x4ab3d:$a: NanoCore
Click to see the 65 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.tj9KzQvUFy.exe.6470000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
9.2.tj9KzQvUFy.exe.6470000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
9.2.tj9KzQvUFy.exe.6470000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.tj9KzQvUFy.exe.2c617a8.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
9.0.tj9KzQvUFy.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.0.tj9KzQvUFy.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
9.0.tj9KzQvUFy.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.0.tj9KzQvUFy.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
27.0.tj9KzQvUFy.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
27.0.tj9KzQvUFy.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
27.0.tj9KzQvUFy.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.0.tj9KzQvUFy.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
9.2.tj9KzQvUFy.exe.3d405fc.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
9.2.tj9KzQvUFy.exe.3d405fc.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
9.2.tj9KzQvUFy.exe.3d405fc.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.2.tj9KzQvUFy.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
27.2.tj9KzQvUFy.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
27.2.tj9KzQvUFy.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.2.tj9KzQvUFy.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
27.0.tj9KzQvUFy.exe.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
27.0.tj9KzQvUFy.exe.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
27.0.tj9KzQvUFy.exe.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.0.tj9KzQvUFy.exe.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
27.2.tj9KzQvUFy.exe.34f958c.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
27.2.tj9KzQvUFy.exe.34f958c.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
1.2.tj9KzQvUFy.exe.3d32458.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.tj9KzQvUFy.exe.3d32458.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.tj9KzQvUFy.exe.3d32458.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.tj9KzQvUFy.exe.3d32458.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
27.2.tj9KzQvUFy.exe.44e05fc.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28791:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287be:$x2: IClientNetworkHost
27.2.tj9KzQvUFy.exe.44e05fc.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28791:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2986c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287ab:$s5: IClientLoggingHost
27.2.tj9KzQvUFy.exe.44e05fc.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.tj9KzQvUFy.exe.2d1db74.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
9.2.tj9KzQvUFy.exe.2d1db74.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
27.0.tj9KzQvUFy.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
27.0.tj9KzQvUFy.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
27.0.tj9KzQvUFy.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.0.tj9KzQvUFy.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
27.0.tj9KzQvUFy.exe.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
27.0.tj9KzQvUFy.exe.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
27.0.tj9KzQvUFy.exe.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.0.tj9KzQvUFy.exe.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
9.0.tj9KzQvUFy.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.0.tj9KzQvUFy.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
9.0.tj9KzQvUFy.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.0.tj9KzQvUFy.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
9.2.tj9KzQvUFy.exe.3d44c25.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24168:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x24195:$x2: IClientNetworkHost
9.2.tj9KzQvUFy.exe.3d44c25.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24168:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25243:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x24182:$s5: IClientLoggingHost
9.2.tj9KzQvUFy.exe.3d44c25.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.tj9KzQvUFy.exe.40b2458.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.tj9KzQvUFy.exe.40b2458.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.2.tj9KzQvUFy.exe.40b2458.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.tj9KzQvUFy.exe.40b2458.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
9.2.tj9KzQvUFy.exe.6470000.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
9.2.tj9KzQvUFy.exe.6470000.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
9.2.tj9KzQvUFy.exe.6470000.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.0.tj9KzQvUFy.exe.400000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.0.tj9KzQvUFy.exe.400000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
9.0.tj9KzQvUFy.exe.400000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.0.tj9KzQvUFy.exe.400000.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
27.0.tj9KzQvUFy.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
27.0.tj9KzQvUFy.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
27.0.tj9KzQvUFy.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.0.tj9KzQvUFy.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
27.2.tj9KzQvUFy.exe.44db7c6.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5c7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5f4:$x2: IClientNetworkHost
27.2.tj9KzQvUFy.exe.44db7c6.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5c7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6a2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5e1:$s5: IClientLoggingHost
27.2.tj9KzQvUFy.exe.44db7c6.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
27.2.tj9KzQvUFy.exe.44db7c6.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d57d:$a: NanoCore 0x2d592:$a: NanoCore 0x2d5c7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d339:$b: ClientPlugin 0x2d354:$b: ClientPlugin
14.2.tj9KzQvUFy.exe.40e5078.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.tj9KzQvUFy.exe.40e5078.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.2.tj9KzQvUFy.exe.40e5078.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.tj9KzQvUFy.exe.40e5078.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.tj9KzQvUFy.exe.3de55e0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe83cd:$x1: NanoCore.ClientPluginHost 0xe840a:$x2: IClientNetworkHost 0xebf3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.tj9KzQvUFy.exe.3de55e0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.tj9KzQvUFy.exe.3de55e0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe8135:$a: NanoCore 0xe8145:$a: NanoCore 0xe8379:$a: NanoCore 0xe838d:$a: NanoCore 0xe83cd:$a: NanoCore 0xe8194:$b: ClientPlugin 0xe8396:$b: ClientPlugin 0xe83d6:$b: ClientPlugin 0x183c6:$c: ProjectData 0x845e6:$c: ProjectData 0xe82bb:$c: ProjectData 0xe8cc2:$d: DESCrypto 0xf068e:$e: KeepAlive 0xee67c:$g: LogClientMessage 0xea877:$i: get_Connected 0xe8ff8:$j: #=q 0xe9028:$j: #=q 0xe9044:$j: #=q 0xe9074:$j: #=q 0xe9090:$j: #=q 0xe90ac:$j: #=q
9.2.tj9KzQvUFy.exe.3d3b7c6.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5c7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5f4:$x2: IClientNetworkHost
9.2.tj9KzQvUFy.exe.3d3b7c6.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5c7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6a2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5e1:$s5: IClientLoggingHost
9.2.tj9KzQvUFy.exe.3d3b7c6.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.tj9KzQvUFy.exe.3d3b7c6.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d57d:$a: NanoCore 0x2d592:$a: NanoCore 0x2d5c7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d339:$b: ClientPlugin 0x2d354:$b: ClientPlugin
14.2.tj9KzQvUFy.exe.2fe17a8.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
9.2.tj9KzQvUFy.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.tj9KzQvUFy.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
9.2.tj9KzQvUFy.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.tj9KzQvUFy.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
9.2.tj9KzQvUFy.exe.55f0000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
9.2.tj9KzQvUFy.exe.55f0000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
27.2.tj9KzQvUFy.exe.44e05fc.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
27.2.tj9KzQvUFy.exe.44e05fc.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
27.2.tj9KzQvUFy.exe.44e05fc.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.tj9KzQvUFy.exe.3d405fc.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28791:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287be:$x2: IClientNetworkHost
9.2.tj9KzQvUFy.exe.3d405fc.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28791:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2986c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287ab:$s5: IClientLoggingHost
9.2.tj9KzQvUFy.exe.3d405fc.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.tj9KzQvUFy.exe.6474629.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
9.2.tj9KzQvUFy.exe.6474629.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
9.2.tj9KzQvUFy.exe.6474629.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.0.tj9KzQvUFy.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.0.tj9KzQvUFy.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
9.0.tj9KzQvUFy.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.0.tj9KzQvUFy.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
27.2.tj9KzQvUFy.exe.44e4c25.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24168:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x24195:$x2: IClientNetworkHost
27.2.tj9KzQvUFy.exe.44e4c25.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24168:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25243:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x24182:$s5: IClientLoggingHost
27.2.tj9KzQvUFy.exe.44e4c25.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.0.tj9KzQvUFy.exe.400000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.0.tj9KzQvUFy.exe.400000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
9.0.tj9KzQvUFy.exe.400000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.0.tj9KzQvUFy.exe.400000.12.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.tj9KzQvUFy.exe.3d65078.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x168935:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x168972:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x16c4a5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.tj9KzQvUFy.exe.3d65078.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.tj9KzQvUFy.exe.3d65078.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x16869d:$a: NanoCore 0x1686ad:$a: NanoCore 0x1688e1:$a: NanoCore 0x1688f5:$a: NanoCore 0x168935:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1686fc:$b: ClientPlugin 0x1688fe:$b: ClientPlugin 0x16893e:$b: ClientPlugin 0x1007b:$c: ProjectData 0x9892e:$c: ProjectData 0x104b4e:$c: ProjectData 0x168823:$c: ProjectData 0x10a82:$d: DESCrypto
1.2.tj9KzQvUFy.exe.3d65078.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.tj9KzQvUFy.exe.3d65078.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.tj9KzQvUFy.exe.3d65078.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.tj9KzQvUFy.exe.3d65078.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.tj9KzQvUFy.exe.3d32458.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x19b555:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x19b592:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x19f0c5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.tj9KzQvUFy.exe.3d32458.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.tj9KzQvUFy.exe.3d32458.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0x19b2bd:$a: NanoCore 0x19b2cd:$a: NanoCore 0x19b501:$a: NanoCore 0x19b515:$a: NanoCore 0x19b555:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin
17.2.dhcpmon.exe.2ae18e4.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
14.2.tj9KzQvUFy.exe.41655e0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe83cd:$x1: NanoCore.ClientPluginHost 0xe840a:$x2: IClientNetworkHost 0xebf3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.tj9KzQvUFy.exe.41655e0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.tj9KzQvUFy.exe.41655e0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe8135:$a: NanoCore 0xe8145:$a: NanoCore 0xe8379:$a: NanoCore 0xe838d:$a: NanoCore 0xe83cd:$a: NanoCore 0xe8194:$b: ClientPlugin 0xe8396:$b: ClientPlugin 0xe83d6:$b: ClientPlugin 0x183c6:$c: ProjectData 0x845e6:$c: ProjectData 0xe82bb:$c: ProjectData 0xe8cc2:$d: DESCrypto 0xf068e:$e: KeepAlive 0xee67c:$g: LogClientMessage 0xea877:$i: get_Connected 0xe8ff8:$j: #=q 0xe9028:$j: #=q 0xe9044:$j: #=q 0xe9074:$j: #=q 0xe9090:$j: #=q 0xe90ac:$j: #=q
19.2.dhcpmon.exe.2ce18e4.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
14.2.tj9KzQvUFy.exe.40e5078.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x168935:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x168972:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x16c4a5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.tj9KzQvUFy.exe.40e5078.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.tj9KzQvUFy.exe.40e5078.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x16869d:$a: NanoCore 0x1686ad:$a: NanoCore 0x1688e1:$a: NanoCore 0x1688f5:$a: NanoCore 0x168935:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1686fc:$b: ClientPlugin 0x1688fe:$b: ClientPlugin 0x16893e:$b: ClientPlugin 0x1007b:$c: ProjectData 0x9892e:$c: ProjectData 0x104b4e:$c: ProjectData 0x168823:$c: ProjectData 0x10a82:$d: DESCrypto
14.2.tj9KzQvUFy.exe.40b2458.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x19b555:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x19b592:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x19f0c5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.tj9KzQvUFy.exe.40b2458.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.tj9KzQvUFy.exe.40b2458.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0x19b2bd:$a: NanoCore 0x19b2cd:$a: NanoCore 0x19b501:$a: NanoCore 0x19b515:$a: NanoCore 0x19b555:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin
Click to see the 122 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\tj9KzQvUFy.exe, ProcessId: 6192, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\tj9KzQvUFy.exe, ProcessId: 6192, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp

Show sources

Source: Process started

Author: frack113: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QWtzAVmnpKpJx" /XML "C:\Users\user\AppData\Local\Temp\tmp6B9E.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QWtzAVmnpKpJx" /XML "C:\Users\user\AppData\Local\Temp\tmp6B9E.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\tj9KzQvUFy.exe" , ParentImage: C:\Users\user\Desktop\tj9KzQvUFy.exe, ParentProcessId: 7016, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QWtzAVmnpKpJx" /XML "C:\Users\user\AppData\Local\Temp\tmp6B9E.tmp, ProcessId: 6320

Sigma detected: Powershell Defender Exclusion

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\tj9KzQvUFy.exe" , ParentImage: C:\Users\user\Desktop\tj9KzQvUFy.exe, ParentProcessId: 7016, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe, ProcessId: 6344

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\tj9KzQvUFy.exe" , ParentImage: C:\Users\user\Desktop\tj9KzQvUFy.exe, ParentProcessId: 7016, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe, ProcessId: 6344

Sigma detected: T1086 PowerShell Execution

Show sources

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132822454931587378.6344.DefaultAppDomain.powershell

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\tj9KzQvUFy.exe, ProcessId: 6192, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\tj9KzQvUFy.exe, ProcessId: 6192, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: tj9KzQvUFy.exe	Virustotal: Detection: 39%			Perma Link
Source: tj9KzQvUFy.exe	ReversingLabs: Detection: 56%

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe	ReversingLabs: Detection: 56%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.6470000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tj9KzQvUFy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.tj9KzQvUFy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.3d405fc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.tj9KzQvUFy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.tj9KzQvUFy.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tj9KzQvUFy.exe.3d32458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.tj9KzQvUFy.exe.44e05fc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.tj9KzQvUFy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.tj9KzQvUFy.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tj9KzQvUFy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.3d44c25.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.tj9KzQvUFy.exe.40b2458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.6470000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tj9KzQvUFy.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.tj9KzQvUFy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.tj9KzQvUFy.exe.44db7c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.tj9KzQvUFy.exe.40e5078.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tj9KzQvUFy.exe.3de55e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.3d3b7c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.tj9KzQvUFy.exe.44e05fc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.3d405fc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.6474629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tj9KzQvUFy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.tj9KzQvUFy.exe.44e4c25.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tj9KzQvUFy.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tj9KzQvUFy.exe.3d65078.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tj9KzQvUFy.exe.3d65078.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tj9KzQvUFy.exe.3d32458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.tj9KzQvUFy.exe.41655e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.tj9KzQvUFy.exe.40e5078.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.tj9KzQvUFy.exe.40b2458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.448411736.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.377573313.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.428587320.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.610929952.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.430610675.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.449720348.0000000004499000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.449610369.0000000003491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.607967437.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.370237715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.437386781.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.382063003.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.378298727.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.429163974.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.613519812.0000000003CF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.376991452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.429929302.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.616228293.0000000006470000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tj9KzQvUFy.exe PID: 7016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tj9KzQvUFy.exe PID: 6192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tj9KzQvUFy.exe PID: 5776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tj9KzQvUFy.exe PID: 4804, type: MEMORYSTR

Source: 27.2.tj9KzQvUFy.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.tj9KzQvUFy.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.0.tj9KzQvUFy.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.tj9KzQvUFy.exe.6470000.8.unpack	Avira: Label: TR/NanoCore.fadte
Source: 27.0.tj9KzQvUFy.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.tj9KzQvUFy.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.tj9KzQvUFy.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.0.tj9KzQvUFy.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.0.tj9KzQvUFy.exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 27.0.tj9KzQvUFy.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.0.tj9KzQvUFy.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.tj9KzQvUFy.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.0.tj9KzQvUFy.exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: tj9KzQvUFy.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: tj9KzQvUFy.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: tj9KzQvUFy.exe, 00000009.00000003.557589778.0000000001119000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: tj9KzQvUFy.exe, 00000009.00000002.609929993.00000000010E4000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbpH source: tj9KzQvUFy.exe, 00000009.00000002.609929993.00000000010E4000.00000004.00000020.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49757 -> 185.140.53.131:6262
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49758 -> 185.140.53.131:6262
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49759 -> 185.140.53.131:6262
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49762 -> 185.140.53.131:6262
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49766 -> 185.140.53.131:6262
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49772 -> 185.140.53.131:6262
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49775 -> 185.140.53.131:6262
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49795 -> 185.140.53.131:6262
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49811 -> 185.140.53.131:6262
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49816 -> 185.140.53.131:6262
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49819 -> 185.140.53.131:6262
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49844 -> 185.140.53.131:6262
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49845 -> 185.140.53.131:6262
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49847 -> 185.140.53.131:6262
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49848 -> 185.140.53.131:6262

Source: global traffic

TCP traffic: 192.168.2.6:49757 -> 185.140.53.131:6262

Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: tj9KzQvUFy.exe, 00000001.00000002.380810422.0000000002C41000.00000004.00000001.sdmp, tj9KzQvUFy.exe, 0000000E.00000002.435389639.0000000002FC1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: dhcpmon.exe, 00000013.00000002.428142089.0000000002CC1000.00000004.00000001.sdmp	String found in binary or memory: http://www.chinhdo.com
Source: tj9KzQvUFy.exe, 00000001.00000002.380523369.0000000001157000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: tj9KzQvUFy.exe	String found in binary or memory: http://www.rbadams.com/Automation/Configuration
Source: tj9KzQvUFy.exe	String found in binary or memory: http://www.rbadams.com/Automation/Configuration6
Source: tj9KzQvUFy.exe	String found in binary or memory: http://www.rbadams.com/Automation/ConfigurationT
Source: tj9KzQvUFy.exe	String found in binary or memory: http://www.rbadams.com/Automation/ISO
Source: tj9KzQvUFy.exe	String found in binary or memory: http://www.rbadams.com/Automation/ISOD
Source: tj9KzQvUFy.exe	String found in binary or memory: http://www.rbadams.com/Automation/ISOG
Source: tj9KzQvUFy.exe	String found in binary or memory: http://www.rbadams.com/Automation/ISOT
Source: dhcpmon.exe	String found in binary or memory: http://www.rbadams.com/Automation/Job
Source: dhcpmon.exe	String found in binary or memory: http://www.rbadams.com/Automation/JobCollection
Source: tj9KzQvUFy.exe	String found in binary or memory: http://www.rbadams.com/Automation/JobCollection#JobCollection.xsdKhttp://www.rbadams.com/Automation/
Source: tj9KzQvUFy.exe	String found in binary or memory: http://www.rbadams.com/Automation/JobCollectionK
Source: tj9KzQvUFy.exe	String found in binary or memory: http://www.rbadams.com/Automation/JobCollectionN
Source: tj9KzQvUFy.exe	String found in binary or memory: http://www.rbadams.com/Automation/JobCollectionT
Source: tj9KzQvUFy.exe	String found in binary or memory: http://www.rbadams.com/Automation/JobD
Source: tj9KzQvUFy.exe	String found in binary or memory: http://www.rbadams.com/Automation/JobQ
Source: tj9KzQvUFy.exe	String found in binary or memory: http://www.rbadams.com/Automation/JobT
Source: tj9KzQvUFy.exe	String found in binary or memory: http://www.rbadams.com/Automation/Package
Source: tj9KzQvUFy.exe	String found in binary or memory: http://www.rbadams.com/Automation/PackageA
Source: tj9KzQvUFy.exe	String found in binary or memory: http://www.rbadams.com/Automation/PackageH
Source: tj9KzQvUFy.exe	String found in binary or memory: http://www.rbadams.com/Automation/PackageT
Source: tj9KzQvUFy.exe	String found in binary or memory: http://www.rbadams.com/Automation/Sequence
Source: tj9KzQvUFy.exe	String found in binary or memory: http://www.rbadams.com/Automation/SequenceI
Source: tj9KzQvUFy.exe	String found in binary or memory: http://www.rbadams.com/Automation/SequenceT
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: 6262.hopto.org

Source: dhcpmon.exe, 00000011.00000002.404679729.0000000000DE8000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: tj9KzQvUFy.exe, 00000009.00000002.613519812.0000000003CF9000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.6470000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tj9KzQvUFy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.tj9KzQvUFy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.3d405fc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.tj9KzQvUFy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.tj9KzQvUFy.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tj9KzQvUFy.exe.3d32458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.tj9KzQvUFy.exe.44e05fc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.tj9KzQvUFy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.tj9KzQvUFy.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tj9KzQvUFy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.3d44c25.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.tj9KzQvUFy.exe.40b2458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.6470000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tj9KzQvUFy.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.tj9KzQvUFy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.tj9KzQvUFy.exe.44db7c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.tj9KzQvUFy.exe.40e5078.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tj9KzQvUFy.exe.3de55e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.3d3b7c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.tj9KzQvUFy.exe.44e05fc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.3d405fc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.6474629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tj9KzQvUFy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.tj9KzQvUFy.exe.44e4c25.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tj9KzQvUFy.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tj9KzQvUFy.exe.3d65078.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tj9KzQvUFy.exe.3d65078.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tj9KzQvUFy.exe.3d32458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.tj9KzQvUFy.exe.41655e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.tj9KzQvUFy.exe.40e5078.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.tj9KzQvUFy.exe.40b2458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.448411736.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.377573313.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.428587320.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.610929952.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.430610675.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.449720348.0000000004499000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.449610369.0000000003491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.607967437.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.370237715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.437386781.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.382063003.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.378298727.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.429163974.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.613519812.0000000003CF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.376991452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.429929302.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.616228293.0000000006470000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tj9KzQvUFy.exe PID: 7016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tj9KzQvUFy.exe PID: 6192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tj9KzQvUFy.exe PID: 5776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tj9KzQvUFy.exe PID: 4804, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 9.2.tj9KzQvUFy.exe.6470000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.tj9KzQvUFy.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.tj9KzQvUFy.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.0.tj9KzQvUFy.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.tj9KzQvUFy.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.tj9KzQvUFy.exe.3d405fc.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.tj9KzQvUFy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.tj9KzQvUFy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.0.tj9KzQvUFy.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.tj9KzQvUFy.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.tj9KzQvUFy.exe.34f958c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.tj9KzQvUFy.exe.3d32458.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.tj9KzQvUFy.exe.3d32458.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.tj9KzQvUFy.exe.44e05fc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.tj9KzQvUFy.exe.2d1db74.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.tj9KzQvUFy.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.tj9KzQvUFy.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.0.tj9KzQvUFy.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.tj9KzQvUFy.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.0.tj9KzQvUFy.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.tj9KzQvUFy.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.tj9KzQvUFy.exe.3d44c25.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.tj9KzQvUFy.exe.40b2458.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.tj9KzQvUFy.exe.40b2458.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.tj9KzQvUFy.exe.6470000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.tj9KzQvUFy.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.tj9KzQvUFy.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.0.tj9KzQvUFy.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.0.tj9KzQvUFy.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.tj9KzQvUFy.exe.44db7c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.tj9KzQvUFy.exe.44db7c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.tj9KzQvUFy.exe.40e5078.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.tj9KzQvUFy.exe.40e5078.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.tj9KzQvUFy.exe.3de55e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.tj9KzQvUFy.exe.3de55e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.tj9KzQvUFy.exe.3d3b7c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.tj9KzQvUFy.exe.3d3b7c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.tj9KzQvUFy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.tj9KzQvUFy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.tj9KzQvUFy.exe.55f0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 27.2.tj9KzQvUFy.exe.44e05fc.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.tj9KzQvUFy.exe.3d405fc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.tj9KzQvUFy.exe.6474629.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.tj9KzQvUFy.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.tj9KzQvUFy.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.tj9KzQvUFy.exe.44e4c25.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.tj9KzQvUFy.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.tj9KzQvUFy.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.tj9KzQvUFy.exe.3d65078.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.tj9KzQvUFy.exe.3d65078.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.tj9KzQvUFy.exe.3d65078.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.tj9KzQvUFy.exe.3d65078.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.tj9KzQvUFy.exe.3d32458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.tj9KzQvUFy.exe.3d32458.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.tj9KzQvUFy.exe.41655e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.tj9KzQvUFy.exe.41655e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.tj9KzQvUFy.exe.40e5078.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.tj9KzQvUFy.exe.40e5078.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.tj9KzQvUFy.exe.40b2458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.tj9KzQvUFy.exe.40b2458.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.448411736.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000002.448411736.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000000.377573313.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000000.377573313.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000000.428587320.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000000.428587320.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000000.430610675.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000000.430610675.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.449720348.0000000004499000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.449610369.0000000003491000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.607967437.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.607967437.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000000.370237715.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000000.370237715.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.437386781.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.437386781.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.382063003.0000000003C49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.382063003.0000000003C49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000000.378298727.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000000.378298727.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000000.429163974.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000000.429163974.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.613519812.0000000003CF9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000000.376991452.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000000.376991452.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000000.429929302.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000000.429929302.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.615717844.00000000055F0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.616228293.0000000006470000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: tj9KzQvUFy.exe PID: 7016, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: tj9KzQvUFy.exe PID: 7016, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: tj9KzQvUFy.exe PID: 6192, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: tj9KzQvUFy.exe PID: 6192, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: tj9KzQvUFy.exe PID: 5776, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: tj9KzQvUFy.exe PID: 5776, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: tj9KzQvUFy.exe PID: 4804, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: tj9KzQvUFy.exe PID: 4804, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: tj9KzQvUFy.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 9.2.tj9KzQvUFy.exe.6470000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.tj9KzQvUFy.exe.6470000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.0.tj9KzQvUFy.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.0.tj9KzQvUFy.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.0.tj9KzQvUFy.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.0.tj9KzQvUFy.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.0.tj9KzQvUFy.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.tj9KzQvUFy.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.tj9KzQvUFy.exe.3d405fc.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.tj9KzQvUFy.exe.3d405fc.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.2.tj9KzQvUFy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.tj9KzQvUFy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.2.tj9KzQvUFy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.0.tj9KzQvUFy.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.0.tj9KzQvUFy.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.tj9KzQvUFy.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.tj9KzQvUFy.exe.34f958c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.tj9KzQvUFy.exe.34f958c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tj9KzQvUFy.exe.3d32458.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.tj9KzQvUFy.exe.3d32458.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tj9KzQvUFy.exe.3d32458.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.tj9KzQvUFy.exe.44e05fc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.tj9KzQvUFy.exe.44e05fc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.tj9KzQvUFy.exe.2d1db74.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.tj9KzQvUFy.exe.2d1db74.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.tj9KzQvUFy.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.0.tj9KzQvUFy.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.tj9KzQvUFy.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.0.tj9KzQvUFy.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.0.tj9KzQvUFy.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.tj9KzQvUFy.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.0.tj9KzQvUFy.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.0.tj9KzQvUFy.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.0.tj9KzQvUFy.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.tj9KzQvUFy.exe.3d44c25.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.tj9KzQvUFy.exe.3d44c25.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.tj9KzQvUFy.exe.40b2458.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.tj9KzQvUFy.exe.40b2458.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.tj9KzQvUFy.exe.40b2458.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.tj9KzQvUFy.exe.6470000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.tj9KzQvUFy.exe.6470000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.0.tj9KzQvUFy.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.0.tj9KzQvUFy.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.0.tj9KzQvUFy.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.0.tj9KzQvUFy.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.0.tj9KzQvUFy.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.0.tj9KzQvUFy.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.tj9KzQvUFy.exe.44db7c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.tj9KzQvUFy.exe.44db7c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.2.tj9KzQvUFy.exe.44db7c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.tj9KzQvUFy.exe.40e5078.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.tj9KzQvUFy.exe.40e5078.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.tj9KzQvUFy.exe.40e5078.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.tj9KzQvUFy.exe.3de55e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.tj9KzQvUFy.exe.3de55e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.tj9KzQvUFy.exe.3d3b7c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.tj9KzQvUFy.exe.3d3b7c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.tj9KzQvUFy.exe.3d3b7c6.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.tj9KzQvUFy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.tj9KzQvUFy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.tj9KzQvUFy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.tj9KzQvUFy.exe.55f0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.tj9KzQvUFy.exe.55f0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 27.2.tj9KzQvUFy.exe.44e05fc.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.tj9KzQvUFy.exe.44e05fc.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.tj9KzQvUFy.exe.3d405fc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.tj9KzQvUFy.exe.3d405fc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.tj9KzQvUFy.exe.6474629.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.tj9KzQvUFy.exe.6474629.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.0.tj9KzQvUFy.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.0.tj9KzQvUFy.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.0.tj9KzQvUFy.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 27.2.tj9KzQvUFy.exe.44e4c25.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 27.2.tj9KzQvUFy.exe.44e4c25.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.0.tj9KzQvUFy.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.0.tj9KzQvUFy.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.0.tj9KzQvUFy.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.tj9KzQvUFy.exe.3d65078.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.tj9KzQvUFy.exe.3d65078.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.tj9KzQvUFy.exe.3d65078.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.tj9KzQvUFy.exe.3d65078.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.tj9KzQvUFy.exe.3d65078.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.tj9KzQvUFy.exe.3d32458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.tj9KzQvUFy.exe.3d32458.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.tj9KzQvUFy.exe.41655e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.tj9KzQvUFy.exe.41655e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.tj9KzQvUFy.exe.40e5078.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.tj9KzQvUFy.exe.40e5078.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.tj9KzQvUFy.exe.40b2458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.tj9KzQvUFy.exe.40b2458.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.448411736.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000002.448411736.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000000.377573313.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000000.377573313.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000000.428587320.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000000.428587320.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000000.430610675.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000000.430610675.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.449720348.0000000004499000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000002.449610369.0000000003491000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.607967437.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.607967437.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000000.370237715.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000000.370237715.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.437386781.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.437386781.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.382063003.0000000003C49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.382063003.0000000003C49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000000.378298727.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000000.378298727.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000000.429163974.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000000.429163974.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.613519812.0000000003CF9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000000.376991452.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000000.376991452.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001B.00000000.429929302.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001B.00000000.429929302.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.615717844.00000000055F0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.615717844.00000000055F0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000002.616228293.0000000006470000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.616228293.0000000006470000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: tj9KzQvUFy.exe PID: 7016, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: tj9KzQvUFy.exe PID: 7016, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: tj9KzQvUFy.exe PID: 6192, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: tj9KzQvUFy.exe PID: 6192, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: tj9KzQvUFy.exe PID: 5776, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: tj9KzQvUFy.exe PID: 5776, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: tj9KzQvUFy.exe PID: 4804, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: tj9KzQvUFy.exe PID: 4804, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 1_2_0113C034	1_2_0113C034
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 1_2_0113E633	1_2_0113E633
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 1_2_0113E638	1_2_0113E638
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 9_2_0124E471	9_2_0124E471
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 9_2_0124E480	9_2_0124E480
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 9_2_0124BBD4	9_2_0124BBD4
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 9_2_052CF5F8	9_2_052CF5F8
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 9_2_052C9788	9_2_052C9788
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 9_2_052CA5D0	9_2_052CA5D0
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 9_2_06940040	9_2_06940040
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 14_2_02D9C034	14_2_02D9C034
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 14_2_02D9E638	14_2_02D9E638
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 14_2_02D9E62A	14_2_02D9E62A
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 14_2_058C3448	14_2_058C3448
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 14_2_058C5758	14_2_058C5758
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 14_2_058C3770	14_2_058C3770
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 14_2_058C2088	14_2_058C2088
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 14_2_058C0007	14_2_058C0007
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 14_2_058C0040	14_2_058C0040
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 14_2_058C207E	14_2_058C207E
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 14_2_058C33A8	14_2_058C33A8
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 14_2_058C9FB8	14_2_058C9FB8
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 14_2_058C9FC8	14_2_058C9FC8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 17_2_00DBC034	17_2_00DBC034
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 17_2_00DBE638	17_2_00DBE638
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 17_2_00DBE62A	17_2_00DBE62A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 17_2_05010128	17_2_05010128
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 17_2_05010119	17_2_05010119
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_010BC034	19_2_010BC034
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_010BE638	19_2_010BE638
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_010BE635	19_2_010BE635
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_06CE3ABC	19_2_06CE3ABC

Source: tj9KzQvUFy.exe	Binary or memory string: OriginalFilename vs tj9KzQvUFy.exe
Source: tj9KzQvUFy.exe, 00000001.00000000.338234604.0000000000882000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameGregorianCalend.exeD vs tj9KzQvUFy.exe
Source: tj9KzQvUFy.exe, 00000001.00000002.380810422.0000000002C41000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTransactionalFileManager.dllf# vs tj9KzQvUFy.exe
Source: tj9KzQvUFy.exe, 00000001.00000002.382063003.0000000003C49000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dll@ vs tj9KzQvUFy.exe
Source: tj9KzQvUFy.exe	Binary or memory string: OriginalFilename vs tj9KzQvUFy.exe
Source: tj9KzQvUFy.exe, 00000009.00000002.610929952.0000000002CF1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs tj9KzQvUFy.exe
Source: tj9KzQvUFy.exe, 00000009.00000000.371504351.0000000000962000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameGregorianCalend.exeD vs tj9KzQvUFy.exe
Source: tj9KzQvUFy.exe, 00000009.00000002.613519812.0000000003CF9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs tj9KzQvUFy.exe
Source: tj9KzQvUFy.exe, 00000009.00000002.613519812.0000000003CF9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs tj9KzQvUFy.exe
Source: tj9KzQvUFy.exe, 00000009.00000002.609407868.0000000001039000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs tj9KzQvUFy.exe
Source: tj9KzQvUFy.exe	Binary or memory string: OriginalFilename vs tj9KzQvUFy.exe
Source: tj9KzQvUFy.exe, 0000000E.00000002.433144355.0000000000AA2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameGregorianCalend.exeD vs tj9KzQvUFy.exe
Source: tj9KzQvUFy.exe, 0000000E.00000002.437386781.0000000003FC9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dll@ vs tj9KzQvUFy.exe
Source: tj9KzQvUFy.exe, 0000000E.00000002.435389639.0000000002FC1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTransactionalFileManager.dllf# vs tj9KzQvUFy.exe
Source: tj9KzQvUFy.exe, 0000001A.00000000.423111771.0000000000282000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameGregorianCalend.exeD vs tj9KzQvUFy.exe
Source: tj9KzQvUFy.exe, 0000001B.00000000.425502834.0000000000F62000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameGregorianCalend.exeD vs tj9KzQvUFy.exe
Source: tj9KzQvUFy.exe, 0000001B.00000002.449610369.0000000003491000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs tj9KzQvUFy.exe
Source: tj9KzQvUFy.exe, 0000001B.00000002.449610369.0000000003491000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs tj9KzQvUFy.exe
Source: tj9KzQvUFy.exe, 0000001B.00000002.449720348.0000000004499000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs tj9KzQvUFy.exe
Source: tj9KzQvUFy.exe	Binary or memory string: OriginalFilenameGregorianCalend.exeD vs tj9KzQvUFy.exe

Source: tj9KzQvUFy.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: QWtzAVmnpKpJx.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dhcpmon.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: tj9KzQvUFy.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: QWtzAVmnpKpJx.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.9.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: tj9KzQvUFy.exe	Virustotal: Detection: 39%
Source: tj9KzQvUFy.exe	ReversingLabs: Detection: 56%

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe

File read: C:\Users\user\Desktop\tj9KzQvUFy.exe

Jump to behavior

Source: tj9KzQvUFy.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\tj9KzQvUFy.exe "C:\Users\user\Desktop\tj9KzQvUFy.exe"
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QWtzAVmnpKpJx" /XML "C:\Users\user\AppData\Local\Temp\tmp6B9E.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Users\user\Desktop\tj9KzQvUFy.exe C:\Users\user\Desktop\tj9KzQvUFy.exe
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpC635.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\tj9KzQvUFy.exe C:\Users\user\Desktop\tj9KzQvUFy.exe 0
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpCF6D.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QWtzAVmnpKpJx" /XML "C:\Users\user\AppData\Local\Temp\tmpB52A.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Users\user\Desktop\tj9KzQvUFy.exe C:\Users\user\Desktop\tj9KzQvUFy.exe
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Users\user\Desktop\tj9KzQvUFy.exe C:\Users\user\Desktop\tj9KzQvUFy.exe
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QWtzAVmnpKpJx" /XML "C:\Users\user\AppData\Local\Temp\tmp6B9E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Users\user\Desktop\tj9KzQvUFy.exe C:\Users\user\Desktop\tj9KzQvUFy.exe	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpC635.tmp	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpCF6D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QWtzAVmnpKpJx" /XML "C:\Users\user\AppData\Local\Temp\tmpB52A.tmp	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Users\user\Desktop\tj9KzQvUFy.exe C:\Users\user\Desktop\tj9KzQvUFy.exe	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Users\user\Desktop\tj9KzQvUFy.exe C:\Users\user\Desktop\tj9KzQvUFy.exe	Jump to behavior

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe

File created: C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe

Jump to behavior

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe

File created: C:\Users\user\AppData\Local\Temp\tmp6B9E.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@28/20@15/2

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: 9.0.tj9KzQvUFy.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 9.0.tj9KzQvUFy.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 9.0.tj9KzQvUFy.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 9.0.tj9KzQvUFy.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 9.0.tj9KzQvUFy.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 9.0.tj9KzQvUFy.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 9.0.tj9KzQvUFy.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 9.0.tj9KzQvUFy.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5420:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6328:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4680:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_01
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Mutant created: \Sessions\1\BaseNamedObjects\TeAmFsWqmCCfnjSfmWtiAYwUDWR
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_01
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{7b578534-8b04-4a5d-9eb5-d375830cf45d}

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: 9.0.tj9KzQvUFy.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.0.tj9KzQvUFy.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.0.tj9KzQvUFy.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.0.tj9KzQvUFy.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.0.tj9KzQvUFy.exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.0.tj9KzQvUFy.exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.0.tj9KzQvUFy.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.0.tj9KzQvUFy.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.0.tj9KzQvUFy.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: tj9KzQvUFy.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: tj9KzQvUFy.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: tj9KzQvUFy.exe, 00000009.00000003.557589778.0000000001119000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: tj9KzQvUFy.exe, 00000009.00000002.609929993.00000000010E4000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbpH source: tj9KzQvUFy.exe, 00000009.00000002.609929993.00000000010E4000.00000004.00000020.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 9.0.tj9KzQvUFy.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.tj9KzQvUFy.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.tj9KzQvUFy.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.tj9KzQvUFy.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.tj9KzQvUFy.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.tj9KzQvUFy.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.tj9KzQvUFy.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.tj9KzQvUFy.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 1_2_00889E29 push ss; ret	1_2_0088A15A
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 1_2_00889A32 push ds; ret	1_2_00889A4A
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 1_2_00883F55 push 0000006Fh; ret	1_2_00883F65
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 1_2_011341E0 push esp; retn 0002h	1_2_011341E2
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 1_2_01134219 push ebp; retn 0002h	1_2_0113421A
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 1_2_01134442 push edi; retn 0002h	1_2_0113444A
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 1_2_01134491 push edi; retn 0002h	1_2_01134492
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 1_2_0113B18F pushfd ; retn 0002h	1_2_0113B192
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 1_2_0113B1C1 pushfd ; retn 0002h	1_2_0113B1C2
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 1_2_0113B21F pushfd ; retn 0002h	1_2_0113B222
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 1_2_0113B24F pushfd ; retn 0002h	1_2_0113B252
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 1_2_0113B27F pushfd ; retn 0002h	1_2_0113B282
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 9_2_00969A32 push ds; ret	9_2_00969A4A
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 9_2_00969E29 push ss; ret	9_2_0096A15A
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 9_2_00963F55 push 0000006Fh; ret	9_2_00963F65
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 9_2_052CB5E0 push eax; retf	9_2_052CB5ED
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 9_2_052C69F8 pushad ; retf	9_2_052C69F9
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 14_2_00AA9E29 push ss; ret	14_2_00AAA15A
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 14_2_00AA9A32 push ds; ret	14_2_00AA9A4A
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 14_2_00AA3F55 push 0000006Fh; ret	14_2_00AA3F65
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Code function: 14_2_058C1368 push eax; iretd	14_2_058C1591
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 17_2_005C3F55 push 0000006Fh; ret	17_2_005C3F65
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 17_2_005C9A32 push ds; ret	17_2_005C9A4A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 17_2_005C9E29 push ss; ret	17_2_005CA15A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 17_2_00DB8032 pushfd ; iretd	17_2_00DB803D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_00809E29 push ss; ret	19_2_0080A15A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_00809A32 push ds; ret	19_2_00809A4A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_00803F55 push 0000006Fh; ret	19_2_00803F65
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_010B803C pushfd ; iretd	19_2_010B803D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_06CE2260 push es; iretd	19_2_06CE22B4

Source: initial sample	Static PE information: section name: .text entropy: 7.91653185027
Source: initial sample	Static PE information: section name: .text entropy: 7.91653185027
Source: initial sample	Static PE information: section name: .text entropy: 7.91653185027

Source: 9.0.tj9KzQvUFy.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 9.0.tj9KzQvUFy.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 9.0.tj9KzQvUFy.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 9.0.tj9KzQvUFy.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 9.0.tj9KzQvUFy.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 9.0.tj9KzQvUFy.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 9.0.tj9KzQvUFy.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 9.0.tj9KzQvUFy.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	File created: C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe			Jump to dropped file
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QWtzAVmnpKpJx" /XML "C:\Users\user\AppData\Local\Temp\tmp6B9E.tmp

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe

File opened: C:\Users\user\Desktop\tj9KzQvUFy.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 1.2.tj9KzQvUFy.exe.2c617a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.tj9KzQvUFy.exe.2fe17a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.dhcpmon.exe.2ae18e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.2ce18e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.405648724.0000000002AC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.380810422.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.435389639.0000000002FC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.381024024.0000000002D5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.436014172.00000000030EB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.428142089.0000000002CC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tj9KzQvUFy.exe PID: 7016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tj9KzQvUFy.exe PID: 5776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 7072, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: tj9KzQvUFy.exe, 00000001.00000002.380810422.0000000002C41000.00000004.00000001.sdmp, tj9KzQvUFy.exe, 0000000E.00000002.435389639.0000000002FC1000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.405648724.0000000002AC1000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.428142089.0000000002CC1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: tj9KzQvUFy.exe, 00000001.00000002.380810422.0000000002C41000.00000004.00000001.sdmp, tj9KzQvUFy.exe, 0000000E.00000002.435389639.0000000002FC1000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000002.405648724.0000000002AC1000.00000004.00000001.sdmp, dhcpmon.exe, 00000013.00000002.428142089.0000000002CC1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe TID: 7020	Thread sleep time: -38520s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe TID: 7092	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 604	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe TID: 6760	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe TID: 5764	Thread sleep time: -36062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe TID: 6564	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6820	Thread sleep time: -34085s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6736	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7068	Thread sleep time: -36772s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 3180	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3532	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe TID: 4540	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6581	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2060	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Window / User API: threadDelayed 5045	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Window / User API: threadDelayed 4443	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Window / User API: foregroundWindowGot 762	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6128
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2616

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Thread delayed: delay time: 38520	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Thread delayed: delay time: 36062	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 34085
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 36772
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Thread delayed: delay time: 922337203685477

Source: dhcpmon.exe, 00000013.00000002.428142089.0000000002CC1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: tj9KzQvUFy.exe, 00000009.00000002.609929993.00000000010E4000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: tj9KzQvUFy.exe, 0000000E.00000002.440717720.0000000007DC0000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: dhcpmon.exe, 00000013.00000002.428142089.0000000002CC1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000013.00000002.428142089.0000000002CC1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: dhcpmon.exe, 00000013.00000002.428142089.0000000002CC1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe	Jump to behavior

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QWtzAVmnpKpJx" /XML "C:\Users\user\AppData\Local\Temp\tmp6B9E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Users\user\Desktop\tj9KzQvUFy.exe C:\Users\user\Desktop\tj9KzQvUFy.exe	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpC635.tmp	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpCF6D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QWtzAVmnpKpJx" /XML "C:\Users\user\AppData\Local\Temp\tmpB52A.tmp	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Users\user\Desktop\tj9KzQvUFy.exe C:\Users\user\Desktop\tj9KzQvUFy.exe	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Process created: C:\Users\user\Desktop\tj9KzQvUFy.exe C:\Users\user\Desktop\tj9KzQvUFy.exe	Jump to behavior

Source: tj9KzQvUFy.exe, 00000009.00000002.611406118.0000000002DED000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: tj9KzQvUFy.exe, 00000009.00000002.610483288.00000000016F0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: tj9KzQvUFy.exe, 00000009.00000002.610483288.00000000016F0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: tj9KzQvUFy.exe, 00000009.00000002.610483288.00000000016F0000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: tj9KzQvUFy.exe, 00000009.00000002.610483288.00000000016F0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: tj9KzQvUFy.exe, 00000009.00000002.611965077.0000000002ED8000.00000004.00000001.sdmp	Binary or memory string: Program Manager0g

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Users\user\Desktop\tj9KzQvUFy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Users\user\Desktop\tj9KzQvUFy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Users\user\Desktop\tj9KzQvUFy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Users\user\Desktop\tj9KzQvUFy.exe VolumeInformation
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\tj9KzQvUFy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\tj9KzQvUFy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.6470000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tj9KzQvUFy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.tj9KzQvUFy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.3d405fc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.tj9KzQvUFy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.tj9KzQvUFy.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tj9KzQvUFy.exe.3d32458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.tj9KzQvUFy.exe.44e05fc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.tj9KzQvUFy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.tj9KzQvUFy.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tj9KzQvUFy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.3d44c25.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.tj9KzQvUFy.exe.40b2458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.6470000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tj9KzQvUFy.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.tj9KzQvUFy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.tj9KzQvUFy.exe.44db7c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.tj9KzQvUFy.exe.40e5078.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tj9KzQvUFy.exe.3de55e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.3d3b7c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.tj9KzQvUFy.exe.44e05fc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.3d405fc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.6474629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tj9KzQvUFy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.tj9KzQvUFy.exe.44e4c25.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tj9KzQvUFy.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tj9KzQvUFy.exe.3d65078.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tj9KzQvUFy.exe.3d65078.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tj9KzQvUFy.exe.3d32458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.tj9KzQvUFy.exe.41655e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.tj9KzQvUFy.exe.40e5078.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.tj9KzQvUFy.exe.40b2458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.448411736.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.377573313.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.428587320.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.610929952.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.430610675.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.449720348.0000000004499000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.449610369.0000000003491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.607967437.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.370237715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.437386781.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.382063003.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.378298727.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.429163974.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.613519812.0000000003CF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.376991452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.429929302.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.616228293.0000000006470000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tj9KzQvUFy.exe PID: 7016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tj9KzQvUFy.exe PID: 6192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tj9KzQvUFy.exe PID: 5776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tj9KzQvUFy.exe PID: 4804, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: tj9KzQvUFy.exe, 00000001.00000002.382063003.0000000003C49000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: tj9KzQvUFy.exe, 00000009.00000002.610929952.0000000002CF1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: tj9KzQvUFy.exe, 00000009.00000002.610929952.0000000002CF1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: tj9KzQvUFy.exe, 0000000E.00000002.437386781.0000000003FC9000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: tj9KzQvUFy.exe, 0000001B.00000002.448411736.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: tj9KzQvUFy.exe, 0000001B.00000002.449610369.0000000003491000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.6470000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tj9KzQvUFy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.tj9KzQvUFy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.3d405fc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.tj9KzQvUFy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.tj9KzQvUFy.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tj9KzQvUFy.exe.3d32458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.tj9KzQvUFy.exe.44e05fc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.tj9KzQvUFy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.tj9KzQvUFy.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tj9KzQvUFy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.3d44c25.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.tj9KzQvUFy.exe.40b2458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.6470000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tj9KzQvUFy.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.tj9KzQvUFy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.tj9KzQvUFy.exe.44db7c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.tj9KzQvUFy.exe.40e5078.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tj9KzQvUFy.exe.3de55e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.3d3b7c6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.tj9KzQvUFy.exe.44e05fc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.3d405fc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tj9KzQvUFy.exe.6474629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tj9KzQvUFy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.tj9KzQvUFy.exe.44e4c25.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tj9KzQvUFy.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tj9KzQvUFy.exe.3d65078.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tj9KzQvUFy.exe.3d65078.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tj9KzQvUFy.exe.3d32458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.tj9KzQvUFy.exe.41655e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.tj9KzQvUFy.exe.40e5078.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.tj9KzQvUFy.exe.40b2458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.448411736.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.377573313.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.428587320.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.610929952.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.430610675.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.449720348.0000000004499000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.449610369.0000000003491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.607967437.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.370237715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.437386781.0000000003FC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.382063003.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.378298727.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.429163974.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.613519812.0000000003CF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.376991452.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.429929302.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.616228293.0000000006470000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tj9KzQvUFy.exe PID: 7016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tj9KzQvUFy.exe PID: 6192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tj9KzQvUFy.exe PID: 5776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tj9KzQvUFy.exe PID: 4804, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection12	Masquerading2	Input Capture21	Security Software Discovery21	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools11	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
tj9KzQvUFy.exe	40%	Virustotal		Browse
tj9KzQvUFy.exe	57%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	57%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe	57%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
27.2.tj9KzQvUFy.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
27.0.tj9KzQvUFy.exe.400000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
9.0.tj9KzQvUFy.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
9.2.tj9KzQvUFy.exe.6470000.8.unpack	100%	Avira	TR/NanoCore.fadte	Download File
27.0.tj9KzQvUFy.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
27.0.tj9KzQvUFy.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
27.0.tj9KzQvUFy.exe.400000.12.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
9.0.tj9KzQvUFy.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
9.0.tj9KzQvUFy.exe.400000.10.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
27.0.tj9KzQvUFy.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
9.0.tj9KzQvUFy.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
9.2.tj9KzQvUFy.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
9.0.tj9KzQvUFy.exe.400000.12.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.rbadams.com/Automation/Sequence	0%	Avira URL Cloud	safe
http://www.rbadams.com/Automation/JobCollectionT	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.rbadams.com/Automation/ConfigurationT	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.rbadams.com/Automation/Job	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.rbadams.com/Automation/JobQ	0%	Avira URL Cloud	safe
http://www.rbadams.com/Automation/JobT	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.rbadams.com/Automation/JobCollectionN	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.chinhdo.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.rbadams.com/Automation/JobCollectionK	0%	Avira URL Cloud	safe
http://www.rbadams.com/Automation/JobD	0%	Avira URL Cloud	safe
http://www.rbadams.com/Automation/PackageT	0%	Avira URL Cloud	safe
http://www.rbadams.com/Automation/SequenceT	0%	Avira URL Cloud	safe
http://www.rbadams.com/Automation/SequenceI	0%	Avira URL Cloud	safe
http://www.rbadams.com/Automation/JobCollection	0%	Avira URL Cloud	safe
http://www.rbadams.com/Automation/ISO	0%	Avira URL Cloud	safe
http://www.rbadams.com/Automation/Configuration	0%	Avira URL Cloud	safe
http://www.rbadams.com/Automation/PackageA	0%	Avira URL Cloud	safe
http://www.rbadams.com/Automation/PackageH	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.rbadams.com/Automation/ISOT	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.rbadams.com/Automation/Configuration6	0%	Avira URL Cloud	safe
http://www.rbadams.com/Automation/JobCollection#JobCollection.xsdKhttp://www.rbadams.com/Automation/	0%	Avira URL Cloud	safe
http://www.rbadams.com/Automation/ISOD	0%	Avira URL Cloud	safe
http://www.rbadams.com/Automation/Package	0%	Avira URL Cloud	safe
http://www.rbadams.com/Automation/ISOG	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
6262.hopto.org	185.140.53.131	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.rbadams.com/Automation/Sequence	tj9KzQvUFy.exe	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false		high
http://www.rbadams.com/Automation/JobCollectionT	tj9KzQvUFy.exe	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.rbadams.com/Automation/ConfigurationT	tj9KzQvUFy.exe	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.rbadams.com/Automation/Job	dhcpmon.exe	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.rbadams.com/Automation/JobQ	tj9KzQvUFy.exe	false	Avira URL Cloud: safe	unknown
http://www.rbadams.com/Automation/JobT	tj9KzQvUFy.exe	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.rbadams.com/Automation/JobCollectionN	tj9KzQvUFy.exe	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.chinhdo.com	dhcpmon.exe, 00000013.00000002.428142089.0000000002CC1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	tj9KzQvUFy.exe, 00000001.00000002.380810422.0000000002C41000.00000004.00000001.sdmp, tj9KzQvUFy.exe, 0000000E.00000002.435389639.0000000002FC1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.rbadams.com/Automation/JobCollectionK	tj9KzQvUFy.exe	false	Avira URL Cloud: safe	unknown
http://www.rbadams.com/Automation/JobD	tj9KzQvUFy.exe	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	tj9KzQvUFy.exe, 00000001.00000002.380523369.0000000001157000.00000004.00000040.sdmp	false		high
http://www.rbadams.com/Automation/PackageT	tj9KzQvUFy.exe	false	Avira URL Cloud: safe	unknown
http://www.rbadams.com/Automation/SequenceT	tj9KzQvUFy.exe	false	Avira URL Cloud: safe	unknown
http://www.rbadams.com/Automation/SequenceI	tj9KzQvUFy.exe	false	Avira URL Cloud: safe	unknown
http://www.rbadams.com/Automation/JobCollection	dhcpmon.exe	false	Avira URL Cloud: safe	unknown
http://www.rbadams.com/Automation/ISO	tj9KzQvUFy.exe	false	Avira URL Cloud: safe	unknown
http://www.rbadams.com/Automation/Configuration	tj9KzQvUFy.exe	false	Avira URL Cloud: safe	unknown
http://www.rbadams.com/Automation/PackageA	tj9KzQvUFy.exe	false	Avira URL Cloud: safe	unknown
http://www.rbadams.com/Automation/PackageH	tj9KzQvUFy.exe	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false		high
http://www.rbadams.com/Automation/ISOT	tj9KzQvUFy.exe	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	tj9KzQvUFy.exe, 00000001.00000002.384599954.0000000006DA2000.00000004.00000001.sdmp	false		high
http://www.rbadams.com/Automation/Configuration6	tj9KzQvUFy.exe	false	Avira URL Cloud: safe	unknown
http://www.rbadams.com/Automation/JobCollection#JobCollection.xsdKhttp://www.rbadams.com/Automation/	tj9KzQvUFy.exe	false	Avira URL Cloud: safe	unknown
http://www.rbadams.com/Automation/ISOD	tj9KzQvUFy.exe	false	Avira URL Cloud: safe	unknown
http://www.rbadams.com/Automation/Package	tj9KzQvUFy.exe	false	Avira URL Cloud: safe	unknown
http://www.rbadams.com/Automation/ISOG	tj9KzQvUFy.exe	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.140.53.131	6262.hopto.org	Sweden		209623	DAVID_CRAIGGG	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	527671
Start date:	24.11.2021
Start time:	08:37:06
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	tj9KzQvUFy.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@28/20@15/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 109 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:38:10	API Interceptor	819x Sleep call for process: tj9KzQvUFy.exe modified
08:38:15	API Interceptor	67x Sleep call for process: powershell.exe modified
08:38:26	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\tj9KzQvUFy.exe" s>$(Arg0)
08:38:26	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
08:38:28	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
08:38:31	API Interceptor	2x Sleep call for process: dhcpmon.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\Desktop\tj9KzQvUFy.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	656384
Entropy (8bit):	7.557907415976326
Encrypted:	false
SSDEEP:	12288:CBC1JfxsMZulg8mcbX9ON+iKFLfRcEvFU/vuRPAaQ:fxsMI2HN+LDGAFOuR
MD5:	E8AE42CFAAFD650A14285AAF700D1F2B
SHA1:	D4DA7FB39E1EF6AA56B01173EBB48FBD80ACB416
SHA-256:	C398EC8923C9DE2FE4FF2B9804F41663B1E929B22B3EE848576014F89663618A
SHA-512:	F035210CE60458C44925E88710D06EA51008A1174AD9B9C5D5FE39CD6875FC3662E537986D2487E91E8F17B9999F54C782D5EA6CB0A3E7561B03C7FEF5EFB724
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 57%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.a..............0..8...........V... ...`....@.. .......................`............@.................................pV..O....`..L....................@....................................................... ............... ..H............text....6... ...8.................. ..`.rsrc...L....`.......:..............@..@.reloc.......@......................@..B.................V......H.......dq..d....... ........Y............................................{...."..}......{...."..}......{...."..}......{...."..}.....0../........(.......(!............o"...(......(#...(.....F.(........(.....F.(........(.....J..(........(.....N...(........(.....".(.......{...."..}....&.(......F.(........(.......{...."..}....F.(........(.....^.(........}......}......($......s%...}.....s&...}......}......}......}....*.0.. ........(............,...{.....o'..

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\tj9KzQvUFy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.345651901398759
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
MD5:	D918C6A765EDB90D2A227FE23A3FEC98
SHA1:	8BA802AD8D740F114783F0DADC407CBFD2A209B3
SHA-256:	AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
SHA-512:	A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tj9KzQvUFy.exe.log Download File
Process:	C:\Users\user\Desktop\tj9KzQvUFy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1310
Entropy (8bit):	5.345651901398759
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
MD5:	D918C6A765EDB90D2A227FE23A3FEC98
SHA1:	8BA802AD8D740F114783F0DADC407CBFD2A209B3
SHA-256:	AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
SHA-512:	A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22368
Entropy (8bit):	5.601656421547212
Encrypted:	false
SSDEEP:	384:VtCDCN0dVe3zsdNg90C+cVS0nEjultIiDpaeQ99gtv7cxST1MaDZlbAV7nO6bS5M:n3zaNcjTECltdFat8xZCSfwYVk
MD5:	908EAC3BC9797FAA28DBB0402D7EBAB1
SHA1:	E2282CFA40FD83CAE6EC4B338F102A1F23B53B9C
SHA-256:	BBA6257BA15067DF4E23C9BAB8294CF37A471C195525C5BDCFDFC25563B1E7B2
SHA-512:	F22C3A986102873C9028FD7230F92A4B648A0B748849547A0EF9CBB9A89274711F7D1F0E4B26ABF93A0A8C4371A5CCC5A6DD2FCBA91435A294FA455D503F0ED0
Malicious:	false
Reputation:	unknown
Preview:	@...e...............................\...E.j..........@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ahb5yvq.3r5.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nodjwuc1.fnh.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nuajyn5n.loo.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tgnudcr1.dt0.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp6B9E.tmp Download File
Process:	C:\Users\user\Desktop\tj9KzQvUFy.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1612
Entropy (8bit):	5.131364452417027
Encrypted:	false
SSDEEP:	24:2di4+S2qh/S1K2ky1mo2dUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLi+xvn:cgea6YrFdOFzOzN33ODOiDdKrsuT+yv
MD5:	925190C2D78ECC86CF5154CCE6EBD9D4
SHA1:	EA86B51097422034A90129288EFCB2ACA009DFC3
SHA-256:	A55E12F841E438D6ABD5D348618D2322EE0CE5B533D570CBDDA2FA039ED1966E
SHA-512:	D1405C005192FF823537AC13BD48C4D942748B3B084E2638D37232555188B6EDAFD35A3F65946A1B8268D54152E69DC65DFAFB458708A48C581040C65FFDB34B
Malicious:	true
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailab

C:\Users\user\AppData\Local\Temp\tmpB52A.tmp Download File
Process:	C:\Users\user\Desktop\tj9KzQvUFy.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1612
Entropy (8bit):	5.131364452417027
Encrypted:	false
SSDEEP:	24:2di4+S2qh/S1K2ky1mo2dUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLi+xvn:cgea6YrFdOFzOzN33ODOiDdKrsuT+yv
MD5:	925190C2D78ECC86CF5154CCE6EBD9D4
SHA1:	EA86B51097422034A90129288EFCB2ACA009DFC3
SHA-256:	A55E12F841E438D6ABD5D348618D2322EE0CE5B533D570CBDDA2FA039ED1966E
SHA-512:	D1405C005192FF823537AC13BD48C4D942748B3B084E2638D37232555188B6EDAFD35A3F65946A1B8268D54152E69DC65DFAFB458708A48C581040C65FFDB34B
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailab

C:\Users\user\AppData\Local\Temp\tmpC635.tmp Download File
Process:	C:\Users\user\Desktop\tj9KzQvUFy.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1303
Entropy (8bit):	5.118393522725328
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Vk8xtn:cbk4oL600QydbQxIYODOLedq398j
MD5:	6EC593E46F7BEE4B30DD57AE5BAB2952
SHA1:	1BB562C3F8C681255432DE611B861228B452D592
SHA-256:	FA4649283C310D4CB5B284F9A502926920FBDC809D2779B61F0EC210C614A76B
SHA-512:	80E15A3185FEE61670524055910544BA7A51A350F97E5D9B542BE12E277B8023BFF80E77433C3036C899FFD39CB850BD5FBF1CF2C8CC2DDBAE7E3A389B448EC7
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpCF6D.tmp Download File
Process:	C:\Users\user\Desktop\tj9KzQvUFy.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\tj9KzQvUFy.exe
File Type:	data
Category:	modified
Size (bytes):	232
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5:	32D0AAE13696FF7F8AF33B2D22451028
SHA1:	EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256:	5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512:	1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious:	false
Reputation:	unknown
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\tj9KzQvUFy.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:fL:D
MD5:	21450A64CFEC3970CF69AE13E3D9E3A4
SHA1:	BBDFE38F21DDC5BD006B95DA332449514DDFD9CB
SHA-256:	59835E723F60578EBDAF479249B29E20BB1EE34E38051A97316B2DE28D8C7E60
SHA-512:	10543C186E8209618F66CBA6C624B3FFB4DFCA746CD19660961A9EDB1DC1605A48BB2AC2265B3D246F1AC8D84FD95F1C9EEE5C15D0D4662D4A9E4D962FD0D7AC
Malicious:	true
Reputation:	unknown
Preview:	.<..h..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Users\user\Desktop\tj9KzQvUFy.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.311768795973195
Encrypted:	false
SSDEEP:	3:oNN2+WRP30z4An:oNN2R9K4An
MD5:	CF30FCEA281280CCA6A52A926336FCFD
SHA1:	20FD692C9E954DC6BEC262E4EB0D99BB02368CA2
SHA-256:	D9A538B7F915D5533151EF2E6E4ACADF4500FFE242CBA4991582E1F5B5441898
SHA-512:	C60027433E01198116F6C4A69A2AAD3897A4627645C12E9520D221386AC6988C4EED7BBEFAFA864AA54AB92BF114005B925B7899CD55C6D10315BA221B22F9C3
Malicious:	false
Reputation:	unknown
Preview:	C:\Users\user\Desktop\tj9KzQvUFy.exe

C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe Download File
Process:	C:\Users\user\Desktop\tj9KzQvUFy.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	656384
Entropy (8bit):	7.557907415976326
Encrypted:	false
SSDEEP:	12288:CBC1JfxsMZulg8mcbX9ON+iKFLfRcEvFU/vuRPAaQ:fxsMI2HN+LDGAFOuR
MD5:	E8AE42CFAAFD650A14285AAF700D1F2B
SHA1:	D4DA7FB39E1EF6AA56B01173EBB48FBD80ACB416
SHA-256:	C398EC8923C9DE2FE4FF2B9804F41663B1E929B22B3EE848576014F89663618A
SHA-512:	F035210CE60458C44925E88710D06EA51008A1174AD9B9C5D5FE39CD6875FC3662E537986D2487E91E8F17B9999F54C782D5EA6CB0A3E7561B03C7FEF5EFB724
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 57%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.a..............0..8...........V... ...`....@.. .......................`............@.................................pV..O....`..L....................@....................................................... ............... ..H............text....6... ...8.................. ..`.rsrc...L....`.......:..............@..@.reloc.......@......................@..B.................V......H.......dq..d....... ........Y............................................{...."..}......{...."..}......{...."..}......{...."..}.....0../........(.......(!............o"...(......(#...(.....F.(........(.....F.(........(.....J..(........(.....N...(........(.....".(.......{...."..}....&.(......F.(........(.......{...."..}....F.(........(.....^.(........}......}......($......s%...}.....s&...}......}......}......}....*.0.. ........(............,...{.....o'..

C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\tj9KzQvUFy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20211124\PowerShell_transcript.364339.QLt3jixE.20211124083814.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5831
Entropy (8bit):	5.381220662105565
Encrypted:	false
SSDEEP:	96:BZQTL6NyqDo1ZbZVTL6NyqDo1ZbzN7jZ2TL6NyqDo1ZkOrriZ5:m
MD5:	8A0E01BBF093912B164C9DC567CA73DB
SHA1:	E1CF369CEE596486CB3CD86C99DF372E37697402
SHA-256:	B73C0BF752A153BC02FCDE4BA57B6E50F56B48510DFC631254B0DD57FB23BB72
SHA-512:	F98FE2A6ED252B26C4DF6DF71C08A7AEF03BC6EB60B55A6CD8E1D0EA661075C0058F37BF4CCB8CB56254C1BC33C619010581570B1F1AE4EE06823A18CA3BAB4C
Malicious:	false
Reputation:	unknown
Preview:	.********************..Windows PowerShell transcript start..Start time: 20211124083815..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 364339 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe..Process ID: 6344..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20211124083815..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe..********************..Windows PowerShell transcript start..Start time: 20211124084134..Username: computer\user..RunAs User:

C:\Users\user\Documents\20211124\PowerShell_transcript.364339.eUfTHFx+.20211124083835.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5831
Entropy (8bit):	5.381836446497762
Encrypted:	false
SSDEEP:	96:BZyTL6NAqDo1Z9Z+pTL6NAqDo1ZnzN7jZ8TL6NAqDo1ZZOrrGZJ:pW
MD5:	A7B74313CCFD915447AACDDABD94D045
SHA1:	AC28C49C99D693D7EC07ACAC629CBA7906905D38
SHA-256:	57DB0B95119111E11B318DFA2082B7CF2C3B14675165CA617BEC6C55C5775EE7
SHA-512:	A0A0A3635F6A398DCDA8435F029B08C25AE23094632F8D2CD1C794701F969994735B87ED05E608EAA7EEAECDA2FA27E75EBCF60928B97DE5D4FED27071D382A0
Malicious:	false
Reputation:	unknown
Preview:	.********************..Windows PowerShell transcript start..Start time: 20211124083840..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 364339 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe..Process ID: 7064..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20211124083840..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe..********************..Windows PowerShell transcript start..Start time: 20211124084256..Username: computer\user..RunAs User:

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.557907415976326
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	tj9KzQvUFy.exe
File size:	656384
MD5:	e8ae42cfaafd650a14285aaf700d1f2b
SHA1:	d4da7fb39e1ef6aa56b01173ebb48fbd80acb416
SHA256:	c398ec8923c9de2fe4ff2b9804f41663b1e929b22b3ee848576014f89663618a
SHA512:	f035210ce60458c44925e88710d06ea51008a1174ad9b9c5d5fe39cd6875fc3662e537986d2487e91e8f17b9999f54c782d5ea6cb0a3e7561b03c7fef5efb724
SSDEEP:	12288:CBC1JfxsMZulg8mcbX9ON+iKFLfRcEvFU/vuRPAaQ:fxsMI2HN+LDGAFOuR
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.a..............0..8...........V... ...`....@.. .......................`............@................................

File Icon


Icon Hash:	e8868692b296f030

Static PE Info

General
Entrypoint:	0x4756c2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6197519F [Fri Nov 19 07:26:23 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [esi+00h], ah
add byte ptr [eax], al
push ebp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x75670	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x76000	0x2c64c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x736d8	0x73800	False	0.932974414908	data	7.91653185027	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x76000	0x2c64c	0x2c800	False	0.270985121138	data	5.66808975489	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa4000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x762e0	0x452d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x7a810	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0x8b038	0x94a8	data
RT_ICON	0x944e0	0x5488	data
RT_ICON	0x99968	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 57599, next used block 4278648832
RT_ICON	0x9db90	0x25a8	data
RT_ICON	0xa0138	0x10a8	data
RT_ICON	0xa11e0	0x988	data
RT_ICON	0xa1b68	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xa1fd0	0x84	data
RT_GROUP_ICON	0xa2054	0x84	data
RT_VERSION	0xa20d8	0x386	data
RT_MANIFEST	0xa2460	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2010 Ryan Adams
Assembly Version	0.7.12.3
InternalName	GregorianCalend.exe
FileVersion	0.7.12.0
CompanyName	Ryan Adams
LegalTrademarks
Comments
ProductName	JobManagerMonitor
ProductVersion	0.7.12.0
FileDescription	JobManagerMonitor
OriginalFilename	GregorianCalend.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/24/21-08:38:29.508269	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49757	6262	192.168.2.6	185.140.53.131
11/24/21-08:38:36.025646	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49758	6262	192.168.2.6	185.140.53.131
11/24/21-08:38:45.099934	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	60342	8.8.8.8	192.168.2.6
11/24/21-08:38:45.380386	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49759	6262	192.168.2.6	185.140.53.131
11/24/21-08:38:52.040276	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	56023	8.8.8.8	192.168.2.6
11/24/21-08:38:52.292564	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49762	6262	192.168.2.6	185.140.53.131
11/24/21-08:38:59.173830	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	60261	8.8.8.8	192.168.2.6
11/24/21-08:38:59.415917	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49766	6262	192.168.2.6	185.140.53.131
11/24/21-08:39:05.760961	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	58336	8.8.8.8	192.168.2.6
11/24/21-08:39:05.972486	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49772	6262	192.168.2.6	185.140.53.131
11/24/21-08:39:13.011030	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49775	6262	192.168.2.6	185.140.53.131
11/24/21-08:39:19.940148	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	49694	8.8.8.8	192.168.2.6
11/24/21-08:39:20.153679	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49795	6262	192.168.2.6	185.140.53.131
11/24/21-08:39:26.974417	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	63718	8.8.8.8	192.168.2.6
11/24/21-08:39:27.210586	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49811	6262	192.168.2.6	185.140.53.131
11/24/21-08:39:34.151963	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49816	6262	192.168.2.6	185.140.53.131
11/24/21-08:39:42.384893	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49819	6262	192.168.2.6	185.140.53.131
11/24/21-08:39:49.673241	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49844	6262	192.168.2.6	185.140.53.131
11/24/21-08:39:56.347222	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	51818	8.8.8.8	192.168.2.6
11/24/21-08:39:56.652893	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49845	6262	192.168.2.6	185.140.53.131
11/24/21-08:40:03.510735	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49847	6262	192.168.2.6	185.140.53.131
11/24/21-08:40:10.253712	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	53799	8.8.8.8	192.168.2.6
11/24/21-08:40:11.184129	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49848	6262	192.168.2.6	185.140.53.131

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2021 08:38:29.222148895 CET	49757	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:29.431402922 CET	6262	49757	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:29.431705952 CET	49757	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:29.508269072 CET	49757	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:29.810460091 CET	6262	49757	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:29.812140942 CET	49757	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:30.204483032 CET	6262	49757	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:30.206371069 CET	49757	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:30.433084965 CET	6262	49757	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:30.547096968 CET	49757	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:30.578217983 CET	49757	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:30.997946024 CET	6262	49757	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:31.022892952 CET	49757	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:31.323649883 CET	6262	49757	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:31.326693058 CET	6262	49757	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:31.326801062 CET	49757	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:31.528883934 CET	6262	49757	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:31.529509068 CET	6262	49757	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:31.533266068 CET	49757	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:31.533677101 CET	6262	49757	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:31.537024021 CET	6262	49757	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:31.537302017 CET	49757	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:31.631156921 CET	49757	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:31.949712992 CET	6262	49757	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:31.950995922 CET	49757	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:31.953058004 CET	6262	49757	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:31.953854084 CET	49757	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:31.956219912 CET	6262	49757	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:31.958234072 CET	49757	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:31.960278988 CET	6262	49757	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:31.962898970 CET	49757	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:31.964411974 CET	6262	49757	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:31.964879036 CET	49757	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:31.982530117 CET	6262	49757	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:31.982860088 CET	49757	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:31.983300924 CET	6262	49757	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:31.983359098 CET	6262	49757	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:31.985054016 CET	49757	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:35.800661087 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:36.009423018 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:36.009541035 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:36.025645971 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:36.609468937 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:36.645482063 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:36.647568941 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:36.811260939 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:36.955769062 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:36.957556009 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:37.363500118 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:39.738795996 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:39.987518072 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:39.987642050 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:39.996449947 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:39.996512890 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.197299004 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.205388069 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.205442905 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.229149103 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.234963894 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.235090017 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.408555031 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.415054083 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.415155888 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.454376936 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.454423904 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.454534054 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.506983995 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.508802891 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.508889914 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.531565905 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.540615082 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.540689945 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.624398947 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.633543015 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.633630991 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.641038895 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.661613941 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.661704063 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.675398111 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.685223103 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.685319901 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.744438887 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.753174067 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.753227949 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.876444101 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.876513004 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.876578093 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.900340080 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.920025110 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.920101881 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.939883947 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.939928055 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.939964056 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.940450907 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.943018913 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.945420980 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.945483923 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.949542999 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.949605942 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.967629910 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.967673063 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.967705965 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.967741013 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.968827009 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.968890905 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.985605001 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.985712051 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.990437031 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.990525961 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.991266966 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.991303921 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.991343021 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.991363049 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:40.991390944 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:40.991413116 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:41.011787891 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:41.011858940 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:41.012470961 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:41.012533903 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:41.017465115 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:41.017576933 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:41.055375099 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:41.055440903 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:41.069184065 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:41.069219112 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:41.069242001 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:41.069252968 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:41.069288969 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:41.115235090 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:41.115274906 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:41.115298986 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:41.115305901 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:41.115329027 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:41.115345001 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:41.117465973 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:41.117542028 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:41.120057106 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:41.120126963 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:41.144649982 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:41.145078897 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:41.149410963 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:41.149496078 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:41.150643110 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:41.151596069 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:41.154558897 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:41.157809973 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:41.157922029 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:41.162436008 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:41.162791014 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:41.165695906 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:41.167409897 CET	6262	49758	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:41.167490005 CET	49758	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:45.101769924 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:45.379494905 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:45.379623890 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:45.380386114 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:45.733392954 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:45.733769894 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:46.009975910 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:46.010157108 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:46.409724951 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:46.409917116 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:46.652611971 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:46.655623913 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:46.656378031 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:46.871355057 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:46.875371933 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:46.875468969 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:46.879358053 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:46.884324074 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:46.886610031 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:46.955054998 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.079031944 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.079113007 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.083081007 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.083182096 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.087167025 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.087215900 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.091226101 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.091284037 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.145392895 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.145482063 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.150969982 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.151024103 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.155081987 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.155307055 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.159265041 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.159396887 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.291327953 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.291356087 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.291371107 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.291414022 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.292834044 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.293220997 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.296202898 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.317478895 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.317581892 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.321773052 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.322453022 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.322508097 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.363567114 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.364243031 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.365576982 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.401366949 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.401949883 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.402004957 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.402823925 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.407027006 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.407124043 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.411123037 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.415467978 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.415528059 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.503387928 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.507365942 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.508445978 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.511620045 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.515726089 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.516617060 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.535501957 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.539813995 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.539848089 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.539881945 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.540488958 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.540572882 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.545557976 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.564443111 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.564573050 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.568614960 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.570883036 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.571243048 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.573406935 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.577555895 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.577641964 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.597424984 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.602411985 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.602493048 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.607260942 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.620469093 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.622313976 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.626919985 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.631086111 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.631114006 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.631181002 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.632554054 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.632620096 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.635078907 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.657298088 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.657357931 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.661453009 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.665451050 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.667143106 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.667196035 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.669609070 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.669701099 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.687207937 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.687244892 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.687262058 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.687325001 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.689426899 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.692318916 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.693538904 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.723162889 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.723220110 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.727188110 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.731410980 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.731488943 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.805639029 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.811301947 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.812110901 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.815442085 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.820528984 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.820616961 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.839349031 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.843265057 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.845479012 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.847408056 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.856389999 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.856421947 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.856518030 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.859612942 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.859793901 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.877681017 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.877717018 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.877733946 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.877794027 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.930816889 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.930938005 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.937381029 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.954898119 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.960623026 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.960645914 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.960661888 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.960727930 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.965538025 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.965631962 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.969603062 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.969877005 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.975301981 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.975420952 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.979605913 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.979669094 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.983616114 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.983705044 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.987613916 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.987693071 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.992183924 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.992255926 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:47.997503996 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:47.998325109 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.001458883 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.003513098 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.005506992 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.005577087 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.009502888 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.012407064 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.013562918 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.013698101 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.035068989 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.036782026 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.038942099 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.038974047 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.041966915 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.047059059 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.047497988 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.056348085 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.056377888 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.056457043 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.058391094 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.067074060 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.067105055 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.067157984 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.067167997 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.067219019 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.119179964 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.119201899 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.119863987 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.119985104 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.121608019 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.121665955 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.122575998 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.123131990 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.123157978 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.123224020 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.123284101 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.127259970 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.127403021 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.128990889 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.132313967 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.132368088 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.132380962 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.151226997 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.151376009 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.155267000 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.155414104 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.159305096 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.159394979 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.159421921 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.159450054 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.159475088 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.159492970 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.164990902 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.165011883 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.166213989 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.180476904 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.181447029 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.183032036 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.183614016 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.185420036 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.185756922 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.190366983 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.190458059 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.191164970 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.191243887 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.194372892 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.199366093 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.200038910 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:48.209428072 CET	6262	49759	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:48.210685015 CET	49759	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:52.041347027 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:52.288606882 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:52.292083979 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:52.292563915 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:52.624872923 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:52.627099037 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:52.993434906 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:53.048363924 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:53.080440044 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:53.563896894 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:53.564042091 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:53.803684950 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:53.812144995 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:53.812238932 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.030910969 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.048976898 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.049015045 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.049073935 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.066186905 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.066528082 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.080060005 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.291057110 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.291161060 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.299583912 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.299668074 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.307544947 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.307765007 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.333013058 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.333493948 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.338839054 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.343696117 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.345474005 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.345611095 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.350835085 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.351000071 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.359000921 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.363420963 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.487792015 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.504695892 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.508497953 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.510827065 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.519143105 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.528009892 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.528475046 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.551227093 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.555203915 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.555377960 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.573035002 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.587196112 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.590962887 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.591298103 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.596601963 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.598881006 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.605216026 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.609699965 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.609780073 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.622859955 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.644937038 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.644963980 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.645085096 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.647520065 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.647622108 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.729640007 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.737957954 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.738078117 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.762114048 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.769939899 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.770036936 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.770119905 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.845513105 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.853276968 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.853400946 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.875654936 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.923459053 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.941019058 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.948107004 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.948286057 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:54.968692064 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.968729019 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:54.968831062 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.029565096 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.042463064 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.042538881 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.043689966 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.049871922 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.050000906 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.054430962 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.067790985 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.070010900 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.071329117 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.073348999 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.073411942 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.076543093 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.076571941 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.076663017 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.077049017 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.099826097 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.100969076 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.101731062 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.102554083 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.102582932 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.102607012 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.102616072 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.102652073 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.104929924 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.106461048 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.110927105 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.111042976 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.122097969 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.122390985 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.122426987 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.122456074 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.131495953 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.131525993 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.131542921 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.132251978 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.132909060 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.135025024 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.356373072 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.356410980 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.357724905 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.357754946 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.357779980 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.357850075 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.357889891 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.359004021 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.359028101 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.360049963 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.360085964 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.360105038 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.360121965 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.360167027 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.361000061 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.362993002 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.364233017 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.364264965 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.364289999 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.364357948 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.365629911 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.365654945 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.366939068 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.366941929 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.366971970 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.367470026 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.367496014 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.367518902 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.367539883 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.411325932 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.411359072 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.411377907 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.411400080 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.411497116 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.411927938 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.413135052 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.413162947 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.413223982 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.414505959 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.415172100 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.415179968 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.415237904 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.415983915 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.416045904 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.416776896 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.416837931 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.418747902 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.418782949 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.418829918 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.418850899 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.583163977 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.583189964 CET	6262	49762	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:55.583317995 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:55.583569050 CET	49762	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:59.175496101 CET	49766	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:59.403208017 CET	6262	49766	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:59.403333902 CET	49766	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:59.415916920 CET	49766	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:38:59.765609026 CET	6262	49766	185.140.53.131	192.168.2.6
Nov 24, 2021 08:38:59.766479969 CET	49766	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:00.222080946 CET	6262	49766	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:00.222209930 CET	49766	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:00.429136992 CET	6262	49766	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:00.580873013 CET	49766	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:00.980082035 CET	6262	49766	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:00.980195999 CET	49766	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:01.259607077 CET	6262	49766	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:01.259676933 CET	6262	49766	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:01.259763002 CET	49766	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:01.461229086 CET	6262	49766	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:01.463717937 CET	6262	49766	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:01.463802099 CET	49766	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:01.467230082 CET	6262	49766	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:01.470973969 CET	6262	49766	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:01.471086025 CET	49766	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:01.580935001 CET	49766	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:01.675312042 CET	6262	49766	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:01.675343037 CET	6262	49766	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:01.675448895 CET	49766	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:01.677391052 CET	6262	49766	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:01.677546978 CET	49766	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:01.680716991 CET	6262	49766	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:01.680947065 CET	49766	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:01.700963020 CET	6262	49766	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:01.701132059 CET	49766	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:01.703141928 CET	6262	49766	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:01.703334093 CET	49766	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:01.706393957 CET	6262	49766	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:01.706501961 CET	49766	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:01.711319923 CET	6262	49766	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:01.711493969 CET	49766	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:05.762523890 CET	49772	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:05.971832991 CET	6262	49772	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:05.971978903 CET	49772	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:05.972486019 CET	49772	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:06.380544901 CET	6262	49772	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:06.396749973 CET	49772	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:06.611196995 CET	6262	49772	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:06.628917933 CET	49772	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:07.041002989 CET	6262	49772	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:07.612608910 CET	49772	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:08.022378922 CET	6262	49772	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:08.022464991 CET	49772	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:08.431224108 CET	6262	49772	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:08.471474886 CET	49772	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:08.481039047 CET	6262	49772	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:08.533958912 CET	49772	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:08.612720966 CET	49772	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:08.792896986 CET	6262	49772	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:08.792968988 CET	6262	49772	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:08.793040037 CET	49772	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:08.793075085 CET	49772	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:09.001667976 CET	6262	49772	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:09.001727104 CET	6262	49772	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:09.001770973 CET	49772	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:09.001818895 CET	49772	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:12.803957939 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:13.010237932 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:13.010392904 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:13.011029959 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:13.391304970 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:13.391628027 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:13.621548891 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:13.706291914 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:13.769586086 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:14.181919098 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:14.182029963 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:14.464725018 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:14.473995924 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:14.474065065 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:14.801208973 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:14.811733961 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:14.811825991 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:14.820966005 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:14.832770109 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:14.832855940 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:14.839420080 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.033014059 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.033164978 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.043461084 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.043570995 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.052411079 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.052494049 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.064373016 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.064480066 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.071355104 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.071434975 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.082679987 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.082786083 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.093127966 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.093235016 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.105066061 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.105506897 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.251408100 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.342942953 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.346766949 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.353060007 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.401103020 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.401173115 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.401212931 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.401273966 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.401318073 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.451241016 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.501523972 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.501595020 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.501723051 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.502084017 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.502680063 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.502873898 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.511394024 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.513022900 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.521136999 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.531089067 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.532793999 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.542798996 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.551616907 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.554646969 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.571436882 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.581348896 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.581924915 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.632417917 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.692301989 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.692334890 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.692348957 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.692414999 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.692965031 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.702977896 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.703011990 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.703113079 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.752373934 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.752465963 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.762300014 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.762331963 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.762348890 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.762379885 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.762950897 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.763004065 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.772151947 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.772187948 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.772269011 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.781932116 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.791944981 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.791975975 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.792032003 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.802861929 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.802922964 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.802979946 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.872525930 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.892355919 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.892425060 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.892463923 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.892538071 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.892576933 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.893037081 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.898559093 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.962517023 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.962627888 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.962745905 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.972255945 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.973584890 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.983669043 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.983730078 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.983778954 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.983830929 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.991909027 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.991956949 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:15.992018938 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:15.992074013 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.002672911 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.003568888 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.012660027 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.012753963 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.012767076 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.012821913 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.022296906 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.022377968 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.032481909 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.032542944 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.032572031 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.032624960 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.042435884 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.042557001 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.042681932 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.052043915 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.052983046 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.061889887 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.061948061 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.062016010 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.062062025 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.072527885 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.072633982 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.082268953 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.082300901 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.082353115 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.082386971 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.092231989 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.092255116 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.092330933 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.092374086 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.101996899 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.102072954 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.111917019 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.111967087 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.112046003 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.122008085 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.122212887 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.132477045 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.132515907 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.132646084 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.143127918 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.143167019 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.143285990 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.152429104 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.154788971 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.162122011 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.162185907 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.162300110 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.171964884 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.174761057 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.182621002 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.182682037 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.182790995 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.194535017 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.194561005 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.194642067 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.242662907 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.242697954 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.242714882 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.242774963 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.242816925 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.243026972 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.243979931 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.244059086 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:16.244760990 CET	6262	49775	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:16.246108055 CET	49775	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:19.941314936 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:20.151555061 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:20.153126001 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:20.153678894 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:20.500344992 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:20.500678062 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:20.710747957 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:20.753761053 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:20.864522934 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:21.310126066 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:21.310205936 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:21.572551012 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:21.581408978 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:21.581491947 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:21.792676926 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:21.812279940 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:21.812558889 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:21.812982082 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:21.813136101 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:21.813359976 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:21.879496098 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.031411886 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.031564951 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.041028023 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.043286085 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.050990105 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.051083088 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.062623978 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.062727928 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.111078024 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.111187935 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.122587919 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.122716904 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.122710943 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.122780085 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.122811079 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.122867107 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.251167059 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.261126041 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.261225939 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.270817995 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.282444000 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.282624960 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.292207956 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.347683907 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.382637024 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.392257929 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.392441034 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.401458025 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.441378117 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.541198969 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.541872025 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.541941881 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.543514013 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.550888062 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.551028013 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.562618971 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.572448015 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.572545052 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.582228899 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.592411041 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.592463970 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.592576027 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.642344952 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.642399073 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.642534971 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.643052101 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.643748999 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.643862963 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.645380020 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.646220922 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.646311045 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.652050018 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.661967039 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.662024021 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.662071943 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.707087040 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.712140083 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.721976995 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.722028017 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.722073078 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.723630905 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.724303961 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.724375963 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.724787951 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.724891901 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.770349979 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.802464008 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.802525043 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.802558899 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.802694082 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.802988052 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.803903103 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.804116964 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.852431059 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.852485895 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.852528095 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.852581024 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.852986097 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.853070021 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.853888035 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.853929043 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.853996038 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.855567932 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.861282110 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.861355066 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.864414930 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.871499062 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.871551991 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.871586084 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.871622086 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.881009102 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.881061077 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.881365061 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.932177067 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.932279110 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.932326078 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.932372093 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.932398081 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.932424068 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.932955980 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.933011055 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.934456110 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.934533119 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:22.935187101 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:22.935286999 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.022418022 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.022475958 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.022504091 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.022541046 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.072707891 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.072770119 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.072810888 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.072830915 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.072906971 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.073328972 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.073371887 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.073407888 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.073421001 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.073498011 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.082482100 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.082580090 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.082642078 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.082767010 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.132253885 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.132379055 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.151982069 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.152036905 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.152097940 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.152134895 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.161741972 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.161880016 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.172509909 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.172555923 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.172601938 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.172647953 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.182324886 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.182415009 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.233346939 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.233396053 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.233434916 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.233448982 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.233470917 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.233495951 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.234013081 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.234078884 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.234781027 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.234878063 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.236366987 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.236406088 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.236443043 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.236500978 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.282593966 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.282699108 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.283242941 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.283323050 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.284034014 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.284111977 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.284801006 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.284965992 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.286318064 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.286362886 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.286429882 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.286459923 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.331125021 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.331167936 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.331216097 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.331314087 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.331631899 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.331691027 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.333825111 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.333914995 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.333914042 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.333956003 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.334011078 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.334050894 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.381303072 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.381381035 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.382035017 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.382090092 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.401079893 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.401114941 CET	6262	49795	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:23.401169062 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:23.401217937 CET	49795	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:26.975405931 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:27.200272083 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:27.200393915 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:27.210586071 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:27.541640043 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:27.562799931 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:27.770559072 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:27.816889048 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:27.864448071 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:28.281263113 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:28.281410933 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:28.562745094 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:28.572215080 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:28.572516918 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:28.880011082 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:28.902062893 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:28.902158976 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:28.911930084 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:28.911961079 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:28.912060022 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:28.920883894 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:28.920979023 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.121305943 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.131361961 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.131510973 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.140878916 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.152453899 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.152523994 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.202518940 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.202615976 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.202673912 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.221349001 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.221410036 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.221503019 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.451101065 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.462717056 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.462800980 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.470999956 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.481564045 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.481667042 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.533090115 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.542448044 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.542516947 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.552841902 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.561539888 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.561640024 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.572072029 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.584074974 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.584136963 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.591372967 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.601031065 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.601103067 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.612875938 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.660738945 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.662029982 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.662054062 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.662070036 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.662184000 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.673042059 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.673165083 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.682703018 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.723244905 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.732388020 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.732418060 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.732469082 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.753592968 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.765038967 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.765096903 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.765120029 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.772633076 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.772697926 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.825016975 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.832357883 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.832386017 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.832401991 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.832503080 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.852157116 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.852181911 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.852197886 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.852253914 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.862020016 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.862045050 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.862149000 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.864638090 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.873025894 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.873101950 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.882303953 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.882327080 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.882369041 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.882391930 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.892666101 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.892693996 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.892726898 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.892750978 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.903561115 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.903752089 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.912009954 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.912091017 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.921865940 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.921895981 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.921941996 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.921962976 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.934015036 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.934043884 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.934087038 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.934108973 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.944041014 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.944106102 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.952992916 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.953018904 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.953068018 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.953092098 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.962006092 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.962078094 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.963742971 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.963823080 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:29.974493027 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:29.974550962 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.065074921 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.065104008 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.065140963 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.065171957 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.073096037 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.073191881 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.084038973 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.084069967 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.084247112 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.084331036 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.092021942 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.092077017 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.092211008 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.102596998 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.102705002 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.112555981 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.112605095 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.112664938 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.112744093 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.122205973 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.122282028 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.132040024 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.132086992 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.132117033 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.132148027 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.144074917 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.144105911 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.146457911 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.152975082 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.155956030 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.163989067 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.164030075 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.164124012 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.172338963 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.174015999 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.183123112 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.183206081 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.186049938 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.193106890 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.193276882 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.193371058 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.203051090 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.203152895 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.213057041 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.213119984 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.215465069 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.265145063 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.265244961 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.272592068 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.272646904 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.272685051 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.272773027 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.276482105 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.276525021 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.276575089 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:30.284671068 CET	6262	49811	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:30.284779072 CET	49811	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:33.934920073 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:34.150665045 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:34.150813103 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:34.151962996 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:34.541146040 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:34.583089113 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:34.948534012 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:35.172653913 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:35.172761917 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:35.581357956 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:35.581480026 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:35.862607002 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:35.871403933 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:35.871630907 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.102035046 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.111934900 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.111968040 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.112112045 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.120903969 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.121072054 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.322226048 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.333058119 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.333249092 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.342451096 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.342490911 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.342700958 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.352333069 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.395708084 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.442531109 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.442590952 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.442626953 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.442724943 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.553006887 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.598843098 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.602587938 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.613058090 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.613203049 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.613486052 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.622597933 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.622725010 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.632304907 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.632360935 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.632442951 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.642767906 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.651875019 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.651933908 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.652045012 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.663036108 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.663182020 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.712007999 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.712039948 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.712198019 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.713377953 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.714257956 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.714346886 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.714370966 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.833089113 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.833239079 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.843090057 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.852428913 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.852458954 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.852529049 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.864588022 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.864690065 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.872109890 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.872137070 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.872231960 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.882711887 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.892510891 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.892558098 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.892648935 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.942914009 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.942965031 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.942986012 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.943058014 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.943108082 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.943481922 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.943504095 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.943545103 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.952651024 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.952797890 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.952867031 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.962357998 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.962390900 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.962516069 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.974869013 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.982321024 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.982378960 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.982477903 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:36.992310047 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:36.992449999 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.002036095 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.002089024 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.002201080 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.013058901 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.013972998 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.014070988 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.102683067 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.149257898 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.171876907 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.171930075 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.172019958 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.172065973 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.222676039 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.222742081 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.233072996 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.233103037 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.233198881 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.243345976 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.243427992 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.252317905 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.252340078 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.252444029 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.262554884 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.262626886 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.263176918 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.263226986 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.272080898 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.272166967 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.281938076 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.281971931 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.282033920 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.282056093 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.294219017 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.294277906 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.303869009 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.303903103 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.303958893 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.303978920 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.340420008 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.340446949 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.340480089 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.340511084 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.400602102 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.400734901 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.451555014 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.451603889 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.451646090 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.451669931 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.451682091 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.451710939 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.467082977 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.467129946 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.467149973 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.467191935 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.470685959 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.471074104 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.471213102 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.471286058 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.472093105 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.472150087 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.480087042 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.480128050 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.480149031 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.480175972 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.486638069 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.486680984 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.486717939 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.486753941 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.492835999 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.492923021 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.497391939 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.497438908 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.497453928 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.497484922 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.501013994 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.501091957 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.502370119 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.502418041 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.502440929 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.502455950 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.503074884 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.503149033 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.503160000 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.503215075 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.505551100 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.505618095 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.511461973 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.511503935 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.511531115 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.511559010 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.562638998 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.562690020 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.562726974 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.562763929 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.562793970 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.563015938 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.563061953 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.564045906 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.564105988 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.565776110 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.565818071 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.565838099 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.565864086 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.571347952 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.571403980 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.582029104 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.582062006 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.582140923 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.591207981 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.602528095 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.602551937 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.602636099 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.612565041 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.612668037 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.742129087 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.742153883 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.742172956 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.742245913 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.742829084 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.742901087 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.744388103 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.745124102 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.745141983 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.745227098 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.792057037 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.792107105 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.792156935 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.792222977 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.792299032 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.792823076 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.794517994 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.794595957 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.810981035 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.811003923 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.811079025 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.813374996 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.822449923 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.822554111 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.862961054 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.872643948 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.872725010 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.882320881 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.882412910 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.882472038 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.892307043 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.902249098 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.902292013 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.902321100 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.911994934 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.912064075 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.922501087 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.922578096 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.922646999 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.932377100 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.942518950 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.942547083 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.942621946 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.952292919 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.952364922 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.970412016 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.970437050 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.970499039 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.972031116 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.972055912 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.972120047 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:37.981856108 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.992619991 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.992651939 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:37.992716074 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.002500057 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.002532959 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.002598047 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.012342930 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.012379885 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.012449026 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.022748947 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.022885084 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.032099962 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.032146931 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.032224894 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.082351923 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.082396984 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.082415104 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.082459927 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.082983017 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.083040953 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.084639072 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.085392952 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.085455894 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.091912985 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.091933966 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.091993093 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.101888895 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.114974976 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.152654886 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.152707100 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.152726889 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.152748108 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.152761936 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.152791023 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.153358936 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.153403997 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.153934002 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.153973103 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.154740095 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.154831886 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.154881001 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.162317038 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.162385941 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.172163963 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.172204971 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.172281027 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.182008028 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.182050943 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.182080030 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.182112932 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.192604065 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.192706108 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.202574968 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.202678919 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.202680111 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.202775002 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.252660036 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.252710104 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.252727032 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.252784014 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.252836943 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.253321886 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.254136086 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.254242897 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.254298925 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.254342079 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.262454987 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.262481928 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.262515068 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.262553930 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.272344112 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.272481918 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.282203913 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.282263041 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.282284975 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.282326937 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.291968107 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.292016983 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.382457972 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.382487059 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.382543087 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.382563114 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.411967039 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.411992073 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.412086964 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.422003031 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.422122955 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.432743073 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.432781935 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.432868004 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.442413092 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.442511082 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.452547073 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.452589989 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.452639103 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.452687025 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.462507010 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.462558031 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.462601900 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.462652922 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.512345076 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.512392044 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.512535095 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.512928009 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.513873100 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.513897896 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.513972998 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.514018059 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.515635967 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.516094923 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.522099018 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.522125959 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.522211075 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.531982899 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.532694101 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:38.541022062 CET	6262	49816	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:38.543204069 CET	49816	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:42.171245098 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:42.380131960 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:42.384283066 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:42.384892941 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:42.750996113 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:42.759514093 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:42.991544008 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:43.040085077 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:43.122529030 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:43.531498909 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:43.532819986 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:43.851466894 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:43.861378908 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:43.863466024 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.121356010 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.130974054 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.137841940 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.142863035 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.152364969 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.162416935 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.175633907 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.362354994 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.362884998 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.373066902 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.373272896 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.381325006 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.381874084 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.431703091 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.431726933 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.431906939 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.452656984 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.452689886 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.452702999 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.453130960 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.592614889 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.602154016 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.602188110 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.602320910 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.612541914 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.612618923 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.621434927 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.621481895 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.621607065 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.653264046 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.662487984 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.662525892 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.662672997 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.673096895 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.673239946 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.802961111 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.802990913 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.803080082 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.821906090 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.821928978 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.821940899 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.822053909 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.872078896 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.872096062 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.878998995 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.881947994 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.892519951 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.892543077 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.892565966 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.892653942 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.942047119 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.942109108 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.942162037 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.942255020 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.943599939 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.943634987 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.943672895 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.943742037 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.943772078 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.953233004 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.963005066 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.963213921 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.972676039 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.972713947 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.972914934 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:44.984019041 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.992487907 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.992585897 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:44.992633104 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.005048990 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.005234957 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.010958910 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.010988951 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.011374950 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.024310112 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.033015013 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.033205032 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.033273935 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.042309046 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.042499065 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.052531004 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.052553892 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.052710056 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.062092066 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.062127113 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.062289953 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.072828054 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.081134081 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.081784010 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.092691898 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.102089882 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.102121115 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.102197886 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.112087011 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.112226963 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.122698069 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.122735977 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.122869968 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.132859945 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.142354012 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.142388105 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.143135071 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.152143955 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.152175903 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.152949095 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.161978960 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.162075996 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.172717094 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.172761917 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.173202991 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.182673931 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.182708025 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.182774067 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.192584991 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.202192068 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.202229977 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.202342987 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.215856075 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.216016054 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.222050905 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.222074986 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.222210884 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.231178045 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.232022047 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.232054949 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.232136011 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.243041992 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.243388891 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.257534027 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.257555962 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.257747889 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.262609959 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.262675047 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.272095919 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.272155046 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.272244930 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.272263050 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.282711983 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.282764912 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.282890081 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.292958021 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.293176889 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.302484035 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.302557945 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.303081036 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.303172112 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.312423944 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.312459946 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.312540054 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.312561035 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.402162075 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.402268887 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.403074026 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.403110027 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.403160095 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.403204918 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.423383951 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.423532963 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.432404041 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.432451963 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.432511091 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.432529926 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.442378044 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.442418098 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.443706989 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.453218937 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.453416109 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.462821960 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.462865114 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.463015079 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.473334074 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.473491907 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.482573032 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.482605934 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.482757092 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.492561102 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.492592096 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.492985964 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.504786968 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.504976034 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.512425900 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.512470961 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.512646914 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.512662888 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.522298098 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.524746895 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.532015085 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.532053947 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.533327103 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.542922020 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.542957067 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.543042898 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.543057919 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.553077936 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.553153038 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.564965010 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.564996004 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.565141916 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.611115932 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.611141920 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.611171961 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.611243963 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.611258984 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:45.612205982 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.612231970 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.612256050 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.622657061 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.622817993 CET	6262	49819	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:45.623320103 CET	49819	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:49.330873966 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:49.671968937 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:49.672580004 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:49.673240900 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:50.231564045 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:50.232897997 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:50.441422939 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:50.442107916 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:50.850322962 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:50.850466967 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:51.183027029 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:51.191077948 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:51.191288948 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:51.278043985 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:51.402303934 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:51.402450085 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:51.411919117 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:51.412013054 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:51.421524048 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:51.421559095 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:51.421616077 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:51.421642065 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:51.623295069 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:51.632430077 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:51.632992029 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:51.642261028 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:51.642316103 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:51.642405033 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:51.652219057 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:51.662112951 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:51.662175894 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:51.662208080 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:51.671021938 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:51.671123028 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.002696037 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.002724886 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.002793074 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.022378922 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.031980038 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.032005072 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.032021046 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.032040119 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.032083035 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.082015991 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.082042933 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.082118034 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.091905117 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.093385935 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.093405008 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.093441963 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.094302893 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.094371080 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.102416992 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.112338066 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.112364054 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.112400055 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.162563086 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.162691116 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.232383013 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.232554913 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.232625008 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.242367983 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.252402067 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.252480030 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.252485037 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.277543068 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.302365065 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.302423954 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.302460909 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.302510977 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.302570105 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.302577972 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.304004908 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.304136038 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.304692984 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.304733992 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.304760933 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.304781914 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.312184095 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.312258005 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.322072029 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.322195053 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.331919909 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.331963062 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.332020998 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.332042933 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.342588902 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.342719078 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.352291107 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.352323055 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.352427006 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.362308025 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.362371922 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.372070074 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.372104883 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.372200966 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.372225046 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.462400913 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.462475061 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.463164091 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.463207960 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.491903067 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.491929054 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.491955996 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.492006063 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.501981974 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.502037048 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.512247086 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.512289047 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.512356997 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.512392044 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.562170029 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.562413931 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.562819004 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.562890053 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.564580917 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.564639091 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.564656019 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.564692974 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.565233946 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.565314054 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.641777992 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.641858101 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.652384043 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.652412891 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.652447939 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.652473927 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.662405968 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.662523985 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.672261953 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.672291040 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.672389984 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.682338953 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.682503939 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:52.691190004 CET	6262	49844	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:52.691293955 CET	49844	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:56.408540964 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:56.650641918 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:56.650763035 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:56.652893066 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:56.971144915 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:56.971616983 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:57.181026936 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:57.216444969 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:57.640444994 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:57.641185045 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:57.912486076 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:57.912544966 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:57.912692070 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.123584032 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.132671118 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.132772923 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.132808924 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.183922052 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.216411114 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.221201897 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.221359015 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.353051901 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.353158951 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.362333059 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.362379074 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.362502098 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.372013092 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.372546911 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.393507957 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.393654108 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.402479887 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.403920889 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.434166908 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.434470892 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.442513943 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.562433004 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.564450026 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.570323944 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.580993891 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.581094027 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.592432976 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.592479944 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.592566967 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.602488995 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.651316881 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.651426077 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.651436090 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.662463903 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.662617922 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.672457933 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.682586908 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.682677984 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.682801962 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.691322088 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.691425085 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.700335026 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.746471882 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.912431955 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.921318054 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.921344042 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.921413898 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.931914091 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.932029963 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.942598104 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.942642927 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.942766905 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.952428102 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.962383032 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.962523937 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.972151995 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.972197056 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.972279072 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.981205940 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.981249094 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:58.981388092 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:58.992305040 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.001949072 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.002005100 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.002163887 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.012538910 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.012713909 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.022475004 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.022535086 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.022665024 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.032280922 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.042273998 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.042448044 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.042458057 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.051986933 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.052155018 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.061923981 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.061966896 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.062175035 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.072649956 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.072695017 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.072814941 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.082974911 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.093312025 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.093463898 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.102183104 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.110428095 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.110524893 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.132668018 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.142260075 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.142381907 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.153364897 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.153415918 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.153525114 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.161880970 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.161942005 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.162091017 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.172776937 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.182336092 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.182394028 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.182559967 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.192179918 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.192305088 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.202094078 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.202145100 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.202274084 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.213521957 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.216362953 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.225373030 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.225528002 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.225538969 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.225627899 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.233477116 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.233630896 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.242147923 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.242229939 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.242286921 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.242331982 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.251971960 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.252018929 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.252182961 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.252213955 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.262700081 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.262835979 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.273893118 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.273951054 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.274048090 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.274097919 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.282636881 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.282800913 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.293493032 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.293651104 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.302062988 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.302112103 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.302232027 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.302290916 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.312048912 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.312094927 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.312167883 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.312215090 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.322591066 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.322732925 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.333781958 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.333844900 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.333913088 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.333966017 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.343729019 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.343815088 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.352009058 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.352085114 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.352202892 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.352240086 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.402153969 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.402323961 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.402798891 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.402825117 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.402900934 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.402964115 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.404445887 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.404537916 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.405256987 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.405284882 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.405364037 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.405421972 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.411858082 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.411878109 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.412008047 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.412249088 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.502285957 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.502335072 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.502417088 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.502460957 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.512645960 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.512839079 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.521934986 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.522068977 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.523713112 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.523806095 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.532728910 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.532821894 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.542515993 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.542567015 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.542795897 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.542829990 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.552577019 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.552684069 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.562249899 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.562298059 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.562377930 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.571927071 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.571970940 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.572069883 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.582003117 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.582123995 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.592741966 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.592780113 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.592832088 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.592868090 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.602602005 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.602686882 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.612473011 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.612524033 CET	6262	49845	185.140.53.131	192.168.2.6
Nov 24, 2021 08:39:59.612565041 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:39:59.612603903 CET	49845	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:03.304295063 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:03.509991884 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:03.510149956 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:03.510735035 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:03.800273895 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:03.800798893 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:04.133071899 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:04.184288979 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:04.216470003 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:04.661235094 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:04.661489964 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:04.963215113 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:04.975064993 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:04.979077101 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:05.216655970 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:05.332123995 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.332386971 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:05.342808008 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.342928886 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:05.352458954 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.352503061 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.352674961 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:05.542737007 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.552886009 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.553061008 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:05.602891922 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.602957964 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.603193998 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:05.612667084 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.612720966 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.612900019 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:05.613384962 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.615047932 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.615155935 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:05.773557901 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.784261942 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.784317970 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.784452915 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:05.793088913 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.793203115 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:05.884191036 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.893415928 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.893620014 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:05.902112961 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.902169943 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.902367115 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:05.952259064 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.961966991 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.962069988 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:05.972702980 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.972759008 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:05.972820997 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.022454023 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.023199081 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.023272991 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.023329020 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.023981094 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.024049997 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.114659071 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.123950005 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.124067068 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.132838964 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.132945061 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.133049965 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.145081043 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.151969910 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.152029991 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.152055025 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.200098038 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.204134941 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.204184055 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.204291105 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.204705000 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.204744101 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.204813004 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.205529928 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.213841915 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.213926077 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.214061975 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.216365099 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.224637985 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.225089073 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.273910999 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.273972034 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.274013042 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.274035931 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.274101973 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.275273085 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.275316000 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.275335073 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.275366068 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.276124954 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.276182890 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.282742023 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.282819033 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.294398069 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.294459105 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.294491053 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.294548988 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.302418947 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.304121971 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.312057018 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.312114954 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.312140942 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.312182903 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.362189054 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.362248898 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.362287998 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.362329006 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.362381935 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.392528057 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.392589092 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.392631054 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.392662048 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.392718077 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.421890020 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.422034025 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.423369884 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.423471928 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.424169064 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.424226046 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.424295902 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.425060987 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.427035093 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.432595968 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.432648897 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.432702065 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.442440033 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.442892075 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.452416897 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.452474117 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.452553034 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.542392969 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.542483091 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.552628040 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.552673101 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.552717924 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.552772045 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.561882973 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.561979055 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.571691990 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.571804047 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.571866035 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.582410097 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.582448006 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.582521915 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.582619905 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.592343092 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.592431068 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.602066994 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.602092028 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.602186918 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:06.611967087 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.611998081 CET	6262	49847	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:06.612096071 CET	49847	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:10.254312992 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:11.181520939 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:11.183655977 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:11.184129000 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:11.570564985 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:11.570909977 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:11.891264915 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:11.892059088 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:12.161149979 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:12.172525883 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:12.172725916 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:12.461250067 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:12.472582102 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:12.472664118 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:12.481672049 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:12.491487980 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:12.491571903 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:12.700423002 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:12.711121082 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:12.711261034 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:12.722033978 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:12.731612921 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:12.731703043 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:12.741399050 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:12.751230001 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:12.751583099 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:12.760346889 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:12.772277117 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:12.775641918 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.121457100 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.130979061 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.133919001 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.141191006 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.150990009 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.151711941 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.161884069 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.171459913 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.175489902 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.182145119 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.232003927 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.232312918 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.232373953 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.232412100 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.232453108 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.254441977 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.254494905 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.254528046 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.254796982 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.255067110 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.255106926 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.255187035 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.264323950 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.310201883 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.372873068 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.372952938 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.373199940 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.374042988 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.383878946 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.387855053 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.394562006 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.394619942 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.394799948 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.404655933 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.414624929 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.414686918 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.414829016 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.462069035 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.463896036 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.464354992 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.464550018 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.465172052 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.465215921 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.465251923 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.466177940 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.467783928 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.473588943 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.528844118 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.562316895 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.562345982 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.562448025 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.563014984 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.585099936 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.585256100 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.585413933 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.594506979 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.594590902 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.602680922 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.602722883 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.602809906 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.613513947 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.613571882 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.613948107 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.628679037 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.669624090 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.674081087 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.674132109 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.674170017 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.674284935 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.676419020 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.676459074 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.676543951 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.716352940 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.795526981 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.795593023 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.795727015 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.815931082 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.824204922 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.824268103 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.824353933 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.834219933 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.834264994 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.834419012 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.845067024 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.845242023 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.852025986 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.852071047 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.852257967 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.864433050 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.864491940 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.864635944 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.874106884 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.883970022 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.884031057 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.884196043 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.894598007 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.895035982 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.904455900 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.904498100 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.904592991 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.914295912 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.914354086 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.914450884 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.924504995 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.934760094 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.934848070 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.934978008 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.943797112 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.947791100 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.952581882 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.952626944 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.952800035 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.963367939 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.972244024 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.972286940 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.972451925 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:13.982245922 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:13.982350111 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.032535076 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.032599926 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.032747984 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.042146921 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.042869091 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.042889118 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.043009043 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.044703960 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.045798063 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.045890093 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.051384926 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.055768013 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.062890053 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.072403908 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.072422981 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.072509050 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.082369089 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.084965944 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.085047960 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.093095064 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.095766068 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.102653980 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.102694035 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.102799892 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.113197088 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.122505903 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.123508930 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.132015944 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.132081985 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.132154942 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.222990036 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.233947992 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.234123945 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.245567083 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.245615005 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.245733976 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.251960039 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.252002001 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.252101898 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.263870001 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.273471117 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.273535013 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.273649931 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.283391953 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.283447027 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.283612013 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.295665026 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.295836926 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.304629087 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.304687977 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.304821968 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.314582109 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.323488951 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.323551893 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.323662043 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.334090948 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.334177971 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.334301949 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.345053911 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.345230103 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.354788065 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.363496065 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.363559008 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.363732100 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.403942108 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.412045956 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.412107944 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.412158966 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.412270069 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.413609028 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.413665056 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.413780928 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.413804054 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.413839102 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.423499107 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.436140060 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.436317921 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.444123983 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.444160938 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.444340944 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.456578970 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.464723110 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.464771986 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.464843035 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.474351883 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.474505901 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.484186888 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.484232903 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.484354019 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.493959904 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.494007111 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.494169950 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.505085945 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.514544964 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.514590979 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.514683962 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.525722027 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.525924921 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.534231901 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.534276009 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.534410954 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.548048019 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.554786921 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.554828882 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.554943085 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.565850973 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.565970898 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.577048063 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.584312916 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.584345102 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.584436893 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.593457937 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.593657970 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.604053020 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.604101896 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.604300976 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.614151001 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.614197969 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.614330053 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.624618053 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.634407997 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.634465933 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.634576082 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.643567085 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.643625021 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.643764973 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.685257912 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.692698002 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.692775011 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.692919016 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.693386078 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.693449974 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.693505049 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.694117069 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.703974009 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.704118013 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.713943958 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.713989973 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.714181900 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.724575996 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.734535933 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.734838963 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.864192963 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.864257097 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.864295006 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.864408970 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.864418030 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.864449978 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.864470005 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.872459888 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.872556925 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.884109974 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.884156942 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.884268045 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.932651043 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.932713985 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.932753086 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.932913065 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.933211088 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.933317900 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.934271097 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.934856892 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.934942961 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.944165945 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.944221020 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.944348097 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.955502987 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.955544949 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.955662966 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.964462042 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.974519968 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.974581003 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.974670887 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.984206915 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.984373093 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:14.994030952 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.994092941 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:14.994203091 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.003964901 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.014755964 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.014893055 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.024380922 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.024430990 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.024534941 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.034396887 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.042711973 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.042881966 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.043277025 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.053890944 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.054065943 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.064651966 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.074392080 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.074418068 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.074527025 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.084238052 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.084327936 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.093334913 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.093365908 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.093542099 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.103087902 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.115762949 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.115984917 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.124469042 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.124514103 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.124620914 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.133351088 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.133409977 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.133495092 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.144217968 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.155533075 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.155594110 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.155675888 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.164547920 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.164720058 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.174396038 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.174453020 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.174654961 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.184258938 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.193979025 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.194042921 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.194206953 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.205610037 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.205826998 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.214473963 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.214534998 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.214690924 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.224490881 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.224567890 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.224755049 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.234534025 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.244057894 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.244554043 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.255547047 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.255594969 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.255779982 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.264645100 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.310244083 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.315433979 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.315490961 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.315530062 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.315640926 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.316090107 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.316170931 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.394663095 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.643738985 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.652719975 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.652800083 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.652939081 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.662585020 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.662748098 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.672111034 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.672158957 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.672269106 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.682266951 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.692122936 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.692173004 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.692277908 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.702016115 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.702078104 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.702183008 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.711885929 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.712052107 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.762106895 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.762154102 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.762310982 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.762478113 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.762818098 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.762907028 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.764610052 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.792655945 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.792720079 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.792846918 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.793359995 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.793401003 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.793406010 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.794246912 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.794289112 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.803078890 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:15.857223034 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:15.988529921 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:16.520076036 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:16.576118946 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:16.800499916 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:16.930394888 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:16.954185963 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:17.482362032 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:17.482616901 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:17.744208097 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:17.746709108 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:18.065160036 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:18.065854073 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:18.542151928 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:19.185915947 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:19.232564926 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:19.791224003 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:19.791373014 CET	49848	6262	192.168.2.6	185.140.53.131
Nov 24, 2021 08:40:21.650317907 CET	6262	49848	185.140.53.131	192.168.2.6
Nov 24, 2021 08:40:21.701400995 CET	49848	6262	192.168.2.6	185.140.53.131

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2021 08:38:29.175595999 CET	64267	53	192.168.2.6	8.8.8.8
Nov 24, 2021 08:38:29.193285942 CET	53	64267	8.8.8.8	192.168.2.6
Nov 24, 2021 08:38:35.749134064 CET	49448	53	192.168.2.6	8.8.8.8
Nov 24, 2021 08:38:35.768896103 CET	53	49448	8.8.8.8	192.168.2.6
Nov 24, 2021 08:38:45.078562975 CET	60342	53	192.168.2.6	8.8.8.8
Nov 24, 2021 08:38:45.099934101 CET	53	60342	8.8.8.8	192.168.2.6
Nov 24, 2021 08:38:52.018465996 CET	56023	53	192.168.2.6	8.8.8.8
Nov 24, 2021 08:38:52.040276051 CET	53	56023	8.8.8.8	192.168.2.6
Nov 24, 2021 08:38:59.152193069 CET	60261	53	192.168.2.6	8.8.8.8
Nov 24, 2021 08:38:59.173830032 CET	53	60261	8.8.8.8	192.168.2.6
Nov 24, 2021 08:39:05.738451004 CET	58336	53	192.168.2.6	8.8.8.8
Nov 24, 2021 08:39:05.760961056 CET	53	58336	8.8.8.8	192.168.2.6
Nov 24, 2021 08:39:12.781300068 CET	54064	53	192.168.2.6	8.8.8.8
Nov 24, 2021 08:39:12.802176952 CET	53	54064	8.8.8.8	192.168.2.6
Nov 24, 2021 08:39:19.918241978 CET	49694	53	192.168.2.6	8.8.8.8
Nov 24, 2021 08:39:19.940148115 CET	53	49694	8.8.8.8	192.168.2.6
Nov 24, 2021 08:39:26.954230070 CET	63718	53	192.168.2.6	8.8.8.8
Nov 24, 2021 08:39:26.974416971 CET	53	63718	8.8.8.8	192.168.2.6
Nov 24, 2021 08:39:33.915369034 CET	63816	53	192.168.2.6	8.8.8.8
Nov 24, 2021 08:39:33.933423042 CET	53	63816	8.8.8.8	192.168.2.6
Nov 24, 2021 08:39:42.152251959 CET	62208	53	192.168.2.6	8.8.8.8
Nov 24, 2021 08:39:42.169732094 CET	53	62208	8.8.8.8	192.168.2.6
Nov 24, 2021 08:39:49.306451082 CET	57574	53	192.168.2.6	8.8.8.8
Nov 24, 2021 08:39:49.329001904 CET	53	57574	8.8.8.8	192.168.2.6
Nov 24, 2021 08:39:56.327341080 CET	51818	53	192.168.2.6	8.8.8.8
Nov 24, 2021 08:39:56.347222090 CET	53	51818	8.8.8.8	192.168.2.6
Nov 24, 2021 08:40:03.282618046 CET	60778	53	192.168.2.6	8.8.8.8
Nov 24, 2021 08:40:03.302814007 CET	53	60778	8.8.8.8	192.168.2.6
Nov 24, 2021 08:40:10.232549906 CET	53799	53	192.168.2.6	8.8.8.8
Nov 24, 2021 08:40:10.253711939 CET	53	53799	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 24, 2021 08:38:29.175595999 CET	192.168.2.6	8.8.8.8	0xac6c	Standard query (0)	6262.hopto.org	A (IP address)	IN (0x0001)
Nov 24, 2021 08:38:35.749134064 CET	192.168.2.6	8.8.8.8	0x88c4	Standard query (0)	6262.hopto.org	A (IP address)	IN (0x0001)
Nov 24, 2021 08:38:45.078562975 CET	192.168.2.6	8.8.8.8	0xa4f2	Standard query (0)	6262.hopto.org	A (IP address)	IN (0x0001)
Nov 24, 2021 08:38:52.018465996 CET	192.168.2.6	8.8.8.8	0xae6d	Standard query (0)	6262.hopto.org	A (IP address)	IN (0x0001)
Nov 24, 2021 08:38:59.152193069 CET	192.168.2.6	8.8.8.8	0xe677	Standard query (0)	6262.hopto.org	A (IP address)	IN (0x0001)
Nov 24, 2021 08:39:05.738451004 CET	192.168.2.6	8.8.8.8	0x81df	Standard query (0)	6262.hopto.org	A (IP address)	IN (0x0001)
Nov 24, 2021 08:39:12.781300068 CET	192.168.2.6	8.8.8.8	0x81cc	Standard query (0)	6262.hopto.org	A (IP address)	IN (0x0001)
Nov 24, 2021 08:39:19.918241978 CET	192.168.2.6	8.8.8.8	0xd31f	Standard query (0)	6262.hopto.org	A (IP address)	IN (0x0001)
Nov 24, 2021 08:39:26.954230070 CET	192.168.2.6	8.8.8.8	0x2f18	Standard query (0)	6262.hopto.org	A (IP address)	IN (0x0001)
Nov 24, 2021 08:39:33.915369034 CET	192.168.2.6	8.8.8.8	0x5a22	Standard query (0)	6262.hopto.org	A (IP address)	IN (0x0001)
Nov 24, 2021 08:39:42.152251959 CET	192.168.2.6	8.8.8.8	0x23ce	Standard query (0)	6262.hopto.org	A (IP address)	IN (0x0001)
Nov 24, 2021 08:39:49.306451082 CET	192.168.2.6	8.8.8.8	0x8d88	Standard query (0)	6262.hopto.org	A (IP address)	IN (0x0001)
Nov 24, 2021 08:39:56.327341080 CET	192.168.2.6	8.8.8.8	0x28b9	Standard query (0)	6262.hopto.org	A (IP address)	IN (0x0001)
Nov 24, 2021 08:40:03.282618046 CET	192.168.2.6	8.8.8.8	0x7f35	Standard query (0)	6262.hopto.org	A (IP address)	IN (0x0001)
Nov 24, 2021 08:40:10.232549906 CET	192.168.2.6	8.8.8.8	0x8f60	Standard query (0)	6262.hopto.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Nov 24, 2021 08:38:29.193285942 CET	8.8.8.8	192.168.2.6	0xac6c	No error (0)	6262.hopto.org	185.140.53.131	A (IP address)	IN (0x0001)
Nov 24, 2021 08:38:35.768896103 CET	8.8.8.8	192.168.2.6	0x88c4	No error (0)	6262.hopto.org	185.140.53.131	A (IP address)	IN (0x0001)
Nov 24, 2021 08:38:45.099934101 CET	8.8.8.8	192.168.2.6	0xa4f2	No error (0)	6262.hopto.org	185.140.53.131	A (IP address)	IN (0x0001)
Nov 24, 2021 08:38:52.040276051 CET	8.8.8.8	192.168.2.6	0xae6d	No error (0)	6262.hopto.org	185.140.53.131	A (IP address)	IN (0x0001)
Nov 24, 2021 08:38:59.173830032 CET	8.8.8.8	192.168.2.6	0xe677	No error (0)	6262.hopto.org	185.140.53.131	A (IP address)	IN (0x0001)
Nov 24, 2021 08:39:05.760961056 CET	8.8.8.8	192.168.2.6	0x81df	No error (0)	6262.hopto.org	185.140.53.131	A (IP address)	IN (0x0001)
Nov 24, 2021 08:39:12.802176952 CET	8.8.8.8	192.168.2.6	0x81cc	No error (0)	6262.hopto.org	185.140.53.131	A (IP address)	IN (0x0001)
Nov 24, 2021 08:39:19.940148115 CET	8.8.8.8	192.168.2.6	0xd31f	No error (0)	6262.hopto.org	185.140.53.131	A (IP address)	IN (0x0001)
Nov 24, 2021 08:39:26.974416971 CET	8.8.8.8	192.168.2.6	0x2f18	No error (0)	6262.hopto.org	185.140.53.131	A (IP address)	IN (0x0001)
Nov 24, 2021 08:39:33.933423042 CET	8.8.8.8	192.168.2.6	0x5a22	No error (0)	6262.hopto.org	185.140.53.131	A (IP address)	IN (0x0001)
Nov 24, 2021 08:39:42.169732094 CET	8.8.8.8	192.168.2.6	0x23ce	No error (0)	6262.hopto.org	185.140.53.131	A (IP address)	IN (0x0001)
Nov 24, 2021 08:39:49.329001904 CET	8.8.8.8	192.168.2.6	0x8d88	No error (0)	6262.hopto.org	185.140.53.131	A (IP address)	IN (0x0001)
Nov 24, 2021 08:39:56.347222090 CET	8.8.8.8	192.168.2.6	0x28b9	No error (0)	6262.hopto.org	185.140.53.131	A (IP address)	IN (0x0001)
Nov 24, 2021 08:40:03.302814007 CET	8.8.8.8	192.168.2.6	0x7f35	No error (0)	6262.hopto.org	185.140.53.131	A (IP address)	IN (0x0001)
Nov 24, 2021 08:40:10.253711939 CET	8.8.8.8	192.168.2.6	0x8f60	No error (0)	6262.hopto.org	185.140.53.131	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: tj9KzQvUFy.exe PID: 7016 Parent PID: 2076

General

Start time:	08:38:02
Start date:	24/11/2021
Path:	C:\Users\user\Desktop\tj9KzQvUFy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tj9KzQvUFy.exe"
Imagebase:	0x880000
File size:	656384 bytes
MD5 hash:	E8AE42CFAAFD650A14285AAF700D1F2B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.380810422.0000000002C41000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.381024024.0000000002D5E000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.382063003.0000000003C49000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.382063003.0000000003C49000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.382063003.0000000003C49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 6344 Parent PID: 7016

General

Start time:	08:38:13
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6324 Parent PID: 6344

General

Start time:	08:38:13
Start date:	24/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 6320 Parent PID: 7016

General

Start time:	08:38:13
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QWtzAVmnpKpJx" /XML "C:\Users\user\AppData\Local\Temp\tmp6B9E.tmp
Imagebase:	0x810000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4680 Parent PID: 6320

General

Start time:	08:38:14
Start date:	24/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: tj9KzQvUFy.exe PID: 6192 Parent PID: 7016

General

Start time:	08:38:15
Start date:	24/11/2021
Path:	C:\Users\user\Desktop\tj9KzQvUFy.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\tj9KzQvUFy.exe
Imagebase:	0x960000
File size:	656384 bytes
MD5 hash:	E8AE42CFAAFD650A14285AAF700D1F2B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.377573313.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.377573313.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000009.00000000.377573313.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.610929952.0000000002CF1000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.607967437.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.607967437.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000009.00000002.607967437.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.370237715.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.370237715.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000009.00000000.370237715.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.378298727.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.378298727.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000009.00000000.378298727.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.613519812.0000000003CF9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000009.00000002.613519812.0000000003CF9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.376991452.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.376991452.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000009.00000000.376991452.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.615717844.00000000055F0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.615717844.00000000055F0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.616228293.0000000006470000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.616228293.0000000006470000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.616228293.0000000006470000.00000004.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6548 Parent PID: 6192

General

Start time:	08:38:24
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpC635.tmp
Imagebase:	0x810000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6048 Parent PID: 6548

General

Start time:	08:38:25
Start date:	24/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: tj9KzQvUFy.exe PID: 5776 Parent PID: 936

General

Start time:	08:38:26
Start date:	24/11/2021
Path:	C:\Users\user\Desktop\tj9KzQvUFy.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\tj9KzQvUFy.exe 0
Imagebase:	0xaa0000
File size:	656384 bytes
MD5 hash:	E8AE42CFAAFD650A14285AAF700D1F2B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000E.00000002.435389639.0000000002FC1000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.437386781.0000000003FC9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.437386781.0000000003FC9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.437386781.0000000003FC9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000E.00000002.436014172.00000000030EB000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6572 Parent PID: 6192

General

Start time:	08:38:26
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpCF6D.tmp
Imagebase:	0x810000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6644 Parent PID: 6572

General

Start time:	08:38:27
Start date:	24/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6732 Parent PID: 936

General

Start time:	08:38:29
Start date:	24/11/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Imagebase:	0x5c0000
File size:	656384 bytes
MD5 hash:	E8AE42CFAAFD650A14285AAF700D1F2B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000011.00000002.405648724.0000000002AC1000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 57%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 7072 Parent PID: 3440

General

Start time:	08:38:34
Start date:	24/11/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase:	0x800000
File size:	656384 bytes
MD5 hash:	E8AE42CFAAFD650A14285AAF700D1F2B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000013.00000002.428142089.0000000002CC1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 7064 Parent PID: 5776

General

Start time:	08:38:34
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QWtzAVmnpKpJx.exe
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5420 Parent PID: 7064

General

Start time:	08:38:34
Start date:	24/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 5724 Parent PID: 5776

General

Start time:	08:38:35
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QWtzAVmnpKpJx" /XML "C:\Users\user\AppData\Local\Temp\tmpB52A.tmp
Imagebase:	0x810000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6328 Parent PID: 5724

General

Start time:	08:38:39
Start date:	24/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: tj9KzQvUFy.exe PID: 1992 Parent PID: 5776

General

Start time:	08:38:41
Start date:	24/11/2021
Path:	C:\Users\user\Desktop\tj9KzQvUFy.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\tj9KzQvUFy.exe
Imagebase:	0x280000
File size:	656384 bytes
MD5 hash:	E8AE42CFAAFD650A14285AAF700D1F2B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: tj9KzQvUFy.exe PID: 4804 Parent PID: 5776

General

Start time:	08:38:42
Start date:	24/11/2021
Path:	C:\Users\user\Desktop\tj9KzQvUFy.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\tj9KzQvUFy.exe
Imagebase:	0xf60000
File size:	656384 bytes
MD5 hash:	E8AE42CFAAFD650A14285AAF700D1F2B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000002.448411736.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.448411736.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.448411736.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000000.428587320.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000000.428587320.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001B.00000000.428587320.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000000.430610675.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000000.430610675.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001B.00000000.430610675.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.449720348.0000000004499000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.449720348.0000000004499000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000002.449610369.0000000003491000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001B.00000002.449610369.0000000003491000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000000.429163974.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000000.429163974.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001B.00000000.429163974.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001B.00000000.429929302.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001B.00000000.429929302.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001B.00000000.429929302.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: tj9KzQvUFy.exe PID: 7016 Parent PID: 2076 tj9KzQvUFy.exeCOMMON

Executed Functions

Function 0113D9EC, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0113FECA

Memory Dump Source

Source File: 00000001.00000002.380467117.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 39bb0d9db67a3a2cc2df40cb43f9366488d7095cbf8f896deb47cc5cc8fbc499
Instruction ID: fa1aa77e1ececf00a78a96858ab16d0a0694900411aec9ba6c577ec097bbcefb
Opcode Fuzzy Hash: 39bb0d9db67a3a2cc2df40cb43f9366488d7095cbf8f896deb47cc5cc8fbc499
Instruction Fuzzy Hash: FD51D1B1D00319EFDB14CF99D984ADEBBB5FF88314F24812AE819AB214D7749885CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0113FDB1, Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0113FECA

Memory Dump Source

Source File: 00000001.00000002.380467117.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 25f04d12c1eb1983fbefa06b30005339e2bebc0ceacc15e677ecbb88fffeb64f
Instruction ID: aad2c0f304ecda71e033445b3fc1a8c9d4247b973b13acc2667c5e578fce83ae
Opcode Fuzzy Hash: 25f04d12c1eb1983fbefa06b30005339e2bebc0ceacc15e677ecbb88fffeb64f
Instruction Fuzzy Hash: C251D1B1D00319EFDB14CFA9D884ADEBFB5BF88314F24812AE819AB214D7749845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01133E20, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01135421

Memory Dump Source

Source File: 00000001.00000002.380467117.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e579c9800a62647408f48c4b13825114b5eeb3c45c239a7e0232679207e0258a
Instruction ID: 037ed89b4c4584cacca97ff541cbaa564c139d57dd19986d271dbbb8b46cc0a5
Opcode Fuzzy Hash: e579c9800a62647408f48c4b13825114b5eeb3c45c239a7e0232679207e0258a
Instruction Fuzzy Hash: 4341E371D00618CFDB28CFA9C984BCEBBB5BF48718F24806AD408BB255EB755945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01135367, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01135421

Memory Dump Source

Source File: 00000001.00000002.380467117.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a56c633d08fac7778b5db7cbbf6c3b85d7b25d9c7cc5527056674d34640c270b
Instruction ID: f593c57534788313795e8396d8a12abec2c649bad7368de023b026c2c1edeb56
Opcode Fuzzy Hash: a56c633d08fac7778b5db7cbbf6c3b85d7b25d9c7cc5527056674d34640c270b
Instruction Fuzzy Hash: FD41E2B1D00218CFDB28CFA9C984BCEBBB5BF49318F24806AD408AB255EB755946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0113A1C4, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0113B93E,?,?,?,?,?), ref: 0113B9FF

Memory Dump Source

Source File: 00000001.00000002.380467117.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6c206a8cf345fdc60c667c52c5df6090769984aee0221edf465b7c06e41238a9
Instruction ID: a943ae74f3b614a7208340d3b43762067faa784e2c7ecb90ce4dee99441c6dbf
Opcode Fuzzy Hash: 6c206a8cf345fdc60c667c52c5df6090769984aee0221edf465b7c06e41238a9
Instruction Fuzzy Hash: FD21E6B59002089FDB10CF9AD584ADEBBF8EB48324F14841AE914B3310D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 011387A8, Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01139729,00000800,00000000,00000000), ref: 0113993A

Memory Dump Source

Source File: 00000001.00000002.380467117.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2ffe788844c71a309d823aae537395c4df092c88877c236e21f7c746316c1b3b
Instruction ID: e223f2f26b5c9d3a9c7da640a4760c6eaacd29c1d14a90d96c69d5d92d8e9252
Opcode Fuzzy Hash: 2ffe788844c71a309d823aae537395c4df092c88877c236e21f7c746316c1b3b
Instruction Fuzzy Hash: DC2144B6D003099FCB14CF9AD844BDEBBF4AB88324F14846AE55AB7310D7B4A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0113B973, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0113B93E,?,?,?,?,?), ref: 0113B9FF

Memory Dump Source

Source File: 00000001.00000002.380467117.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 80d33f054b1cab27077d9f62849d510111447da58078f9ea91b10b84d6a115ac
Instruction ID: 5de5bdbcd01b058d64268d967bd8987d7296d4b0843d2033de3e3607ec4b9f9d
Opcode Fuzzy Hash: 80d33f054b1cab27077d9f62849d510111447da58078f9ea91b10b84d6a115ac
Instruction Fuzzy Hash: 0C21E2B5D002489FDB10CFA9D984ADEBBF8EF48324F14841AE954B3310D378A954CF60

Uniqueness

Uniqueness Score: -1.00%

Function 011387C0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01139729,00000800,00000000,00000000), ref: 0113993A

Memory Dump Source

Source File: 00000001.00000002.380467117.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 86e2a5f319ba3231f4d06a4a8eba17e2ded0df3b5b7eeb9dd8d8e6d2eb2913a5
Instruction ID: 21a8e0039ea9606d023ffa91405a3e37a182e0d41c4f8163f2b94807879a0e81
Opcode Fuzzy Hash: 86e2a5f319ba3231f4d06a4a8eba17e2ded0df3b5b7eeb9dd8d8e6d2eb2913a5
Instruction Fuzzy Hash: 7F1117B69002099FDB14CF9AD484BDEFBF4EB88324F14842ED555B7200D7B4A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 011398CB, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01139729,00000800,00000000,00000000), ref: 0113993A

Memory Dump Source

Source File: 00000001.00000002.380467117.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 785292f2f451b833d952c0a4fc91f6cbce6eab7b0efd288b4d4439004a076798
Instruction ID: 7a333807a40e11bc69bc8bced7c6eaf40f056d430d8fedab762a510a8cc4704d
Opcode Fuzzy Hash: 785292f2f451b833d952c0a4fc91f6cbce6eab7b0efd288b4d4439004a076798
Instruction Fuzzy Hash: 2411F3B6D002498FDB14CFAAD484AEEFBF4EB88324F14842ED559B7600D774A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 01139648, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 011396AE

Memory Dump Source

Source File: 00000001.00000002.380467117.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e14bff5fd88a39990dcf062debea424339c178dc11f5de75d6917b783779544d
Instruction ID: 2e7c4c6bb72f2667f07524daaa7cb2f620b6f74798b185f1fcae6ca8091234c9
Opcode Fuzzy Hash: e14bff5fd88a39990dcf062debea424339c178dc11f5de75d6917b783779544d
Instruction Fuzzy Hash: 0C1110B6D006498FDB14CF9AC444BDEFBF4AB88328F14842AD519A7200C3B4A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01139646, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 011396AE

Memory Dump Source

Source File: 00000001.00000002.380467117.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c2fa18b98800679703efdf3c9aa1eb73aac9a7ecd792c525da4300877f6c48ee
Instruction ID: 8ca6028cd825bb117ee80f2d26bc6bc18b1805a5b76850823eed55cde0dfa7ef
Opcode Fuzzy Hash: c2fa18b98800679703efdf3c9aa1eb73aac9a7ecd792c525da4300877f6c48ee
Instruction Fuzzy Hash: 3A1122B6D006498FDB14CF9AC544BDEFBF4AF88328F14842AD559B7200C378A545CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010DD4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.380319000.00000000010DD000.00000040.00000001.sdmp, Offset: 010DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c06852b8b6000432844d2e412de1b5095662b31502c45a27ac1b6c9dc47b26
Instruction ID: 36ea1f875a8ad22437e388f89bf41f7c21bbe940f6443a215b0a2bd994976dfe
Opcode Fuzzy Hash: 91c06852b8b6000432844d2e412de1b5095662b31502c45a27ac1b6c9dc47b26
Instruction Fuzzy Hash: A6212871504340DFDB01DF94D9C0B2BBFA5FB88328F6485A9E8450B28AC336D455CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010ED01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.380338360.00000000010ED000.00000040.00000001.sdmp, Offset: 010ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04857420f95b7618f41d20ae93266d4b0a4cfb13211cd062b2a58c154f9404ab
Instruction ID: 10d4e1c22adaa91f0eecd1d3d5027eb55c782b320121adb794f43458b75e22cf
Opcode Fuzzy Hash: 04857420f95b7618f41d20ae93266d4b0a4cfb13211cd062b2a58c154f9404ab
Instruction Fuzzy Hash: B2210371504340DFCB11CF94D8C8B16BFE5FB84254F28C9ADE8890B246C336D806CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010ED006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.380338360.00000000010ED000.00000040.00000001.sdmp, Offset: 010ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418c7265d258ec2277bbeee6ce423a9604278220fcc6558a698f488ae1babe75
Instruction ID: 0ae645d0e02d652de4e15a90ef5925923eb6741dd962720400b718fab7b7b53c
Opcode Fuzzy Hash: 418c7265d258ec2277bbeee6ce423a9604278220fcc6558a698f488ae1babe75
Instruction Fuzzy Hash: 4C2192755093C08FCB13CF24D994B15BFB1EB46214F28C5DAD8898B657C33A981ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 010DD4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.380319000.00000000010DD000.00000040.00000001.sdmp, Offset: 010DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8327e2e64201f7ff5ec3366efc7fa298251661c1b1bcdfba362d642d30d07f4
Instruction ID: aadd2c32adf36feaa4cdce90d3fd99f31d0e5bf76dcd75fbdda046129770d834
Opcode Fuzzy Hash: e8327e2e64201f7ff5ec3366efc7fa298251661c1b1bcdfba362d642d30d07f4
Instruction Fuzzy Hash: C111D376404380DFCB12CF54D5C4B16BFB1FB84324F24C6A9D8450B65AC336D456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 010DD731, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.380319000.00000000010DD000.00000040.00000001.sdmp, Offset: 010DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb071c78df64c12b736be6a56b89a01cd5c5ddd070bcdb7a174840637e16d143
Instruction ID: 1fdfc28df48d62fc2ea1b71bb871de6e04b802e4a324dd12c5973cf119d6c1e7
Opcode Fuzzy Hash: cb071c78df64c12b736be6a56b89a01cd5c5ddd070bcdb7a174840637e16d143
Instruction Fuzzy Hash: 2101F771408384ABE7504AA5CC847ABFBD8FF41238F18C4DAED845B2C2E7799844CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 010DD730, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.380319000.00000000010DD000.00000040.00000001.sdmp, Offset: 010DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e2edb5802fd2eb43deb6897fb8e27c34bd3361c7b612b71e9d5de97b118196
Instruction ID: b529e17a12345b48d238f452ce87c17ce63fc2619a9c976718be1cab725b3276
Opcode Fuzzy Hash: a8e2edb5802fd2eb43deb6897fb8e27c34bd3361c7b612b71e9d5de97b118196
Instruction Fuzzy Hash: A9F0C271404384AFE7518A19CC84BA6FFD8EB81234F18C49AED484F282D3799844CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0113E638, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.380467117.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b0b22d49a87b360b73c94f9221390912012ac4c535688f0e190e61cfa038513
Instruction ID: ffb306099a369c87d16361be7852a39234b0a6f797cc49ac9a1bb95ddd158f3e
Opcode Fuzzy Hash: 8b0b22d49a87b360b73c94f9221390912012ac4c535688f0e190e61cfa038513
Instruction Fuzzy Hash: B112D5F16197468BD3B8CF65E8A82893FA3B741328FD04228D2715EAD9D7B411CACF44

Uniqueness

Uniqueness Score: -1.00%

Function 0113C034, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.380467117.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e11f3836e5e641d6e4110e7dde56ab8a459b5796f965676942060b4858a405
Instruction ID: dd92b92502ec268ce9f607ef844b98e6d6ae9a4413dc8efac7ee25cb4f68087a
Opcode Fuzzy Hash: d7e11f3836e5e641d6e4110e7dde56ab8a459b5796f965676942060b4858a405
Instruction Fuzzy Hash: 04A18C36E0021ACFCF09DFA5D8445DEBBB2FFC5304B15856AE905BB264EB31A955CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0113E633, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.380467117.0000000001130000.00000040.00000001.sdmp, Offset: 01130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 223ba931533b1b3df136014182998212e11077fdc4754460dc2ccacae929dcd3
Instruction ID: dc63f0c6aad57da0756f4e8c88f8762845508b259ea2faed757be73097c4b8f8
Opcode Fuzzy Hash: 223ba931533b1b3df136014182998212e11077fdc4754460dc2ccacae929dcd3
Instruction Fuzzy Hash: 85C13BB16197468BD7A8CF64E8A81893FB3BB85328F904328D1716F6D9D7B414CACF44

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: tj9KzQvUFy.exe PID: 6192 Parent PID: 7016 tj9KzQvUFy.exeCOMMON

Executed Functions

Function 052CF5F8, Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.614964595.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac06997337f7207c82621a8839975902a6dcd342e5d28e835a95307a47be5a8
Instruction ID: 857bf28c158936c604178c8c538a5f16fd9b525afd898b744408fbcfe2044906
Opcode Fuzzy Hash: 3ac06997337f7207c82621a8839975902a6dcd342e5d28e835a95307a47be5a8
Instruction Fuzzy Hash: E5F16031A10209DFDB14DFA5C954B9DBBF2FF88304F5586A9E409AF362DBB0A945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0124B6C0, Relevance: 6.1, APIs: 4, Instructions: 127threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0124B730
GetCurrentThread.KERNEL32 ref: 0124B76D
GetCurrentProcess.KERNEL32 ref: 0124B7AA
GetCurrentThreadId.KERNEL32 ref: 0124B803

Memory Dump Source

Source File: 00000009.00000002.610296748.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c33212059bba332cad25f26ace765ecd25ab4ba339f53a014d5620c6a5dd2975
Instruction ID: 5c97f00f6ac59513c9ede933777d4a73a05c13a47b2078d341cbdd2783dfeec7
Opcode Fuzzy Hash: c33212059bba332cad25f26ace765ecd25ab4ba339f53a014d5620c6a5dd2975
Instruction Fuzzy Hash: 4D5176B1E012498FDB18CFAAD6887DEBFF0AF48314F24885AE159A7350C774A845CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0124B6D0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0124B730
GetCurrentThread.KERNEL32 ref: 0124B76D
GetCurrentProcess.KERNEL32 ref: 0124B7AA
GetCurrentThreadId.KERNEL32 ref: 0124B803

Memory Dump Source

Source File: 00000009.00000002.610296748.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 798feff244f9137ba8f15ee22027f86a6b4d021f414847b71d1e4406e236387c
Instruction ID: 5ec4a768045420b3b3ba863fec95e9e620a05683d956d497611f581cc1b2a2e1
Opcode Fuzzy Hash: 798feff244f9137ba8f15ee22027f86a6b4d021f414847b71d1e4406e236387c
Instruction Fuzzy Hash: E35175B1E012498FDB18CFAAD588BDEBBF0BF48314F24845AE119A3350C774A844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 052C17E0, Relevance: 2.0, APIs: 1, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.614964595.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f40f064d176a25a9be959105dc36fe21ffdacf33c05f857b679ae0a9b5d55e8
Instruction ID: 5be6fb25785c85f137b92f11d5244b56f7858fe30189d646525aa64735c319b6
Opcode Fuzzy Hash: 4f40f064d176a25a9be959105dc36fe21ffdacf33c05f857b679ae0a9b5d55e8
Instruction Fuzzy Hash: 64228078A24606CFDB14CB94D489ABEBFB2FF49310F24839AD44667357CB74A841CB52

Uniqueness

Uniqueness Score: -1.00%

Function 052CE190, Relevance: 1.7, APIs: 1, Instructions: 217threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 052CE289

Memory Dump Source

Source File: 00000009.00000002.614964595.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 6a22801074330d846b6f013108e231f3c6553dbf3b9d2f5f22b5e69a788ec0b7
Instruction ID: 90260ad1a5158f3bc9f8d85747363a5ea748ce4ec41ac499c506f6eec53973d2
Opcode Fuzzy Hash: 6a22801074330d846b6f013108e231f3c6553dbf3b9d2f5f22b5e69a788ec0b7
Instruction Fuzzy Hash: 9581BA70E102088FCB15DFA5C854BEEBFF9BF48314F14856AD40AAB251CB74A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06943558, Relevance: 1.7, APIs: 1, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.616534021.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04f86fb8905d56c59d99a0d0bf6e0687f8768fa78e3cabd88cfdf63f1eef34d
Instruction ID: 1ad548c4f895acbc7932468ec703b237daf1bef3253ebdcce342e7e56f4e6b19
Opcode Fuzzy Hash: b04f86fb8905d56c59d99a0d0bf6e0687f8768fa78e3cabd88cfdf63f1eef34d
Instruction Fuzzy Hash: 128177B1D00209DFDF10EFAAC880ADEBBB5FF48314F20852AD419AB640DB719945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 012493E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0124962E

Memory Dump Source

Source File: 00000009.00000002.610296748.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d39a86801d3c797850caa59dbda3f5273892409c272b5ffad79bafff1e338f11
Instruction ID: 550ba4582a6138af6ca0308db7f28435d3c5715b0731b9103602e95fef365e0d
Opcode Fuzzy Hash: d39a86801d3c797850caa59dbda3f5273892409c272b5ffad79bafff1e338f11
Instruction Fuzzy Hash: FF712470A20B068FDB28DF69D45179BBBF1FF88218F008A29D586D7A40D734E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06943E18, Relevance: 1.7, APIs: 1, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.616534021.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6777eb73a3eab98393e9a58db0cb6884eccdbf81d55bcb4727b0eb1bbd729e12
Instruction ID: 2d9c884aaa4ff7360fc32d9189eec3045ad5828605bbf7f3c8087e9ae2890763
Opcode Fuzzy Hash: 6777eb73a3eab98393e9a58db0cb6884eccdbf81d55bcb4727b0eb1bbd729e12
Instruction Fuzzy Hash: 61716B30A00204CFEB94EB65D594FAAB7F2FF88314F208999D406A7B50DB72ED55DB90

Uniqueness

Uniqueness Score: -1.00%

Function 052CE179, Relevance: 1.6, APIs: 1, Instructions: 144threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 052CE289

Memory Dump Source

Source File: 00000009.00000002.614964595.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 0de8d804af2e4b4c9148dfe2caeb5906cfa48d6bc82a4c129519a808bc88fa30
Instruction ID: 0821c7f5c730389c53f4c61154eb3df9f842c105d729f03f4f95af058fe7ba6f
Opcode Fuzzy Hash: 0de8d804af2e4b4c9148dfe2caeb5906cfa48d6bc82a4c129519a808bc88fa30
Instruction Fuzzy Hash: 8351AB70D202588FDF15DFA4C854BEEBFFABF44304F1586AAE406AB251DB70A845CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06943604, Relevance: 1.6, APIs: 1, Instructions: 141networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06943738

Memory Dump Source

Source File: 00000009.00000002.616534021.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 3197b14b192fedc04436101c89b72491bda8d414fe914642ed63f25772b6643c
Instruction ID: a46049790ebdc380c8cbf3cf85a853a94ed6e04c1468aa5fcb3817751bbd253f
Opcode Fuzzy Hash: 3197b14b192fedc04436101c89b72491bda8d414fe914642ed63f25772b6643c
Instruction Fuzzy Hash: F05120B1D002199FDF50DFAAC885BDEBBB5BF48314F24852AE815AB650DB719846CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06941914, Relevance: 1.6, APIs: 1, Instructions: 140networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06943738

Memory Dump Source

Source File: 00000009.00000002.616534021.0000000006940000.00000040.00000001.sdmp, Offset: 06940000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 9b9065bb2a45aa14c69fda90bee8e90f413b7494c09bde1c6c27e333a04b1bd9
Instruction ID: fe4bf38faaed1a9b38e88a978f09732c9d1992385b90e21d74ad841312bc2dc7
Opcode Fuzzy Hash: 9b9065bb2a45aa14c69fda90bee8e90f413b7494c09bde1c6c27e333a04b1bd9
Instruction Fuzzy Hash: 915120B1D002199FDF50DFAAC885BDEBBB5FF48314F20852AE815AB650DB71A845CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0124FBEC, Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0124FD0A

Memory Dump Source

Source File: 00000009.00000002.610296748.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 219765c2f93a99e9a0f62e74427f64110f9fa08c05792747320e38be1d86f26b
Instruction ID: cc927c1cb003ced4bdec598fc25b5fecf2cefa749e57bc0569446419a1edd07d
Opcode Fuzzy Hash: 219765c2f93a99e9a0f62e74427f64110f9fa08c05792747320e38be1d86f26b
Instruction Fuzzy Hash: 6C51D0B1D10309DFDF14CFA9C984ADEBBB5BF88314F24852AE919AB210D7759885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0124FBF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0124FD0A

Memory Dump Source

Source File: 00000009.00000002.610296748.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ce8eb0ecd7c13df35b4ce20c6a1ff19fd00cde5fdfca789bcd5880c54878d245
Instruction ID: 2391ba61be1d7f24f3de4b242b2d82ee056c79e889e39015c3d3b2af2500b4c8
Opcode Fuzzy Hash: ce8eb0ecd7c13df35b4ce20c6a1ff19fd00cde5fdfca789bcd5880c54878d245
Instruction Fuzzy Hash: BE41C0B1D10309DFDF14CF9AC984ADEBBB5BF88314F24852AE919AB210D7759885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 052C3474, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 052C46B1

Memory Dump Source

Source File: 00000009.00000002.614964595.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 798f66732fa9f3862f7e5fb48110f6cce218a5ad25d0a45612ece79267f417b1
Instruction ID: bd1ba94373f9542c83743c68b2a95b44d5ff3896230d17573fa832bf9c0f81b7
Opcode Fuzzy Hash: 798f66732fa9f3862f7e5fb48110f6cce218a5ad25d0a45612ece79267f417b1
Instruction Fuzzy Hash: ED41EF70C1061DCBDF24DFA9C894BCEBBB5BF49308F20856AD409AB251DBB16949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 052C45F4, Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 052C46B1

Memory Dump Source

Source File: 00000009.00000002.614964595.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c5924adca6c8ea70562df60907d076c9b887088f4b88215e8b32d425c7bf74f4
Instruction ID: 6a1e2d51ce22efc4bce8157187c7645d4d71b2efcb7ffddb1c9518dc62e059dc
Opcode Fuzzy Hash: c5924adca6c8ea70562df60907d076c9b887088f4b88215e8b32d425c7bf74f4
Instruction Fuzzy Hash: 664101B0C0021DCBDF24DFA5C894BCEBBB5BF49308F20856AD408AB251DBB1594ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 052C2470, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 052C2531

Memory Dump Source

Source File: 00000009.00000002.614964595.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: d6b30bd172d57eb57aa9ba9f16923b496cc3e266ec6e233cbdc9dc7a5c0e9fdb
Instruction ID: 2eab0430c907c2707037eaa9c001eb73cecb0f8a68e1c18023cd4909d8e1873c
Opcode Fuzzy Hash: d6b30bd172d57eb57aa9ba9f16923b496cc3e266ec6e233cbdc9dc7a5c0e9fdb
Instruction Fuzzy Hash: 054119B9A10205CFCB14CF99C448AAABBF6FF88314F24859DD559AB321D775A841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0124BDC1, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0124BD87

Memory Dump Source

Source File: 00000009.00000002.610296748.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6225a6def5197d8171a1cde40733a6281703741e741fc65bc3bc8af95f89d40f
Instruction ID: 6e618cb72a64102cd835ed2277035bbbcb63ebc0d941b5033af40585e3505aca
Opcode Fuzzy Hash: 6225a6def5197d8171a1cde40733a6281703741e741fc65bc3bc8af95f89d40f
Instruction Fuzzy Hash: 62314878640685CFE716DF70F5497A93BAAEF89300F24462AE9818B3C9CB765905DF10

Uniqueness

Uniqueness Score: -1.00%

Function 052CB898, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.614964595.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 31d686d48efe134864810df736c8edcf6fa0e75de3ae59fe27659fb5155fc601
Instruction ID: 1327b1caf03b940af33190eabe3febd05a34e8ec7469a47ae6d9826639c75d9e
Opcode Fuzzy Hash: 31d686d48efe134864810df736c8edcf6fa0e75de3ae59fe27659fb5155fc601
Instruction Fuzzy Hash: 4F318B729003499FCB01CFA9D845ADEBFF8EF09320F14845AE954A7221C3359954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0124BCF9, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0124BD87

Memory Dump Source

Source File: 00000009.00000002.610296748.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 78ab0e5215033d972d7300374895f666a7ff71319ef71ad411925f5638c111ac
Instruction ID: 5144daef5f0bd70d4f7f093be3a1cef026f46edd1df85e37b737f2dc3555caa2
Opcode Fuzzy Hash: 78ab0e5215033d972d7300374895f666a7ff71319ef71ad411925f5638c111ac
Instruction Fuzzy Hash: AB21E3B5D01219DFDF10CFA9D984AEEBBF4AB48324F14841AE955A7310D378A944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0124BD00, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0124BD87

Memory Dump Source

Source File: 00000009.00000002.610296748.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7a3c5ea471ba422f03cae726c3165bac511bec2666173bfdf219bd8dbf379006
Instruction ID: dc0692a4bc7b97bc5900327d6b4bc9f4c7f5caace4f008bb4072f23a57fb3ffc
Opcode Fuzzy Hash: 7a3c5ea471ba422f03cae726c3165bac511bec2666173bfdf219bd8dbf379006
Instruction Fuzzy Hash: FE21C2B5901209DFDB10CFAAD984ADEBBF8FB48324F14841AE955A3310D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 052CA504, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,052CB8B2,?,?,?,?,?), ref: 052CB957

Memory Dump Source

Source File: 00000009.00000002.614964595.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 69c5367ae968b7675750a3ed2f415d79d264d3f58f27ac964e05fe92db6bb9d4
Instruction ID: 7c22436f68e984cdedce3d63a4aacd9c8c2a6440249cc78121f812059503bbb4
Opcode Fuzzy Hash: 69c5367ae968b7675750a3ed2f415d79d264d3f58f27ac964e05fe92db6bb9d4
Instruction Fuzzy Hash: 571167B19002499FDB10CFAAC885BDEBFF8EF48320F54841AE555B7210C375A954DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01248768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012496A9,00000800,00000000,00000000), ref: 012498BA

Memory Dump Source

Source File: 00000009.00000002.610296748.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 026ee3f641dfcfc08da18e0649eda0654ffb77bb4e1381a8fa17e466e68feb97
Instruction ID: ba8b48ddb269dbe43a46365d54b0256f32e61242fcf2c2f15b24ed72ccd31238
Opcode Fuzzy Hash: 026ee3f641dfcfc08da18e0649eda0654ffb77bb4e1381a8fa17e466e68feb97
Instruction Fuzzy Hash: A611C2B69002099FEB14CF9AD444ADEBBF4AB48324F14842AE515A7600C775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01249849, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012496A9,00000800,00000000,00000000), ref: 012498BA

Memory Dump Source

Source File: 00000009.00000002.610296748.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d75a39f371c26ea9fb65f9ba4b82c449c50a29946148febd8f6dcf93c36c9671
Instruction ID: 419d0f60a77342a3aab28999c06887a9f5e6860a38790bfc65ca3e72c2437c72
Opcode Fuzzy Hash: d75a39f371c26ea9fb65f9ba4b82c449c50a29946148febd8f6dcf93c36c9671
Instruction Fuzzy Hash: BF1100B6D002098FEB14CFAAD445BDEFBF4AB48324F14882ED565A7600C375A545CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 052CE6D8, Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,010253E8,00000000,?), ref: 052CE73D

Memory Dump Source

Source File: 00000009.00000002.614964595.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5704421e86fda6324c84c7f3533f7a90be0a14ec23d67863ebf94b525b93e280
Instruction ID: a80a765da657239bab1e7537cd67c7ae06a60ddc830dc8441c4ebaf12976ff03
Opcode Fuzzy Hash: 5704421e86fda6324c84c7f3533f7a90be0a14ec23d67863ebf94b525b93e280
Instruction Fuzzy Hash: E51128B18003099FDB10CF9AC885BDEBBF8FF48324F148459E554A3610D374A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 052C32D8, Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,010253E8,00000000,?), ref: 052CE73D

Memory Dump Source

Source File: 00000009.00000002.614964595.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 00803c0828913ae22af291b0476a6ac58082f566846a19a94e654f8896eecf8c
Instruction ID: 8b4cd844fa9458b9646f0ca7c8f4ffbac1b072a8b1040c235978c118769c071c
Opcode Fuzzy Hash: 00803c0828913ae22af291b0476a6ac58082f566846a19a94e654f8896eecf8c
Instruction Fuzzy Hash: BC1158B18003099FDB10CF9AC485BEEBBF8FB08320F10846AE554A3201C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 052CD238, Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 052CD29D

Memory Dump Source

Source File: 00000009.00000002.614964595.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2ca9b73428e6a15efc0bfedcfb845b7d2e4f0dbf957d2d36de14f79a60b3f2e6
Instruction ID: b63a9b1ca02f8d351b1b4d994c23cf1c0308e0df4a0d110e0353266cc7ebb3e7
Opcode Fuzzy Hash: 2ca9b73428e6a15efc0bfedcfb845b7d2e4f0dbf957d2d36de14f79a60b3f2e6
Instruction Fuzzy Hash: 5911F2B58002499FDB50CF9AD889BDEBFF8FB48324F14881AE915A3601C3B5A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012495C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0124962E

Memory Dump Source

Source File: 00000009.00000002.610296748.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9503da0517bc2b742d545b730ab13045fe97889badc8587272cf837d8efcb673
Instruction ID: 75113f7a6a8e881b25b87f89ac5e9f91cf3945067af530fec295ea9d50b24611
Opcode Fuzzy Hash: 9503da0517bc2b742d545b730ab13045fe97889badc8587272cf837d8efcb673
Instruction Fuzzy Hash: E011E0B6D006498FDB24CF9AD444BDFFBF4AB88228F14842AD929A7600C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 052CA548, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,00000000), ref: 052CBCBD

Memory Dump Source

Source File: 00000009.00000002.614964595.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a55dd1741965859380a1abdafa6c2c5a9d83f47fd5462b205b079749daae0c3b
Instruction ID: 45e8741b89cf83e76db7e0b9d2c57d20147fb6ac7c9038e40f9c31085e8de5b8
Opcode Fuzzy Hash: a55dd1741965859380a1abdafa6c2c5a9d83f47fd5462b205b079749daae0c3b
Instruction Fuzzy Hash: 111110B69002089FCB10CF9AC489BDFBBF8EB48320F10845AE515A3200C3B5AA40CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 052C1540, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,052C226A,?,00000000,?), ref: 052CC435

Memory Dump Source

Source File: 00000009.00000002.614964595.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 86b52d70838314c6674e9fe40529cee7a5b121dde764d475b1c7813ce00f28a2
Instruction ID: a7643523fdb80bcf88b584c5b817d07043ccf649831d0d4fc4d74d223c4aefb2
Opcode Fuzzy Hash: 86b52d70838314c6674e9fe40529cee7a5b121dde764d475b1c7813ce00f28a2
Instruction Fuzzy Hash: D411F5B59003499FDB20CF99D484BDEBFF8EB48324F148559E559B7600C3B5A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 052C50D4, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 052CD29D

Memory Dump Source

Source File: 00000009.00000002.614964595.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: abc316751e2f5207f2032ffefb208179c2b1d3e8cb3b944b077e3c4c5098886c
Instruction ID: 981a0642c15934445e9c84423d0c6e688a672a9d718890e5505df369b6773fc5
Opcode Fuzzy Hash: abc316751e2f5207f2032ffefb208179c2b1d3e8cb3b944b077e3c4c5098886c
Instruction Fuzzy Hash: 2011F5B59002499FDB50CF9AD588BDEBBF8EB48324F108459E915A7201C3B5A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 052CC3D0, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,052C226A,?,00000000,?), ref: 052CC435

Memory Dump Source

Source File: 00000009.00000002.614964595.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d1869b783636bbe4a115e886eec4662291df69dc83433ebb8ece44cd9cfbea77
Instruction ID: 91ac4653d4a5682f132e89a4cba8a7baa4339912608a553d5c7f1adc847e5d11
Opcode Fuzzy Hash: d1869b783636bbe4a115e886eec4662291df69dc83433ebb8ece44cd9cfbea77
Instruction Fuzzy Hash: D611F5B58002499FDB10CF99D889BDEBFF8EB48324F148459E559A3601C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0124FE38, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0124FE9D

Memory Dump Source

Source File: 00000009.00000002.610296748.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d5fa9f44e43f0d242e776a72153e899e7f2bea593923fe1a181def13890dbb2c
Instruction ID: 18e3c05602f138ccc7a0f7e7bbc7443cacf2e2234674de370c2315967c775d61
Opcode Fuzzy Hash: d5fa9f44e43f0d242e776a72153e899e7f2bea593923fe1a181def13890dbb2c
Instruction Fuzzy Hash: 081145B5900249CFDB20CF99D589BDEFBF8EB48324F24881AE955A3301C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 052CDC60, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 052CF435

Memory Dump Source

Source File: 00000009.00000002.614964595.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 18c24f091ee8c2ef02e8ad11eb0a56aaaf438da75683b63aaae6dcb7b2d89bba
Instruction ID: 2e0771f8e9993f5dab79b9160edabc3612103fc3cf726ce35835c0e0c7bd7bc2
Opcode Fuzzy Hash: 18c24f091ee8c2ef02e8ad11eb0a56aaaf438da75683b63aaae6dcb7b2d89bba
Instruction Fuzzy Hash: 811115B19002488FCB20CF9AD588BDEBFF8EF48324F14855AE559A7700D3B4A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 052CF3D8, Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 052CF435

Memory Dump Source

Source File: 00000009.00000002.614964595.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 465840193c414b68feb9030a670325967fd54a630e0d1768e9fa663626a38df3
Instruction ID: e2748d624def0706a104f16f3543e92207ed0ff7e7fcbf0f95d26c836b63d339
Opcode Fuzzy Hash: 465840193c414b68feb9030a670325967fd54a630e0d1768e9fa663626a38df3
Instruction Fuzzy Hash: 451112B59002098FCB20CFE9D589BDEBFF8AF48324F24895AD559B7600C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0124FE40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0124FE9D

Memory Dump Source

Source File: 00000009.00000002.610296748.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 1eae037d8aad3628e0e121c2325fe57e709193989f2ae868e614b212cc9e63db
Instruction ID: e1b77981069a2d8c81aa428261d35d4fa9a2ade71cf8334281c9fef803c43d23
Opcode Fuzzy Hash: 1eae037d8aad3628e0e121c2325fe57e709193989f2ae868e614b212cc9e63db
Instruction Fuzzy Hash: FD1115B59002098FDB20CF9AD585BDFFBF8EB48324F10841AD915A3300C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 052CBC59, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,00000000), ref: 052CBCBD

Memory Dump Source

Source File: 00000009.00000002.614964595.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a481e0892e5e9a238c0eba99542b2324ee536d6201847bde90966695f1a5c247
Instruction ID: 5be9ae27f47442250bd7719f56eadc9ddf8f1d90154320d61c9814e0889987e8
Opcode Fuzzy Hash: a481e0892e5e9a238c0eba99542b2324ee536d6201847bde90966695f1a5c247
Instruction Fuzzy Hash: 3811F2B68006498FDB10CF99D585BDEBBF8FB48324F14881AD555A7600C374A5448FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: tj9KzQvUFy.exe PID: 5776 Parent PID: 936 tj9KzQvUFy.exeCOMMON

Executed Functions

Function 02D9B740, Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02D9B7B0
GetCurrentThread.KERNEL32 ref: 02D9B7ED
GetCurrentProcess.KERNEL32 ref: 02D9B82A
GetCurrentThreadId.KERNEL32 ref: 02D9B883

Memory Dump Source

Source File: 0000000E.00000002.434965188.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 71828ef90ff828822db03daedb7d236f25c770a4bf0081f0a0ab6490fe98b671
Instruction ID: 0e18d6f8b696a59aebf9df40c409a1717d5f96ce874ffda6c265225f0b4baf73
Opcode Fuzzy Hash: 71828ef90ff828822db03daedb7d236f25c770a4bf0081f0a0ab6490fe98b671
Instruction Fuzzy Hash: 2D5157B0A007488FDB10CFAAD688BDEBBF0EF49318F24899AE059A7350C7355844CB65

Uniqueness

Uniqueness Score: -1.00%

Function 02D9B750, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02D9B7B0
GetCurrentThread.KERNEL32 ref: 02D9B7ED
GetCurrentProcess.KERNEL32 ref: 02D9B82A
GetCurrentThreadId.KERNEL32 ref: 02D9B883

Memory Dump Source

Source File: 0000000E.00000002.434965188.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 83456c8dd79dbc10e7029af4f18869b7feb600ef7572c6b498eb22d6ef49ea9d
Instruction ID: 8b281fc707fdb55d553f6d439293f0620e14223fd1e21d0573a68c69486ebbe2
Opcode Fuzzy Hash: 83456c8dd79dbc10e7029af4f18869b7feb600ef7572c6b498eb22d6ef49ea9d
Instruction Fuzzy Hash: A05144B0A007488FDB14CFAAD648BDEBBF4EF49318F20896AE419A7350C7756944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02D99468, Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D996AE

Memory Dump Source

Source File: 0000000E.00000002.434965188.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 52a9acc5efc50f245eadde2781db67f085fda440eddb649a8cf7cdaebb4df099
Instruction ID: 8c1b1cee73c225ddf91afc28d048b7814fd322a59aa2987934e9113ee411ef8e
Opcode Fuzzy Hash: 52a9acc5efc50f245eadde2781db67f085fda440eddb649a8cf7cdaebb4df099
Instruction Fuzzy Hash: 8E7103B0A00B058FDB64DF69D06079ABBF5BF89214F00892EE586D7B40D735E849CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02D9FDAC, Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02D9FECA

Memory Dump Source

Source File: 0000000E.00000002.434965188.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2406446ff644265161384f70137905eeae96fc2478ee7ac28af2c959613f4c62
Instruction ID: 1db0f5dff9a32212e02e36b8ad44b6e8b232a98d06d2408b51c50218b0a9bcfc
Opcode Fuzzy Hash: 2406446ff644265161384f70137905eeae96fc2478ee7ac28af2c959613f4c62
Instruction Fuzzy Hash: FB51CFB1D003499FDF14CFA9D984ADEBFB5BF48314F24862AE819AB250D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D9FDB8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02D9FECA

Memory Dump Source

Source File: 0000000E.00000002.434965188.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d794f1f97a295ff83404c7d9b30a685891ff73dff68d8f51361853717f819f4f
Instruction ID: 5041c03112573a9f4e050a156180b53ee0133f4c821817de0ecf4105295ebcfa
Opcode Fuzzy Hash: d794f1f97a295ff83404c7d9b30a685891ff73dff68d8f51361853717f819f4f
Instruction Fuzzy Hash: DF41BEB1D00349DFDF14CFAAD984ADEBBB5BF48314F24852AE819AB250D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D95365, Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02D95421

Memory Dump Source

Source File: 0000000E.00000002.434965188.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: de343285689759f500eca97d02992c0ecc5d13a24f04fbd0ab4b92590f6a08ab
Instruction ID: 1d26572bd41554808cc1d7c108e68e7f24aee256e9765e050899d6d2f6ab91e2
Opcode Fuzzy Hash: de343285689759f500eca97d02992c0ecc5d13a24f04fbd0ab4b92590f6a08ab
Instruction Fuzzy Hash: 1241F171C00218CFEF24CFA9C884BDEBBB5BF49318F64806AD419AB251DB76594ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 02D93E20, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02D95421

Memory Dump Source

Source File: 0000000E.00000002.434965188.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: cb4332724b996f1d7705045adde4d5bc34a87cd97361dbe025afa0ca677ed9da
Instruction ID: df181a4b2d15951f2758a6d961073ece3669df658d68655f34a903302cbd69a7
Opcode Fuzzy Hash: cb4332724b996f1d7705045adde4d5bc34a87cd97361dbe025afa0ca677ed9da
Instruction Fuzzy Hash: 7041D271C00618CBDF24CFA9C844BCEBBB5BF49318F64846AD419AB251DB765945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D9B972, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D9B9FF

Memory Dump Source

Source File: 0000000E.00000002.434965188.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3b5855522fe4b0a4ad7bfbb7c112d9acd772adbcdb5f3b87112ddc47f70c1296
Instruction ID: 734c09c14f673760c595fa20e3d302298f547607f0d06d6d9454a99b21b434e1
Opcode Fuzzy Hash: 3b5855522fe4b0a4ad7bfbb7c112d9acd772adbcdb5f3b87112ddc47f70c1296
Instruction Fuzzy Hash: 5D21E4B59002489FDF10CFAAD984AEEBBF4EF48324F14845AE955B3310C374A955CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02D9B978, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D9B9FF

Memory Dump Source

Source File: 0000000E.00000002.434965188.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0bc7869213c87ee6b18e6a46d8ea919a5e53b1ddf703d0125c384efab61ba0e1
Instruction ID: 6fdf44c51865461ca2c032245b62b21747994a9a323f2d6249548224c5edd6fd
Opcode Fuzzy Hash: 0bc7869213c87ee6b18e6a46d8ea919a5e53b1ddf703d0125c384efab61ba0e1
Instruction Fuzzy Hash: 4321D3B59002489FDF10CFAAD984ADEFBF8FB48324F14841AE954A3310D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02D987C0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02D99729,00000800,00000000,00000000), ref: 02D9993A

Memory Dump Source

Source File: 0000000E.00000002.434965188.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2d51f5613125a5aca66d4dc710edc3b9e3e2046bd0c28a71c62fc0431732fdb1
Instruction ID: 840860c0b51260a8c733c9f393dad4d8392c2f8d4fed291023a96e23658b567e
Opcode Fuzzy Hash: 2d51f5613125a5aca66d4dc710edc3b9e3e2046bd0c28a71c62fc0431732fdb1
Instruction Fuzzy Hash: 3D1100B29002099FDF10CF9AC444BDEFBF8AB48324F14842EE959A7300C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02D998CA, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02D99729,00000800,00000000,00000000), ref: 02D9993A

Memory Dump Source

Source File: 0000000E.00000002.434965188.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a9fcd53547f5a454bc4140a666797010c27b4b11062439aa7605f417e5da0951
Instruction ID: 46bad59de5fea8cd33fd72cf0684cf0307fb903bd7afdd2663feb996e5c00156
Opcode Fuzzy Hash: a9fcd53547f5a454bc4140a666797010c27b4b11062439aa7605f417e5da0951
Instruction Fuzzy Hash: 8411E4B69002499FDF10CFAAD444ADEFBF4AB48324F14842EE455A7700C775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02D99648, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D996AE

Memory Dump Source

Source File: 0000000E.00000002.434965188.0000000002D90000.00000040.00000001.sdmp, Offset: 02D90000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 67b708837f82b2dc1d4c0e2e269fb2929cb65190b743e7d48ee5bea65abcdaaf
Instruction ID: 62a88a2fe91859743a71a0d12dec60898531299dda9cdb4c745467f86333b17f
Opcode Fuzzy Hash: 67b708837f82b2dc1d4c0e2e269fb2929cb65190b743e7d48ee5bea65abcdaaf
Instruction Fuzzy Hash: FF1110B2D002898FCB10DF9AC444BDEFBF8AF88324F14842AE419A7300D374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012FD4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.434364860.00000000012FD000.00000040.00000001.sdmp, Offset: 012FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd069a723ed98b43e935aeb5d756abbdfcc96babfe103e5b2ec28689d10a00e
Instruction ID: 0c14829b3af30762a5b6ced2d0987c9be0b29bb58a4ed53bc88e91b390da4d82
Opcode Fuzzy Hash: 6dd069a723ed98b43e935aeb5d756abbdfcc96babfe103e5b2ec28689d10a00e
Instruction Fuzzy Hash: CE2125B1514248DFDB01DF94E9C4B26FF65FB88328F24857DEA050B246C336E456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0130D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.434425188.000000000130D000.00000040.00000001.sdmp, Offset: 0130D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b98e172286321fedc2f3f4dedaa483d137f26c1d8c9aaedbf198bb79da9574
Instruction ID: ac8b4a0d9e3963300170194b05008140adf8c1f33752aa33b3d15d94fc341016
Opcode Fuzzy Hash: 41b98e172286321fedc2f3f4dedaa483d137f26c1d8c9aaedbf198bb79da9574
Instruction Fuzzy Hash: 4B210371504344DFDB12CF94D8D0B16BBE5FB84368F20C96DE80E4B686C336D806CA61

Uniqueness

Uniqueness Score: -1.00%

Function 012FD4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.434364860.00000000012FD000.00000040.00000001.sdmp, Offset: 012FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8327e2e64201f7ff5ec3366efc7fa298251661c1b1bcdfba362d642d30d07f4
Instruction ID: 6b0cbface8b7704b46abe3e2069fc6521bf51401eb98ff7c9ffa463a17e33147
Opcode Fuzzy Hash: e8327e2e64201f7ff5ec3366efc7fa298251661c1b1bcdfba362d642d30d07f4
Instruction Fuzzy Hash: 7811AF76404284DFCB12CF54D5C4B16FF71FB84324F2486ADDA450B656C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0130D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.434425188.000000000130D000.00000040.00000001.sdmp, Offset: 0130D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ebe7b2157fb8d966aa4ce163667c6cb7f8501b33127e7b45bbdde00a440ac8
Instruction ID: af761584ab3a1632e46825b46e9305dc7277e1155e29770e432aa55b004c6fae
Opcode Fuzzy Hash: 99ebe7b2157fb8d966aa4ce163667c6cb7f8501b33127e7b45bbdde00a440ac8
Instruction Fuzzy Hash: EC11BB75504280DFCB12CF54D9D4B15BFA1FB84328F28C6AAD8494B696C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012FD731, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.434364860.00000000012FD000.00000040.00000001.sdmp, Offset: 012FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b587e738991f0977d8ad72f448d28939af7a8745e0dd914d6bd802b59b256d6
Instruction ID: e0fd47914da1c27f0032553abbe17e990e7ec5ac8a052a0af82ec2614cd38579
Opcode Fuzzy Hash: 0b587e738991f0977d8ad72f448d28939af7a8745e0dd914d6bd802b59b256d6
Instruction Fuzzy Hash: 7301F7724183C89BE7144AA5CC80B67FBDCEF44238F18846EEF045F282C3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 012FD730, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.434364860.00000000012FD000.00000040.00000001.sdmp, Offset: 012FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597797839e4db303e447307133f759c1551a303d50c4e4fa8a34b3e35a56f188
Instruction ID: 5458a8f5820d415987ee068abfc94b59c13fad21f8db029f3d2f926430b31b85
Opcode Fuzzy Hash: 597797839e4db303e447307133f759c1551a303d50c4e4fa8a34b3e35a56f188
Instruction Fuzzy Hash: 22F062724043C89BE7158A19CD84B66FFD8EF81734F18C56EEE485F286C3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 6732 Parent PID: 936 dhcpmon.exeCOMMON

Executed Functions

Function 00DBB740, Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00DBB7B0
GetCurrentThread.KERNEL32 ref: 00DBB7ED
GetCurrentProcess.KERNEL32 ref: 00DBB82A
GetCurrentThreadId.KERNEL32 ref: 00DBB883

Memory Dump Source

Source File: 00000011.00000002.404519536.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 01acc7e9ed9490d6fec2e95f83ef00f89406ff59d9bda073831c309851eb4965
Instruction ID: 3662222676d055f1a65bde3a90b2ff563bd56b38bd06c4b3dbd3b3ed11e0092c
Opcode Fuzzy Hash: 01acc7e9ed9490d6fec2e95f83ef00f89406ff59d9bda073831c309851eb4965
Instruction Fuzzy Hash: EE5164B09002488FDB14CFAAC948BDEBBF4EB49314F24885AE45AA7360DB759944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00DBB750, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00DBB7B0
GetCurrentThread.KERNEL32 ref: 00DBB7ED
GetCurrentProcess.KERNEL32 ref: 00DBB82A
GetCurrentThreadId.KERNEL32 ref: 00DBB883

Memory Dump Source

Source File: 00000011.00000002.404519536.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a6ac230b0d1c18a99ced4139210823a22ce2c840298ed2b173d034cf7a801990
Instruction ID: 1fb04dbf02bcff57baa8e63af88fd88f1fab8db5c5b373da320282aac7a0a752
Opcode Fuzzy Hash: a6ac230b0d1c18a99ced4139210823a22ce2c840298ed2b173d034cf7a801990
Instruction Fuzzy Hash: 1F5154B49002488FDB14CFAAC548BDEBBF4FB48314F24845AE45AA3350DB749944CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00DB9468, Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00DB96AE

Memory Dump Source

Source File: 00000011.00000002.404519536.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 54ab58a16b6edd570e2dbabfd868129422a6d5623b977094fb80729d77313dd2
Instruction ID: 753b0f56aebb689970723b21f2e333524b11c9aed8a6a9f8d8d5dc3bc071cb50
Opcode Fuzzy Hash: 54ab58a16b6edd570e2dbabfd868129422a6d5623b977094fb80729d77313dd2
Instruction Fuzzy Hash: DF712370A00B048FDB24DF69D05079ABBF5FB88314F14892AE58AD7A40DB75E846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DB87A8, Relevance: 1.7, APIs: 1, Instructions: 159libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00DB9729,00000800,00000000,00000000), ref: 00DB993A

Memory Dump Source

Source File: 00000011.00000002.404519536.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c4a80290b83335cf318398a858d4ecfcb8abfb58e78d267422ad6d65ed185ace
Instruction ID: 95a8f094f558748bbffd30b2d953ae2f766d0477c84e2fca4fabcf9d8fe5bcc3
Opcode Fuzzy Hash: c4a80290b83335cf318398a858d4ecfcb8abfb58e78d267422ad6d65ed185ace
Instruction Fuzzy Hash: 3B5133B5D00248DFDB10CFAAC894BDEFBF5EB49314F14802AE95AAB240D7749845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DBFDAC, Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00DBFECA

Memory Dump Source

Source File: 00000011.00000002.404519536.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ad8ba99c6bf9f07b372a17cf5b9f66e89d2fbd80aaef42646464a1888546d330
Instruction ID: 21a23f0dfc703f84f3002d9864eee83ad6f6fb199ea7b948511056a1bd5c84e2
Opcode Fuzzy Hash: ad8ba99c6bf9f07b372a17cf5b9f66e89d2fbd80aaef42646464a1888546d330
Instruction Fuzzy Hash: 9051C0B1D00208DFDB14CFA9C984ADEBBB1FF48314F24852AE419AB210D7759985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00DBFDB8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00DBFECA

Memory Dump Source

Source File: 00000011.00000002.404519536.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9ff8ecad8f91285aebe821e992034ff79402a464d459600145b4c0def01b9ce9
Instruction ID: 40329b248c154d207a3d46d2a48b0077922028c330e78feb154c1adbb9824dc2
Opcode Fuzzy Hash: 9ff8ecad8f91285aebe821e992034ff79402a464d459600145b4c0def01b9ce9
Instruction Fuzzy Hash: 2F41B0B1D00309DFDB14CFAAD884ADEBBB5FF48314F24852AE819AB210D7759985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00DB5365, Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00DB5421

Memory Dump Source

Source File: 00000011.00000002.404519536.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c4387ada5688731d9d7d2014bb4a6ee2ecd44bafb1cf66657af47ec0eb59bb9a
Instruction ID: 66cb2539f89973287578b657527ca12575de5b3b283471f92f835a0e483a720b
Opcode Fuzzy Hash: c4387ada5688731d9d7d2014bb4a6ee2ecd44bafb1cf66657af47ec0eb59bb9a
Instruction Fuzzy Hash: E841E371C00718CFDB24CFA5C884BCEBBB5BF49308F24846AD409AB255DB765949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00DB3E20, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00DB5421

Memory Dump Source

Source File: 00000011.00000002.404519536.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8c9037253c915ad840b14122d2375745e8a43bbfeac89291819be99d85ed6e0c
Instruction ID: b3ae2ccf2143d64097e3dbbc5d52c9a1e0ac8d98ebc6cc7876326be7b6689377
Opcode Fuzzy Hash: 8c9037253c915ad840b14122d2375745e8a43bbfeac89291819be99d85ed6e0c
Instruction Fuzzy Hash: 0941D271C00618CFDB24CFA9C844BDEBBB5BF48308F24806AD409AB255DB765989CF90

Uniqueness

Uniqueness Score: -1.00%

Function 050123E0, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 050124A1

Memory Dump Source

Source File: 00000011.00000002.419326666.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 125600af24a21801e6b3ce902199e93630d9316a73a926019a0dbb3ec13ec26a
Instruction ID: 35ec3fb7479701be452f4a35eca6b8e749cc2773b68a98dbcdb385f56ec5596d
Opcode Fuzzy Hash: 125600af24a21801e6b3ce902199e93630d9316a73a926019a0dbb3ec13ec26a
Instruction Fuzzy Hash: 14412BB8A002058FCB14CF9AC448AAEBBF5FB88314F25C459D959A7321D775A841CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DBB972, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DBB9FF

Memory Dump Source

Source File: 00000011.00000002.404519536.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 80a03574eee676279e763c66251bf1cf125dc32ed2257087027212e68b25032f
Instruction ID: 90e7792f4571dac3dede583d899f08ab015186a8283256c13da4af52ab90ce23
Opcode Fuzzy Hash: 80a03574eee676279e763c66251bf1cf125dc32ed2257087027212e68b25032f
Instruction Fuzzy Hash: 9D21E0B5900208AFDB10CFAAD884ADEBFF8EB49324F14841AE955A3310D375A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DBB978, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DBB9FF

Memory Dump Source

Source File: 00000011.00000002.404519536.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b17d8c80ee778d4b541a2f5827b9fc9d9e3dbe41796c61cfec83837a49982980
Instruction ID: 671a760b2f9136a2792bf0eb3dc41d8f7cd3f8a0e8173177fbfe5729a432c8e2
Opcode Fuzzy Hash: b17d8c80ee778d4b541a2f5827b9fc9d9e3dbe41796c61cfec83837a49982980
Instruction Fuzzy Hash: 0D21C2B5D012489FDB10CFAAD984ADEBBF8EB48324F14841AE955A3310D375A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DB87C0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00DB9729,00000800,00000000,00000000), ref: 00DB993A

Memory Dump Source

Source File: 00000011.00000002.404519536.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ff62f669f3464d5e91376b389c314a79a3acad6328962e3642104dece5c78aee
Instruction ID: 0cab09ae1c0512fdec557a6b90e09af756b2489c494846ecab8c71df1014500c
Opcode Fuzzy Hash: ff62f669f3464d5e91376b389c314a79a3acad6328962e3642104dece5c78aee
Instruction Fuzzy Hash: EC1103B69002499FDB10CF9AC454ADEFBF4EB49324F14842EE55AA7700C375A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DB98CA, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00DB9729,00000800,00000000,00000000), ref: 00DB993A

Memory Dump Source

Source File: 00000011.00000002.404519536.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9be3b689c0ce987cfaae2039f886429315f12df1ea0c4c10474532d30b5c8ed7
Instruction ID: 482492177dc2cef648c64b2b55f3ecc6143822155a1e7d5cc3a8d536017356d4
Opcode Fuzzy Hash: 9be3b689c0ce987cfaae2039f886429315f12df1ea0c4c10474532d30b5c8ed7
Instruction Fuzzy Hash: CB1103B69002499FDB10CFAAC484ADEFBF4EB49324F14842EE559A7200C775A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DB9648, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00DB96AE

Memory Dump Source

Source File: 00000011.00000002.404519536.0000000000DB0000.00000040.00000001.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f677c0f6f021be34d96371ae4d14fcd3eda9e097920e43cd2c2bb72fb30ef37d
Instruction ID: e61fcbcc97f8e3e3993215e7308ef83da92f09ab36ff3c67da66b4751cfa8875
Opcode Fuzzy Hash: f677c0f6f021be34d96371ae4d14fcd3eda9e097920e43cd2c2bb72fb30ef37d
Instruction Fuzzy Hash: 5A11E0B6D006498FCB10DF9AC844BDEFBF4EB89324F14842AD52AA7700D775A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05010070, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 050100CD

Memory Dump Source

Source File: 00000011.00000002.419326666.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: f3bfcbacaa6d5dccbe227c8c530bd798c750ef0f0a1796f51448ff821fbffc07
Instruction ID: 9842df5436b5883cd88790161842e2efe111d5ce5dd0be0fac51ac1db4aefe63
Opcode Fuzzy Hash: f3bfcbacaa6d5dccbe227c8c530bd798c750ef0f0a1796f51448ff821fbffc07
Instruction Fuzzy Hash: 641115B59002088FDB10CF9AD588BDEBBF8EB48324F20851AE955A3300D375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05010068, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 050100CD

Memory Dump Source

Source File: 00000011.00000002.419326666.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b1e578117a1980ca692a140f8da807bb13cbe67a33a5a38791c6b9d54e59dd77
Instruction ID: 748f4507d7dd4fbd05dc68530fe37bf69162b3cc4f40fdcc32c64796063ca2b8
Opcode Fuzzy Hash: b1e578117a1980ca692a140f8da807bb13cbe67a33a5a38791c6b9d54e59dd77
Instruction Fuzzy Hash: C21115B59002098FDB10CF99D589BDEBBF4FB48324F20851AE959B7300D375A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D5D4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.404342483.0000000000D5D000.00000040.00000001.sdmp, Offset: 00D5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e899addcc3decd4b9cf79e1541186060765d37b319102b7e0ab613e166c8b8e
Instruction ID: 4b62bb2a5557727ac340070c5324b3669a5db33e5996b2ac73acc9bad78cfc6d
Opcode Fuzzy Hash: 4e899addcc3decd4b9cf79e1541186060765d37b319102b7e0ab613e166c8b8e
Instruction Fuzzy Hash: D2210371504244DFCF21DF10D9C0B26BF66FB88329F348569EC450B246D336D85ADAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D6D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.404381574.0000000000D6D000.00000040.00000001.sdmp, Offset: 00D6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089e6c95fc2262767ca5071ece378cfa70eeba2ed7bdcaf9a4c2d14a776b47e7
Instruction ID: fda8b661ab4976baec7673e72cc7c2b9039f3d11ff97fb9643e658c42f2fd210
Opcode Fuzzy Hash: 089e6c95fc2262767ca5071ece378cfa70eeba2ed7bdcaf9a4c2d14a776b47e7
Instruction Fuzzy Hash: 5621C575A04344DFDB14DF14E9C4B16BB66FB88314F24C96DE8494B246C737D846CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00D6D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.404381574.0000000000D6D000.00000040.00000001.sdmp, Offset: 00D6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ffb4b26cfc8f19e65f6399f85eb27837d8145271dff7d12afd26811cf52240
Instruction ID: f4ac48adf9d313ac350b6ead0cb8c8813c61ce1b0e379c3566c206ac70617d91
Opcode Fuzzy Hash: c2ffb4b26cfc8f19e65f6399f85eb27837d8145271dff7d12afd26811cf52240
Instruction Fuzzy Hash: 4D2192755093C08FCB02CF20D994B15BF72EB46314F28C5EBD8498B697C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D5D4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.404342483.0000000000D5D000.00000040.00000001.sdmp, Offset: 00D5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8327e2e64201f7ff5ec3366efc7fa298251661c1b1bcdfba362d642d30d07f4
Instruction ID: 0a92c439285c19c46ae60735aa1ee81a4e62af51894236dd61ffce304bf0c0af
Opcode Fuzzy Hash: e8327e2e64201f7ff5ec3366efc7fa298251661c1b1bcdfba362d642d30d07f4
Instruction Fuzzy Hash: 3111AF76404280DFCF11CF10D5C4B16BF72FB95324F2886A9DC450B656C336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D5D731, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.404342483.0000000000D5D000.00000040.00000001.sdmp, Offset: 00D5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8939138e09d01c1dbf2f06a1ba6fad0a93cdd19bbe4ca0d989345c4e717cda84
Instruction ID: ec2127688bb48147aefe6e02017f0b1c391a2d89706f658081fa5f64389419c6
Opcode Fuzzy Hash: 8939138e09d01c1dbf2f06a1ba6fad0a93cdd19bbe4ca0d989345c4e717cda84
Instruction Fuzzy Hash: 2201F7714083449BEB204A21CCC07A7FB98EF48339F28845AED465B282D779D848C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D5D730, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.404342483.0000000000D5D000.00000040.00000001.sdmp, Offset: 00D5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 639139a4bbd9f272e395ac44aab73ceefb9fbb5460e1d10448671b0f7ba3e6ee
Instruction ID: 2e603d42ed40ed7f07eb7ad1ee0f18a8de197843e9e293bda7c4479e4a4e3310
Opcode Fuzzy Hash: 639139a4bbd9f272e395ac44aab73ceefb9fbb5460e1d10448671b0f7ba3e6ee
Instruction Fuzzy Hash: A7F0C8714043449BEB208A15CCC4766FF98DB45335F18C45AED090F282C3759C48CA71

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 7072 Parent PID: 3440 dhcpmon.exeCOMMON

Executed Functions

Function 010BB740, Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 010BB7B0
GetCurrentThread.KERNEL32 ref: 010BB7ED
GetCurrentProcess.KERNEL32 ref: 010BB82A
GetCurrentThreadId.KERNEL32 ref: 010BB883

Memory Dump Source

Source File: 00000013.00000002.426479775.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: bc4667dc68d0b3a526e1f0e6950ceb9b60fd502c5156b7315e1f1316f35c9554
Instruction ID: 8b3e2e396c769422519d79ca0857f49832e72bf05f026fdcbae35029c17aa30e
Opcode Fuzzy Hash: bc4667dc68d0b3a526e1f0e6950ceb9b60fd502c5156b7315e1f1316f35c9554
Instruction Fuzzy Hash: A95177B09017888FDB18CFAAC5887DEBFF0FF49314F2484AAE469A7260C7745944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 010BB750, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 010BB7B0
GetCurrentThread.KERNEL32 ref: 010BB7ED
GetCurrentProcess.KERNEL32 ref: 010BB82A
GetCurrentThreadId.KERNEL32 ref: 010BB883

Memory Dump Source

Source File: 00000013.00000002.426479775.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f679f35f8827f18ca8e34990fb27794e6a1d5dc7bc636b6fe35e4e640baaeb8b
Instruction ID: fa3e837b0b40bf0e1479c305b3707f672c725fef55a32b707bbe43ab8d44ab3c
Opcode Fuzzy Hash: f679f35f8827f18ca8e34990fb27794e6a1d5dc7bc636b6fe35e4e640baaeb8b
Instruction Fuzzy Hash: E75165B09006488FDB18CFAAC588BDEBBF4FF49314F248869E469A3250C7746944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 010B9468, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010B96AE

Strings

\P, xrefs: 010B960B
\P, xrefs: 010B95E6

Memory Dump Source

Source File: 00000013.00000002.426479775.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: HandleModule
String ID: \P$\P
API String ID: 4139908857-3576454277
Opcode ID: 6b57d89f0b56a7849a5ae055aa316d9a201408a666957960d2da4b379bd11468
Instruction ID: 4575aacb709705b8ff43c9ba7ceb2c2f34aad22d85d7b0d30b82477990e0e70e
Opcode Fuzzy Hash: 6b57d89f0b56a7849a5ae055aa316d9a201408a666957960d2da4b379bd11468
Instruction Fuzzy Hash: 647136B0A00B058FD764CF69D09079ABBF5BF88318F00892ED586D7A50DB35E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 010BFDAC, Relevance: 1.6, APIs: 1, Instructions: 120COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010BFECA

Memory Dump Source

Source File: 00000013.00000002.426479775.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 860307cfe4a1c02bcde44341eb9704c2f0c12e054d31b922f1ac96659f10da76
Instruction ID: d922c5393191a2d45de3d92b3546a5920f15ae050b0d16eea0c615d0ffb8b14e
Opcode Fuzzy Hash: 860307cfe4a1c02bcde44341eb9704c2f0c12e054d31b922f1ac96659f10da76
Instruction Fuzzy Hash: E551DFB1D003099FDB14CFAAC884ADEBFB5FF48714F24856AE419AB210D774A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010BFDB8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010BFECA

Memory Dump Source

Source File: 00000013.00000002.426479775.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4f3ef76e693dfdc7a5e6842b081873fd64f37da90342e954ea763172105c26f5
Instruction ID: 2006e5284b7b5d8767be62019eded76d3639ae9be2b7435029d8a209b96287d7
Opcode Fuzzy Hash: 4f3ef76e693dfdc7a5e6842b081873fd64f37da90342e954ea763172105c26f5
Instruction Fuzzy Hash: 4F41AEB1D002099FDB14CFAAD884ADEBFF5BF48714F24852AE419AB210D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010B5365, Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 010B5421

Memory Dump Source

Source File: 00000013.00000002.426479775.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f04cabb0f62401774ebdbd26c65aaac04cbbfe9c71e8c03784d2b43af080b05a
Instruction ID: bfd7e9e0e6ee5b61a52f72a36993b910a975151e2e109a1b90609fc7c0da6f22
Opcode Fuzzy Hash: f04cabb0f62401774ebdbd26c65aaac04cbbfe9c71e8c03784d2b43af080b05a
Instruction Fuzzy Hash: 7A41E071D04218CFDB24CFAAC8847DEBBF5BF49308F2480AAD458AB251DB75594ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 010B3E20, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 010B5421

Memory Dump Source

Source File: 00000013.00000002.426479775.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 37ccc47737de1d2685a9c81c2fcc1e44d3c3d2475a55feed00210f8ae660268d
Instruction ID: 8cd3b4c1b57c30c88981f5b2d077206c9ccc41a3338eac1678d8a3aa6e23afaf
Opcode Fuzzy Hash: 37ccc47737de1d2685a9c81c2fcc1e44d3c3d2475a55feed00210f8ae660268d
Instruction Fuzzy Hash: 0D41E371D04618CFDB24CFA9C884BCEBBF5BF48308F2484AAD418AB251DB756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010BB973, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010BB9FF

Memory Dump Source

Source File: 00000013.00000002.426479775.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 63cfb7f96a21ba5610a2b78354003ecdc3cefd7940477903f22c1b05f3719528
Instruction ID: a663c368bed09cd51366b2268be0e90d3352bb9709674b578216536a81415c6e
Opcode Fuzzy Hash: 63cfb7f96a21ba5610a2b78354003ecdc3cefd7940477903f22c1b05f3719528
Instruction Fuzzy Hash: 7321D2B5D002489FDB50CFA9D484AEEBFF8EB49324F14841AE955A3310D379A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010BB978, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010BB9FF

Memory Dump Source

Source File: 00000013.00000002.426479775.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ef23c18e33a286ef4e0abfe4de595043a29fae445cca3cc35e0b73a7d9cfa212
Instruction ID: a0bdb27673f4c0c2c735390cf20f97d8d2364d3d32a4401389c2f114effdc97f
Opcode Fuzzy Hash: ef23c18e33a286ef4e0abfe4de595043a29fae445cca3cc35e0b73a7d9cfa212
Instruction Fuzzy Hash: 5721C2B5D002489FDB10CFAAD984ADEBFF8EB48324F14841AE954B3310D378A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 010B87C0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010B9729,00000800,00000000,00000000), ref: 010B993A

Memory Dump Source

Source File: 00000013.00000002.426479775.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 18ad62aa1a7302b94225fe62e2890cd34d8b0a544368200a918318f8c69a210e
Instruction ID: b2957c2afccd33e60c104f30f3ef1ff4743834a8f5ca0ac5ed918fe6ac0aa6c8
Opcode Fuzzy Hash: 18ad62aa1a7302b94225fe62e2890cd34d8b0a544368200a918318f8c69a210e
Instruction Fuzzy Hash: C71114B69002099FDB50CF9AD484BDEFBF4EB49324F14842EE659B7200C374A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 010B98CC, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010B9729,00000800,00000000,00000000), ref: 010B993A

Memory Dump Source

Source File: 00000013.00000002.426479775.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 41099f32a14012f8901faa56049d7d243db032ea159e854d896159a4839b8483
Instruction ID: 5d2a5a86ac2280bc1e120fb0033de9c9029355be5ea8c901b216d7d8c02dd616
Opcode Fuzzy Hash: 41099f32a14012f8901faa56049d7d243db032ea159e854d896159a4839b8483
Instruction Fuzzy Hash: 781114B69002099FDB10CFAAD484BDEFBF4EB49324F14842AE555B7200C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06CE4358, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 06CE43B8

Memory Dump Source

Source File: 00000013.00000002.431341128.0000000006CE0000.00000040.00000001.sdmp, Offset: 06CE0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 42410a8cf5bff0dad6ef763f798c8de83e86c8db6497a0e2e767e5ddc0b716e8
Instruction ID: c3f0b7dd36621efd6aa9ecc65ba4bc5cc74ee75f4864c98dc25957e2967af189
Opcode Fuzzy Hash: 42410a8cf5bff0dad6ef763f798c8de83e86c8db6497a0e2e767e5ddc0b716e8
Instruction Fuzzy Hash: 7711B8B68003088FDB10CF99C449BEEBFF4EB88324F10842ADA54A7300C738A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 06CE2758, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06CE27BD

Memory Dump Source

Source File: 00000013.00000002.431341128.0000000006CE0000.00000040.00000001.sdmp, Offset: 06CE0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fcc5c25592d6b428e93be8bef09a7e10558a10e92ec95b1cbab9e433431a4225
Instruction ID: de2b8e7a831b3afc836ca6508b3346a0de022f7d43aeabaacab8d4f1263e870b
Opcode Fuzzy Hash: fcc5c25592d6b428e93be8bef09a7e10558a10e92ec95b1cbab9e433431a4225
Instruction Fuzzy Hash: 321106B68002098FDB50CF99D985BDFBBF8EB48324F14841AE554A7600C378A644CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06CE4360, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 06CE43B8

Memory Dump Source

Source File: 00000013.00000002.431341128.0000000006CE0000.00000040.00000001.sdmp, Offset: 06CE0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 19b82a3a5679acd1a41d104f828b18e027d031cc165040be3a7bc22c543ca2a5
Instruction ID: 16a7a6ec38c54c89a256a3775b838ce4497e25f520a3ad1ef3e8332720d67f3b
Opcode Fuzzy Hash: 19b82a3a5679acd1a41d104f828b18e027d031cc165040be3a7bc22c543ca2a5
Instruction Fuzzy Hash: 991145B19002098FCB10CF9AC489BDEBBF4EB48324F24842AD558A7340C778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 010B9648, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010B96AE

Memory Dump Source

Source File: 00000013.00000002.426479775.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3663462f15154c7a4d03d3225302874bb0ba4e3d5eb12780e75004b6bd0c3263
Instruction ID: 766244358155f4927201de6b94937c4c4fbd3a56c389cf8c9531f356ba368ef2
Opcode Fuzzy Hash: 3663462f15154c7a4d03d3225302874bb0ba4e3d5eb12780e75004b6bd0c3263
Instruction Fuzzy Hash: 421110B6D002098FDB10CF9AC484BDEFBF4EB89328F14842AD569A7200C378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06CE2760, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06CE27BD

Memory Dump Source

Source File: 00000013.00000002.431341128.0000000006CE0000.00000040.00000001.sdmp, Offset: 06CE0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b6dcd6b4a2bd2f7af0eac0f29f273e5a4922f8313ba39cade985b78d63758177
Instruction ID: 3ecbe7ae256dcb4366430546a65e1f9dda3bc68b9dc315fdc175871d629e0375
Opcode Fuzzy Hash: b6dcd6b4a2bd2f7af0eac0f29f273e5a4922f8313ba39cade985b78d63758177
Instruction Fuzzy Hash: 1E11E5B59003499FDB50CF9AD885BDFBFF8EB48324F24841AE555A7600C378A644CFA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report tj9KzQvUFy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts