Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
ZgzIenrtf5.exe

Overview

General Information

Sample Name:ZgzIenrtf5.exe
Analysis ID:560236
MD5:03efbc1aa782599e235f4c1b0303ffb1
SHA1:3877473e9e9014bc8eee7782dc81345772e832f9
SHA256:c5d68d3abd9d6f9b094ea1bdb064ca709cc54de13f86856c4ffe34c64148c87c
Tags:exeNanoCoreRAT
Infos:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Yara detected Nanocore RAT
Machine Learning detection for sample
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Internet Provider seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports

Classification

Process Tree

  • System is w10x64
  • ZgzIenrtf5.exe (PID: 3764 cmdline: "C:\Users\user\Desktop\ZgzIenrtf5.exe" MD5: 03EFBC1AA782599E235F4C1B0303FFB1)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "4189f41b-a3e5-405b-b524-4758becc", "Group": "2022", "Domain1": "107.173.60.45", "Domain2": "sys2021.linkpc.net", "Port": 54955, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
ZgzIenrtf5.exeNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
ZgzIenrtf5.exeNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
ZgzIenrtf5.exeJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    ZgzIenrtf5.exeNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0xfef5:$a: NanoCore
    • 0xff05:$a: NanoCore
    • 0x10139:$a: NanoCore
    • 0x1014d:$a: NanoCore
    • 0x1018d:$a: NanoCore
    • 0xff54:$b: ClientPlugin
    • 0x10156:$b: ClientPlugin
    • 0x10196:$b: ClientPlugin
    • 0x1007b:$c: ProjectData
    • 0x10a82:$d: DESCrypto
    • 0x1844e:$e: KeepAlive
    • 0x1643c:$g: LogClientMessage
    • 0x12637:$i: get_Connected
    • 0x10db8:$j: #=q
    • 0x10de8:$j: #=q
    • 0x10e04:$j: #=q
    • 0x10e34:$j: #=q
    • 0x10e50:$j: #=q
    • 0x10e6c:$j: #=q
    • 0x10e9c:$j: #=q
    • 0x10eb8:$j: #=q

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xff8d:$x1: NanoCore.ClientPluginHost
    • 0xffca:$x2: IClientNetworkHost
    • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
      • 0xfcf5:$a: NanoCore
      • 0xfd05:$a: NanoCore
      • 0xff39:$a: NanoCore
      • 0xff4d:$a: NanoCore
      • 0xff8d:$a: NanoCore
      • 0xfd54:$b: ClientPlugin
      • 0xff56:$b: ClientPlugin
      • 0xff96:$b: ClientPlugin
      • 0xfe7b:$c: ProjectData
      • 0x10882:$d: DESCrypto
      • 0x1824e:$e: KeepAlive
      • 0x1623c:$g: LogClientMessage
      • 0x12437:$i: get_Connected
      • 0x10bb8:$j: #=q
      • 0x10be8:$j: #=q
      • 0x10c04:$j: #=q
      • 0x10c34:$j: #=q
      • 0x10c50:$j: #=q
      • 0x10c6c:$j: #=q
      • 0x10c9c:$j: #=q
      • 0x10cb8:$j: #=q
      00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
      • 0x170a:$a: NanoCore
      • 0x172f:$a: NanoCore
      • 0x1788:$a: NanoCore
      • 0x11925:$a: NanoCore
      • 0x1194b:$a: NanoCore
      • 0x119a7:$a: NanoCore
      • 0x1e7fc:$a: NanoCore
      • 0x1e855:$a: NanoCore
      • 0x1e888:$a: NanoCore
      • 0x1eab4:$a: NanoCore
      • 0x1eb30:$a: NanoCore
      • 0x1f149:$a: NanoCore
      • 0x1f292:$a: NanoCore
      • 0x1f766:$a: NanoCore
      • 0x1fa4d:$a: NanoCore
      • 0x1fa64:$a: NanoCore
      • 0x22ded:$a: NanoCore
      • 0x241a7:$a: NanoCore
      • 0x241f1:$a: NanoCore
      • 0x24e4b:$a: NanoCore
      • 0x2a430:$a: NanoCore
      Process Memory Space: ZgzIenrtf5.exe PID: 3764Nanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x99a3d:$x1: NanoCore.ClientPluginHost
      • 0x111ad1:$x1: NanoCore.ClientPluginHost
      • 0x99a67:$x2: IClientNetworkHost
      • 0x111b0e:$x2: IClientNetworkHost
      • 0x1155ff:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      • 0x120685:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      Click to see the 2 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      0.3.ZgzIenrtf5.exe.45dcda6.1.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x6da5:$x1: NanoCore.ClientPluginHost
      • 0x6dd2:$x2: IClientNetworkHost
      0.3.ZgzIenrtf5.exe.45dcda6.1.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0x6da5:$x2: NanoCore.ClientPluginHost
      • 0x7d74:$s2: FileCommand
      • 0xc776:$s4: PipeCreated
      • 0x6dbf:$s5: IClientLoggingHost
      0.3.ZgzIenrtf5.exe.45f6dff.2.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x3831:$x1: NanoCore.ClientPluginHost
      • 0x386a:$x2: IClientNetworkHost
      0.3.ZgzIenrtf5.exe.45f6dff.2.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0x3831:$x2: NanoCore.ClientPluginHost
      • 0x394c:$s4: PipeCreated
      • 0x384b:$s5: IClientLoggingHost
      0.0.ZgzIenrtf5.exe.ae0000.0.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      Click to see the 6 entries

      Sigma Overview

      AV Detection

      barindex
      Sigma detected: NanoCore
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\ZgzIenrtf5.exe, ProcessId: 3764, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      E-Banking Fraud

      barindex
      Sigma detected: NanoCore
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\ZgzIenrtf5.exe, ProcessId: 3764, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Stealing of Sensitive Information

      barindex
      Sigma detected: NanoCore
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\ZgzIenrtf5.exe, ProcessId: 3764, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Remote Access Functionality

      barindex
      Sigma detected: NanoCore
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\ZgzIenrtf5.exe, ProcessId: 3764, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Jbx Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Found malware configuration
      Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpackMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "4189f41b-a3e5-405b-b524-4758becc", "Group": "2022", "Domain1": "107.173.60.45", "Domain2": "sys2021.linkpc.net", "Port": 54955, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
      Multi AV Scanner detection for submitted file
      Source: ZgzIenrtf5.exeVirustotal: Detection: 86%Perma Link
      Source: ZgzIenrtf5.exeMetadefender: Detection: 85%Perma Link
      Source: ZgzIenrtf5.exeReversingLabs: Detection: 100%
      Antivirus / Scanner detection for submitted sample
      Source: ZgzIenrtf5.exeAvira: detected
      Antivirus detection for URL or domain
      Source: 107.173.60.45Avira URL Cloud: Label: malware
      Yara detected Nanocore RAT
      Source: Yara matchFile source: ZgzIenrtf5.exe, type: SAMPLE
      Source: Yara matchFile source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTR
      Machine Learning detection for sample
      Source: ZgzIenrtf5.exeJoe Sandbox ML: detected
      Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: ZgzIenrtf5.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp

      Networking

      barindex
      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49760 -> 107.173.60.45:54955
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49764 -> 107.173.60.45:54955
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49765 -> 107.173.60.45:54955
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49766 -> 107.173.60.45:54955
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49767 -> 107.173.60.45:54955
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49770 -> 107.173.60.45:54955
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49771 -> 107.173.60.45:54955
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49772 -> 107.173.60.45:54955
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49773 -> 107.173.60.45:54955
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49780 -> 107.173.60.45:54955
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49782 -> 107.173.60.45:54955
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49790 -> 107.173.60.45:54955
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49792 -> 107.173.60.45:54955
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49800 -> 107.173.60.45:54955
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49816 -> 107.173.60.45:54955
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49833 -> 107.173.60.45:54955
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49835 -> 107.173.60.45:54955
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49836 -> 107.173.60.45:54955
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49851 -> 107.173.60.45:54955
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49864 -> 107.173.60.45:54955
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49865 -> 107.173.60.45:54955
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49866 -> 107.173.60.45:54955
      C2 URLs / IPs found in malware configuration
      Source: Malware configuration extractorURLs: 107.173.60.45
      Source: Malware configuration extractorURLs: sys2021.linkpc.net
      Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
      Source: global trafficTCP traffic: 192.168.2.7:49760 -> 107.173.60.45:54955
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: unknownTCP traffic detected without corresponding DNS query: 107.173.60.45
      Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://google.com

      E-Banking Fraud

      barindex
      Yara detected Nanocore RAT
      Source: Yara matchFile source: ZgzIenrtf5.exe, type: SAMPLE
      Source: Yara matchFile source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTR

      System Summary

      barindex
      Malicious sample detected (through community Yara rule)
      Source: ZgzIenrtf5.exe, type: SAMPLEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: ZgzIenrtf5.exe, type: SAMPLEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.3.ZgzIenrtf5.exe.45dcda6.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.3.ZgzIenrtf5.exe.45f6dff.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.3.ZgzIenrtf5.exe.45dcda6.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.3.ZgzIenrtf5.exe.45f6dff.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.3.ZgzIenrtf5.exe.45f13d1.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: ZgzIenrtf5.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
      Source: ZgzIenrtf5.exe, type: SAMPLEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: ZgzIenrtf5.exe, type: SAMPLEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: ZgzIenrtf5.exe, type: SAMPLEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.3.ZgzIenrtf5.exe.45dcda6.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.3.ZgzIenrtf5.exe.45dcda6.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.3.ZgzIenrtf5.exe.45f6dff.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.3.ZgzIenrtf5.exe.45f6dff.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.3.ZgzIenrtf5.exe.45dcda6.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.3.ZgzIenrtf5.exe.45f6dff.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.3.ZgzIenrtf5.exe.45f13d1.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs ZgzIenrtf5.exe
      Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs ZgzIenrtf5.exe
      Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs ZgzIenrtf5.exe
      Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs ZgzIenrtf5.exe
      Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs ZgzIenrtf5.exe
      Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs ZgzIenrtf5.exe
      Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs ZgzIenrtf5.exe
      Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs ZgzIenrtf5.exe
      Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs ZgzIenrtf5.exe
      Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs ZgzIenrtf5.exe
      Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs ZgzIenrtf5.exe
      Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs ZgzIenrtf5.exe
      Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs ZgzIenrtf5.exe
      Source: ZgzIenrtf5.exeStatic PE information: Section: .rsrc ZLIB complexity 0.999866071429
      Source: ZgzIenrtf5.exeVirustotal: Detection: 86%
      Source: ZgzIenrtf5.exeMetadefender: Detection: 85%
      Source: ZgzIenrtf5.exeReversingLabs: Detection: 100%
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeFile read: C:\Users\user\Desktop\ZgzIenrtf5.exeJump to behavior
      Source: ZgzIenrtf5.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeFile created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9AJump to behavior
      Source: classification engineClassification label: mal100.troj.evad.winEXE@1/5@0/1
      Source: ZgzIenrtf5.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: ZgzIenrtf5.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{4189f41b-a3e5-405b-b524-4758beccda47}
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: ZgzIenrtf5.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: ZgzIenrtf5.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: ZgzIenrtf5.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
      Source: ZgzIenrtf5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp

      Data Obfuscation

      barindex
      .NET source code contains potential unpacker
      Source: ZgzIenrtf5.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: ZgzIenrtf5.exe, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: ZgzIenrtf5.exe, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: ZgzIenrtf5.exe, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

      Hooking and other Techniques for Hiding and Protection

      barindex
      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeFile opened: C:\Users\user\Desktop\ZgzIenrtf5.exe:Zone.Identifier read attributes | deleteJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exe TID: 6196Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWindow / User API: foregroundWindowGot 681Jump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWindow / User API: foregroundWindowGot 709Jump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: ZgzIenrtf5.exe, 00000000.00000003.428666489.0000000001239000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.345115199.0000000001230000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.310965222.0000000001230000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.327147578.0000000001239000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.377753622.0000000001230000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.345264925.0000000001239000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeMemory allocated: page read and write | page guardJump to behavior
      Source: ZgzIenrtf5.exe, 00000000.00000003.377753622.0000000001230000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managern has been aborted because of either a thread exit or an application request.
      Source: ZgzIenrtf5.exe, 00000000.00000003.267807619.000000000127A000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.428823908.0000000001275000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.311041106.0000000001275000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.345144821.0000000001265000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.428666489.0000000001239000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.268003698.000000000127A000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.269915949.000000000127A000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.269371251.000000000127A000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.264789773.0000000001279000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.264327717.0000000001279000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.266555878.0000000001279000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.327181994.0000000001265000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.311025603.0000000001265000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.269207163.000000000127A000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.416726966.000000000125C000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.271493996.000000000127A000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.270074289.000000000127A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\ZgzIenrtf5.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

      Stealing of Sensitive Information

      barindex
      Yara detected Nanocore RAT
      Source: Yara matchFile source: ZgzIenrtf5.exe, type: SAMPLE
      Source: Yara matchFile source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTR

      Remote Access Functionality

      barindex
      Detected Nanocore Rat
      Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: ZgzIenrtf5.exe, 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ZgzIenrtf5.exeString found in binary or memory: NanoCore.ClientPluginHost
      Yara detected Nanocore RAT
      Source: Yara matchFile source: ZgzIenrtf5.exe, type: SAMPLE
      Source: Yara matchFile source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTR

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid Accounts1
      Windows Management Instrumentation      		Path Interception1
      Process Injection      		1
      Masquerading      		OS Credential Dumping11
      Security Software Discovery      		Remote Services1
      Archive Collected Data      		Exfiltration Over Other Network Medium1
      Non-Standard Port      		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
      Disable or Modify Tools      		LSASS Memory2
      Process Discovery      		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
      Remote Access Software      		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)21
      Virtualization/Sandbox Evasion      		Security Account Manager21
      Virtualization/Sandbox Evasion      		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
      Application Layer Protocol      		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
      Process Injection      		NTDS1
      Application Window Discovery      		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
      Deobfuscate/Decode Files or Information      		LSA Secrets2
      System Information Discovery      		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.common1
      Hidden Files and Directories      		Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
      External Remote ServicesScheduled TaskStartup ItemsStartup Items12
      Software Packing      		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      ZgzIenrtf5.exe87%VirustotalBrowse
      ZgzIenrtf5.exe85%MetadefenderBrowse
      ZgzIenrtf5.exe100%ReversingLabsByteCode-MSIL.Backdoor.NanoCore
      ZgzIenrtf5.exe100%AviraTR/Dropper.MSIL.Gen7
      ZgzIenrtf5.exe100%Joe Sandbox ML

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      SourceDetectionScannerLabelLinkDownload
      0.0.ZgzIenrtf5.exe.ae0000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      107.173.60.451%VirustotalBrowse
      107.173.60.45100%Avira URL Cloudmalware

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      107.173.60.45true
      • 1%, Virustotal, Browse
      • Avira URL Cloud: malware
      		unknown
      sys2021.linkpc.netfalse
        		high

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        http://google.comZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmpfalse
          		high

          World Map of Contacted IPs

          • No. of IPs < 25%
          • 25% < No. of IPs < 50%
          • 50% < No. of IPs < 75%
          • 75% < No. of IPs

          Public IPs

          IPDomainCountryFlagASNASN NameMalicious
          107.173.60.45
          		unknownUnited States
          		36352AS-COLOCROSSINGUStrue

          General Information

          Joe Sandbox Version:34.0.0 Boulder Opal
          Analysis ID:560236
          Start date:26.01.2022
          Start time:09:45:02
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 6m 16s
          Hypervisor based Inspection enabled:false
          Report type:full
          Sample file name:ZgzIenrtf5.exe
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of analysed new started processes analysed:22
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@1/5@0/1
          EGA Information:Failed
          HDC Information:Failed
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe

          Warnings

          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
          • Excluded IPs from analysis (whitelisted): 23.211.6.115
          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
          • Not all processes where analyzed, report is missing behavior information

          Simulations

          Behavior and APIs

          TimeTypeDescription
          09:46:06API Interceptor972x Sleep call for process: ZgzIenrtf5.exe modified

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASNs

          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
          AS-COLOCROSSINGUSINV_20222401 JANUARY SOA.xlsxGet hashmaliciousBrowse
          • 172.245.27.36
          18022020135702-2200.xlsxGet hashmaliciousBrowse
          • 107.173.229.131
          SEM MINERALS L.P. Y2022.xlsxGet hashmaliciousBrowse
          • 198.12.127.206
          Documents874399.xlsxGet hashmaliciousBrowse
          • 198.144.176.240
          RFQ No.60078.xlsxGet hashmaliciousBrowse
          • 192.3.180.39
          FUGRO MERIDIAN Non Coded food.xlsxGet hashmaliciousBrowse
          • 198.12.107.201
          48DKcXRBdVGet hashmaliciousBrowse
          • 172.245.158.140
          wwpuQwBz3pGet hashmaliciousBrowse
          • 172.245.158.140
          Bz2qBOhqDCGet hashmaliciousBrowse
          • 172.245.158.140
          aeoAiXWTBsGet hashmaliciousBrowse
          • 172.245.158.140
          w2B3FR7ObNGet hashmaliciousBrowse
          • 172.245.158.140
          9AaqI1z2OPGet hashmaliciousBrowse
          • 172.245.158.140
          2YXO62T9XwGet hashmaliciousBrowse
          • 172.245.158.140
          WyctTTdQYOGet hashmaliciousBrowse
          • 172.245.158.140
          l7anbpaMW6Get hashmaliciousBrowse
          • 172.245.158.140
          Order Confirmation 45980.xlsxGet hashmaliciousBrowse
          • 198.144.176.240
          84lvpOxberGet hashmaliciousBrowse
          • 172.245.158.140
          Company profile.xlsxGet hashmaliciousBrowse
          • 192.3.146.154
          zNwwZUz7LiGet hashmaliciousBrowse
          • 172.245.158.140
          7nY11P6Y2OGet hashmaliciousBrowse
          • 172.245.158.140

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

          Download File
          Process:C:\Users\user\Desktop\ZgzIenrtf5.exe
          File Type:data
          Category:dropped
          Size (bytes):232
          Entropy (8bit):7.089541637477408
          Encrypted:false
          SSDEEP:3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
          MD5:9E7D0351E4DF94A9B0BADCEB6A9DB963
          SHA1:76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
          SHA-256:AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
          SHA-512:93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
          Malicious:false
          Reputation:moderate, very likely benign file
          Preview:Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

          Download File
          Process:C:\Users\user\Desktop\ZgzIenrtf5.exe
          File Type:ISO-8859 text, with no line terminators
          Category:dropped
          Size (bytes):8
          Entropy (8bit):3.0
          Encrypted:false
          SSDEEP:3:dfl:d9
          MD5:74D04D3CBC86F9FA0D26B5D5CA6F3765
          SHA1:EF3A51C5729BF22CFB8B1AECDC51063879D1170A
          SHA-256:7F87D5B04B82515C9271FC7746408DBB028581F2F0EDA62599FDE036B80E8516
          SHA-512:3F8E9260A3942BD6E0FEC80DFDD92471AB1A0A7B6DF6D7D502DD8A059F132AE804EF04AAC473862EC7E14DF1725EA777D0276A7975B8AD1D94324352B6F72250
          Malicious:true
          Reputation:low
          Preview:{.....H

          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak

          Download File
          Process:C:\Users\user\Desktop\ZgzIenrtf5.exe
          File Type:data
          Category:dropped
          Size (bytes):24
          Entropy (8bit):4.501629167387823
          Encrypted:false
          SSDEEP:3:9bzY6oRDIvYk:RzWDI3
          MD5:ACD3FB4310417DC77FE06F15B0E353E6
          SHA1:80E7002E655EB5765FDEB21114295CB96AD9D5EB
          SHA-256:DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
          SHA-512:DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
          Malicious:false
          Reputation:moderate, very likely benign file
          Preview:9iH...}Z.4..f..J".C;"a

          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

          Download File
          Process:C:\Users\user\Desktop\ZgzIenrtf5.exe
          File Type:data
          Category:dropped
          Size (bytes):40
          Entropy (8bit):5.153055907333276
          Encrypted:false
          SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
          MD5:4E5E92E2369688041CC82EF9650EDED2
          SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
          SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
          SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
          Malicious:false
          Reputation:moderate, very likely benign file
          Preview:9iH...}Z.4..f.~a........~.~.......3.U.

          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

          Download File
          Process:C:\Users\user\Desktop\ZgzIenrtf5.exe
          File Type:data
          Category:dropped
          Size (bytes):426832
          Entropy (8bit):7.999527918131335
          Encrypted:true
          SSDEEP:6144:zKfHbamD8WN+JQYrjM7Ei2CsFJjyh9zvgPonV5HqZcPVT4Eb+Z6no3QSzjeMsdF/:zKf137EiDsTjevgArYcPVLoTQS+0iv
          MD5:653DDDCB6C89F6EC51F3DDC0053C5914
          SHA1:4CF7E7D42495CE01C261E4C5C4B8BF6CD76CCEE5
          SHA-256:83B9CAE66800C768887FB270728F6806CBEBDEAD9946FA730F01723847F17FF9
          SHA-512:27A467F2364C21CD1C6C34EF1CA5FFB09B4C3180FC9C025E293374EB807E4382108617BB4B97F8EBBC27581CD6E5988BB5E21276B3CB829C1C0E49A6FC9463A0
          Malicious:false
          Reputation:moderate, very likely benign file
          Preview:..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h*...J4*...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.*h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H........*...OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........*X...b*Z...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Entropy (8bit):7.44950897695562
          TrID:
          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          • Win32 Executable (generic) a (10002005/4) 49.78%
          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
          • Generic Win/DOS Executable (2004/3) 0.01%
          • DOS Executable Generic (2002/1) 0.01%
          File name:ZgzIenrtf5.exe
          File size:207360
          MD5:03efbc1aa782599e235f4c1b0303ffb1
          SHA1:3877473e9e9014bc8eee7782dc81345772e832f9
          SHA256:c5d68d3abd9d6f9b094ea1bdb064ca709cc54de13f86856c4ffe34c64148c87c
          SHA512:15ac77a5d18d1820a1fa72bcb74b13fe1eeffc12d0899af4a8da94d3abe3947dfbf2a55258d896ee76cb9dd50717e2738daea2a630bbe80e00c0d1ad90319511
          SSDEEP:6144:gLV6Bta6dtJmakIM5D6xUtdHfBTQxVqtjreE:gLV6Btpmkxkd/FcVqx9
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. .....................................................................

          File Icon

          Icon Hash:00828e8e8686b000

          Static PE Info

          General

          Entrypoint:0x41e792
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          DLL Characteristics:
          Time Stamp:0x54E927A1 [Sun Feb 22 00:49:37 2015 UTC]
          TLS Callbacks:
          CLR (.Net) Version:v2.0.50727
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

          Entrypoint Preview

          Instruction
          jmp dword ptr [00402000h]
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al

          Data Directories

          NameVirtual AddressVirtual Size Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IMPORT0x1e7380x57.text
          IMAGE_DIRECTORY_ENTRY_RESOURCE0x220000x15da0.rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
          IMAGE_DIRECTORY_ENTRY_BASERELOC0x200000xc.reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

          Sections

          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
          .text0x20000x1c7980x1c800False0.594512404057data6.59808579998IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          .reloc0x200000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
          .rsrc0x220000x15da00x15e00False0.999866071429data7.99790613337IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

          Resources

          NameRVASizeTypeLanguageCountry
          RT_RCDATA0x220580x15d48TIM image, Pixel at (56860,48781) Size=63345x11644

          Imports

          DLLImport
          mscoree.dll_CorExeMain

          Network Behavior

          Snort IDS Alerts

          TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
          01/26/22-09:46:08.216157TCP2025019ET TROJAN Possible NanoCore C2 60B4976054955192.168.2.7107.173.60.45
          01/26/22-09:46:14.116786TCP2025019ET TROJAN Possible NanoCore C2 60B4976454955192.168.2.7107.173.60.45
          01/26/22-09:46:18.682717TCP2025019ET TROJAN Possible NanoCore C2 60B4976554955192.168.2.7107.173.60.45
          01/26/22-09:46:23.198746TCP2025019ET TROJAN Possible NanoCore C2 60B4976654955192.168.2.7107.173.60.45
          01/26/22-09:46:27.683212TCP2025019ET TROJAN Possible NanoCore C2 60B4976754955192.168.2.7107.173.60.45
          01/26/22-09:46:34.008137TCP2025019ET TROJAN Possible NanoCore C2 60B4977054955192.168.2.7107.173.60.45
          01/26/22-09:46:38.414028TCP2025019ET TROJAN Possible NanoCore C2 60B4977154955192.168.2.7107.173.60.45
          01/26/22-09:46:42.949617TCP2025019ET TROJAN Possible NanoCore C2 60B4977254955192.168.2.7107.173.60.45
          01/26/22-09:46:49.268783TCP2025019ET TROJAN Possible NanoCore C2 60B4977354955192.168.2.7107.173.60.45
          01/26/22-09:46:55.337640TCP2025019ET TROJAN Possible NanoCore C2 60B4978054955192.168.2.7107.173.60.45
          01/26/22-09:47:01.657634TCP2025019ET TROJAN Possible NanoCore C2 60B4978254955192.168.2.7107.173.60.45
          01/26/22-09:47:07.950589TCP2025019ET TROJAN Possible NanoCore C2 60B4979054955192.168.2.7107.173.60.45
          01/26/22-09:47:13.975269TCP2025019ET TROJAN Possible NanoCore C2 60B4979254955192.168.2.7107.173.60.45
          01/26/22-09:47:20.932232TCP2025019ET TROJAN Possible NanoCore C2 60B4980054955192.168.2.7107.173.60.45
          01/26/22-09:47:27.448467TCP2025019ET TROJAN Possible NanoCore C2 60B4981654955192.168.2.7107.173.60.45
          01/26/22-09:47:35.133123TCP2025019ET TROJAN Possible NanoCore C2 60B4983354955192.168.2.7107.173.60.45
          01/26/22-09:47:41.265641TCP2025019ET TROJAN Possible NanoCore C2 60B4983554955192.168.2.7107.173.60.45
          01/26/22-09:47:47.299230TCP2025019ET TROJAN Possible NanoCore C2 60B4983654955192.168.2.7107.173.60.45
          01/26/22-09:47:53.344216TCP2025019ET TROJAN Possible NanoCore C2 60B4985154955192.168.2.7107.173.60.45
          01/26/22-09:47:59.343769TCP2025019ET TROJAN Possible NanoCore C2 60B4986454955192.168.2.7107.173.60.45
          01/26/22-09:48:03.797518TCP2025019ET TROJAN Possible NanoCore C2 60B4986554955192.168.2.7107.173.60.45
          01/26/22-09:48:09.718980TCP2025019ET TROJAN Possible NanoCore C2 60B4986654955192.168.2.7107.173.60.45

          Network Port Distribution

          TCP Packets

          TimestampSource PortDest PortSource IPDest IP
          Jan 26, 2022 09:46:07.985819101 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:08.101031065 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:08.101176977 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:08.216156960 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:08.361574888 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:08.361695051 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:08.531954050 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:08.532068968 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:08.647684097 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:08.647931099 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:08.828762054 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:08.828849077 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.000732899 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.000848055 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.169156075 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.169193983 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.169219017 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.169240952 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.169286013 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.169306993 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.284141064 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.284171104 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.284183979 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.284197092 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.284218073 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.284231901 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.284246922 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.284264088 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.284272909 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.284296036 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.284439087 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.399014950 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.399044037 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.399060965 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.399077892 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.399094105 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.399108887 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.399126053 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.399142027 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.399162054 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.399184942 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.399199963 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.399215937 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.399229050 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.399234056 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.399245024 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.399252892 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.399262905 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.399272919 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.399280071 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.399327993 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.399333000 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.514070034 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514096975 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514115095 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514137983 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514153957 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514158010 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.514177084 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514182091 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.514197111 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514214993 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514231920 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514249086 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514249086 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.514266014 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514282942 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514295101 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.514298916 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514298916 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.514317036 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514333963 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514352083 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514369011 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514379978 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.514384985 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.514384985 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514401913 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514417887 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514430046 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.514432907 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.514434099 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514451981 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514467955 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514483929 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514501095 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514516115 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514518976 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.514523983 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.514533997 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514550924 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514566898 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.514570951 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.514575005 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.514626026 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.514628887 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629300117 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629331112 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629350901 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629373074 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629395962 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629419088 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629440069 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629462957 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629484892 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629487991 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629508018 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629514933 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629519939 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629533052 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629549026 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629554987 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629578114 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629599094 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629600048 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629602909 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629621983 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629637003 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629641056 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629645109 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629672050 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629684925 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629688978 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629694939 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629717112 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629718065 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629740000 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629749060 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629755020 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629760981 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629775047 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629784107 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629803896 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629822969 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629825115 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629827023 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629841089 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629861116 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629884005 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629895926 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629904985 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629904985 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629925966 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629928112 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629950047 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629965067 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629968882 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.629970074 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.629992962 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.630012035 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.630013943 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.630016088 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.630036116 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.630049944 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.630053997 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.630059004 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.630080938 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.630093098 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.630096912 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.630101919 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.630121946 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.630136013 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.630139112 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.630142927 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.630165100 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.630176067 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.630179882 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.630186081 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.630207062 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.630227089 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.630228043 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.630233049 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.630249023 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.630270958 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.630274057 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.630276918 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.630291939 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.630312920 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.630315065 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.630319118 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.630333900 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.630354881 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.630356073 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.630359888 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.630393982 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.630397081 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.745285988 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.745348930 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.745388031 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.745425940 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.745439053 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.745462894 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.745476007 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.745493889 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.745506048 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.745543003 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.745559931 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.745565891 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.745579958 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.745616913 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.745618105 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.745623112 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.745654106 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.745690107 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.745691061 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.745697021 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.745732069 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.745769978 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.745774031 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.745778084 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.745809078 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.745814085 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.745843887 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.745893002 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.745898962 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.745937109 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.745975018 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.745987892 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746011019 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746046066 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746047974 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746053934 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746082067 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746115923 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746126890 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746133089 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746153116 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746189117 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746211052 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746217966 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746226072 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746263027 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746263027 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746273994 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746298075 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746300936 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746334076 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746345043 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746370077 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746403933 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746409893 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746416092 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746438980 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746474028 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746490002 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746495008 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746512890 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746550083 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746555090 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746560097 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746583939 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746619940 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746623039 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746629000 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746654987 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746689081 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746694088 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746700048 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746726036 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746762037 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746764898 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746771097 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746797085 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746834040 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746836901 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746841908 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746867895 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746903896 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746907949 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746912956 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746939898 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746974945 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.746989012 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.746994972 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.747010946 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.747045994 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.747051001 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.747056961 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.747083902 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.747123957 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.747129917 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.861635923 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.861665964 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.861681938 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.861697912 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.861715078 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.861736059 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.861748934 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.861763954 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.861783028 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.861799002 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.861815929 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.861831903 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.861845970 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.861875057 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.861880064 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.861912012 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.861917973 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.861932039 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.861949921 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.861967087 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.861972094 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.861980915 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.861987114 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862004042 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862020969 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862027884 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.862034082 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.862039089 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862056017 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862072945 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862087965 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862099886 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.862103939 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862106085 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.862121105 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862137079 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862148046 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.862152100 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862153053 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.862169027 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862185001 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862200022 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862214088 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.862215996 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862220049 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.862232924 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862250090 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862257957 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.862263918 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.862266064 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862282991 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862298965 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862313032 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862318039 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.862322092 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.862495899 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.862653017 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862673044 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862689018 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862704992 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862718105 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.862723112 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862740993 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862757921 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862782001 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862783909 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.862790108 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.862801075 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862817049 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.862843037 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.862849951 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.862874031 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.976800919 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.976834059 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.976850986 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.976866961 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.976881027 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.976888895 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.976907969 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.976916075 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.976931095 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.976948977 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.976959944 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.976967096 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.976984978 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.976993084 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977003098 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977020979 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977025032 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977039099 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977049112 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977056980 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977073908 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977088928 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977088928 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977106094 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977122068 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977137089 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977138996 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977157116 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977169037 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977180004 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977196932 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977200985 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977216959 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977237940 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977237940 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977256060 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977267027 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977272034 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977289915 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977307081 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977314949 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977324009 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977340937 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977343082 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977359056 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977370024 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977375031 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977392912 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977407932 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977408886 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977427006 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977443933 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977457047 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977462053 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977483034 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977487087 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977502108 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977521896 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977523088 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977540016 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977555990 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977560043 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977574110 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977590084 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977605104 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977607012 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977623940 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977637053 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977642059 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977658987 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977665901 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977674961 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977690935 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977700949 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977708101 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977725029 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977745056 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977746964 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977762938 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977782965 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977783918 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977802038 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977806091 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977818012 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977830887 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977834940 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977865934 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977880955 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977885962 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977904081 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977920055 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977924109 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977936983 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977953911 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977960110 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.977968931 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977986097 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.977998972 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.978007078 CET5495549760107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:09.978027105 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.978055000 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:09.985385895 CET4976054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:14.000458002 CET4976454955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:14.115900993 CET5495549764107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:14.116009951 CET4976454955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:14.116786003 CET4976454955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:14.235274076 CET5495549764107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:14.235375881 CET4976454955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:14.350753069 CET5495549764107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:14.350833893 CET4976454955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:14.460380077 CET4976454955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:14.523346901 CET5495549764107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:14.523408890 CET4976454955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:18.568417072 CET4976554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:18.681885004 CET5495549765107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:18.681978941 CET4976554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:18.682717085 CET4976554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:18.799403906 CET5495549765107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:18.799556017 CET4976554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:18.915411949 CET5495549765107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:18.915574074 CET4976554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:19.065402985 CET4976554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:19.092309952 CET5495549765107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:19.092366934 CET4976554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:23.082948923 CET4976654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:23.197942019 CET5495549766107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:23.198066950 CET4976654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:23.198745966 CET4976654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:23.319066048 CET5495549766107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:23.319231033 CET4976654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:23.434753895 CET5495549766107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:23.434869051 CET4976654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:23.547446012 CET4976654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:23.601072073 CET5495549766107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:23.601196051 CET4976654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:27.564306974 CET4976754955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:27.682173014 CET5495549767107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:27.682295084 CET4976754955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:27.683212042 CET4976754955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:27.850302935 CET5495549767107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:27.850390911 CET4976754955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:27.918167114 CET5495549767107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:27.918247938 CET4976754955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:28.022459984 CET5495549767107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:28.022557020 CET4976754955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:28.137362003 CET5495549767107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:28.172799110 CET4976754955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:28.333739042 CET5495549767107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:28.333837986 CET4976754955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:28.508208990 CET5495549767107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:28.508330107 CET4976754955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:28.610302925 CET5495549767107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:28.610539913 CET4976754955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:28.692776918 CET5495549767107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:28.725486994 CET5495549767107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:28.725639105 CET4976754955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:28.896136045 CET5495549767107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:28.896241903 CET4976754955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:29.012269020 CET5495549767107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:29.016208887 CET4976754955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:29.130942106 CET5495549767107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:29.131094933 CET4976754955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:29.302294970 CET5495549767107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:29.304295063 CET4976754955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:29.474159956 CET5495549767107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:29.769505024 CET4976754955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:29.883045912 CET4976754955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:29.944082975 CET5495549767107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:29.944164991 CET4976754955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:33.893353939 CET4977054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:34.007112026 CET5495549770107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:34.007247925 CET4977054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:34.008136988 CET4977054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:34.124962091 CET5495549770107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:34.125523090 CET4977054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:34.239326000 CET5495549770107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:34.239447117 CET4977054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:34.282645941 CET4977054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:38.300008059 CET4977154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:38.413212061 CET5495549771107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:38.413337946 CET4977154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:38.414027929 CET4977154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:38.530214071 CET5495549771107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:38.530414104 CET4977154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:38.643872023 CET5495549771107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:38.644304037 CET4977154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:38.763514996 CET5495549771107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:38.768273115 CET4977154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:38.798705101 CET4977154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:42.834646940 CET4977254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:42.948658943 CET5495549772107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:42.948774099 CET4977254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:42.949616909 CET4977254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:43.097579002 CET5495549772107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:43.097795010 CET4977254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:43.256922960 CET5495549772107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:43.257131100 CET4977254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:43.371829033 CET5495549772107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:43.372128010 CET4977254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:43.534384966 CET5495549772107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:43.534486055 CET4977254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:43.706110954 CET5495549772107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:43.706182957 CET4977254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:43.877912998 CET5495549772107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:43.878005981 CET4977254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:43.965656042 CET5495549772107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:44.012527943 CET4977254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:44.049863100 CET5495549772107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:44.049978971 CET4977254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:44.126111984 CET5495549772107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:44.126214981 CET4977254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:44.221653938 CET5495549772107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:44.299865961 CET5495549772107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:44.299994946 CET4977254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:44.413661957 CET5495549772107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:44.413805962 CET4977254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:44.527525902 CET5495549772107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:44.527715921 CET4977254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:44.693487883 CET5495549772107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:44.695745945 CET4977254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:44.865847111 CET5495549772107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:44.866044998 CET4977254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:44.955545902 CET4977254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:45.023662090 CET5495549772107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:45.024589062 CET4977254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:49.152833939 CET4977354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:49.267568111 CET5495549773107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:49.267761946 CET4977354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:49.268783092 CET4977354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:49.386766911 CET5495549773107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:49.386940956 CET4977354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:49.501307964 CET5495549773107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:49.501526117 CET4977354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:49.664249897 CET5495549773107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:49.694494963 CET4977354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:49.752392054 CET4977354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:49.809171915 CET5495549773107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:49.809250116 CET4977354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:55.222409010 CET4978054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:55.336719990 CET5495549780107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:55.336838007 CET4978054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:55.337640047 CET4978054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:55.493623972 CET5495549780107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:55.493715048 CET4978054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:55.671941996 CET5495549780107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:55.672075987 CET4978054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:55.787997961 CET5495549780107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:55.788696051 CET4978054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:55.969285011 CET5495549780107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:55.969372988 CET4978054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:56.140410900 CET5495549780107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:56.140571117 CET4978054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:56.316334963 CET5495549780107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:56.316440105 CET4978054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:56.404839993 CET5495549780107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:56.487947941 CET5495549780107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:56.488095999 CET4978054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:56.601743937 CET5495549780107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:56.602677107 CET4978054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:56.771353960 CET5495549780107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:56.771492004 CET4978054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:56.887533903 CET5495549780107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:56.888719082 CET4978054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:57.002068996 CET5495549780107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:57.002230883 CET4978054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:57.162234068 CET5495549780107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:57.162653923 CET4978054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:57.333983898 CET5495549780107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:57.334104061 CET4978054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:57.489026070 CET4978054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:46:57.505824089 CET5495549780107.173.60.45192.168.2.7
          Jan 26, 2022 09:46:57.506145954 CET4978054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:01.504995108 CET4978254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:01.619781971 CET5495549782107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:01.619983912 CET4978254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:01.657634020 CET4978254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:01.808871031 CET5495549782107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:01.808975935 CET4978254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:01.977605104 CET5495549782107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:01.977689981 CET4978254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:02.092331886 CET5495549782107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:02.092468977 CET4978254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:02.258954048 CET5495549782107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:02.283278942 CET4978254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:02.446204901 CET5495549782107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:02.446332932 CET4978254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:02.618186951 CET5495549782107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:02.618550062 CET4978254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:02.790915966 CET5495549782107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:02.791033983 CET4978254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:02.893907070 CET5495549782107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:02.894150019 CET4978254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:02.962974072 CET5495549782107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:02.963224888 CET4978254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:03.008610964 CET5495549782107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:03.134774923 CET5495549782107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:03.134865046 CET4978254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:03.249825954 CET5495549782107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:03.249952078 CET4978254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:03.364557981 CET5495549782107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:03.365916014 CET4978254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:03.546926975 CET5495549782107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:03.547179937 CET4978254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:03.718391895 CET5495549782107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:03.719257116 CET4978254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:03.736819029 CET4978254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:07.814750910 CET4979054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:07.929707050 CET5495549790107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:07.929898024 CET4979054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:07.950588942 CET4979054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:08.108650923 CET5495549790107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:08.108743906 CET4979054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:08.295250893 CET5495549790107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:08.295341969 CET4979054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:08.411108017 CET5495549790107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:08.411248922 CET4979054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:08.576481104 CET5495549790107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:08.576581001 CET4979054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:08.748390913 CET5495549790107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:08.748703003 CET4979054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:08.920300007 CET5495549790107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:08.920401096 CET4979054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:09.083058119 CET5495549790107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:09.083144903 CET4979054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:09.256494999 CET5495549790107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:09.256586075 CET4979054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:09.428828955 CET5495549790107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:09.428926945 CET4979054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:09.600536108 CET5495549790107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:09.600622892 CET4979054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:09.687179089 CET5495549790107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:09.687335968 CET4979054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:09.772624016 CET5495549790107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:09.773964882 CET4979054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:09.801105976 CET4979054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:09.805265903 CET5495549790107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:09.805386066 CET4979054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:13.858257055 CET4979254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:13.974123001 CET5495549792107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:13.974392891 CET4979254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:13.975269079 CET4979254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:14.132141113 CET5495549792107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:14.134196043 CET4979254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:14.308609962 CET5495549792107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:14.308768034 CET4979254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:14.426074028 CET5495549792107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:14.426238060 CET4979254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:14.589801073 CET5495549792107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:14.589915991 CET4979254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:14.761688948 CET5495549792107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:14.761833906 CET4979254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:14.933269978 CET5495549792107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:14.933403969 CET4979254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:15.023624897 CET5495549792107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:15.105079889 CET5495549792107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:15.105159998 CET4979254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:15.219893932 CET5495549792107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:15.220097065 CET4979254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:15.394249916 CET5495549792107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:15.394365072 CET4979254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:15.511759043 CET5495549792107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:15.522527933 CET4979254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:15.637398958 CET5495549792107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:15.754580975 CET4979254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:15.911312103 CET5495549792107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:15.911422968 CET4979254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:16.081666946 CET5495549792107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:16.081789017 CET4979254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:16.253819942 CET5495549792107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:16.314023972 CET4979254955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:20.804814100 CET4980054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:20.922730923 CET5495549800107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:20.922919035 CET4980054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:20.932231903 CET4980054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:21.085072041 CET5495549800107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:21.087881088 CET4980054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:21.263035059 CET5495549800107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:21.263149977 CET4980054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:21.376750946 CET5495549800107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:21.377099991 CET4980054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:21.544151068 CET5495549800107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:21.546310902 CET4980054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:21.717222929 CET5495549800107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:21.737631083 CET4980054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:21.903669119 CET5495549800107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:21.908488989 CET4980054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:22.075443983 CET5495549800107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:22.087371111 CET4980054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:22.167035103 CET5495549800107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:22.171020985 CET4980054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:22.247960091 CET5495549800107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:22.284914017 CET5495549800107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:22.288882971 CET4980054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:22.466222048 CET5495549800107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:22.467793941 CET4980054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:22.637924910 CET5495549800107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:22.637989044 CET4980054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:22.753134012 CET5495549800107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:22.753629923 CET4980054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:22.867950916 CET5495549800107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:22.868066072 CET4980054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:23.044636965 CET5495549800107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:23.044759035 CET4980054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:23.216180086 CET5495549800107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:23.219858885 CET4980054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:23.255299091 CET4980054955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:27.273067951 CET4981654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:27.391812086 CET5495549816107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:27.392080069 CET4981654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:27.448467016 CET4981654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:27.602030039 CET5495549816107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:27.606406927 CET4981654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:27.721369982 CET5495549816107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:27.721507072 CET4981654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:27.897602081 CET5495549816107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:27.897675991 CET4981654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:28.069405079 CET5495549816107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:28.069504023 CET4981654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:28.241283894 CET5495549816107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:28.241452932 CET4981654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:28.345343113 CET5495549816107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:28.345488071 CET4981654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:28.413193941 CET5495549816107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:28.413383007 CET4981654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:28.461040020 CET5495549816107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:28.555926085 CET4981654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:28.584975004 CET5495549816107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:28.818041086 CET4981654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:28.932708979 CET5495549816107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:28.932876110 CET4981654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:29.047734976 CET5495549816107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:29.047830105 CET4981654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:29.225884914 CET5495549816107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:29.225941896 CET4981654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:29.397486925 CET5495549816107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:29.397587061 CET4981654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:29.571938992 CET5495549816107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:29.572118044 CET4981654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:29.741389036 CET5495549816107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:30.769512892 CET4981654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:30.939244032 CET5495549816107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:30.939326048 CET4981654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:30.999922991 CET4981654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:31.111155987 CET5495549816107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:31.111284018 CET4981654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:35.008539915 CET4983354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:35.123505116 CET5495549833107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:35.123702049 CET4983354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:35.133122921 CET4983354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:35.286685944 CET5495549833107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:35.286921024 CET4983354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:35.466065884 CET5495549833107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:35.466214895 CET4983354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:35.582068920 CET5495549833107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:35.582312107 CET4983354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:35.747313023 CET5495549833107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:35.747400999 CET4983354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:35.918984890 CET5495549833107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:35.919114113 CET4983354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:36.093699932 CET5495549833107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:36.093915939 CET4983354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:36.265639067 CET5495549833107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:36.265810966 CET4983354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:36.437309980 CET5495549833107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:36.443805933 CET4983354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:36.545267105 CET5495549833107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:36.545380116 CET4983354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:36.609637976 CET5495549833107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:36.609715939 CET4983354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:36.663017035 CET5495549833107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:36.663117886 CET4983354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:36.778573990 CET5495549833107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:36.778662920 CET4983354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:36.893383980 CET5495549833107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:36.904195070 CET4983354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:37.018902063 CET5495549833107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:37.019002914 CET4983354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:37.131565094 CET4983354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:37.187170982 CET5495549833107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:37.187237978 CET4983354955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:41.148500919 CET4983554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:41.263629913 CET5495549835107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:41.263789892 CET4983554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:41.265640974 CET4983554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:41.410145044 CET5495549835107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:41.410348892 CET4983554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:41.581448078 CET5495549835107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:41.581542969 CET4983554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:41.696638107 CET5495549835107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:41.696765900 CET4983554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:41.862678051 CET5495549835107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:41.862906933 CET4983554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:42.035439014 CET5495549835107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:42.035511017 CET4983554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:42.197427988 CET5495549835107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:42.197554111 CET4983554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:42.390748978 CET5495549835107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:42.390965939 CET4983554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:42.556396008 CET5495549835107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:42.556513071 CET4983554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:42.728601933 CET5495549835107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:42.729410887 CET4983554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:42.828690052 CET5495549835107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:42.828795910 CET4983554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:42.900130033 CET5495549835107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:42.902427912 CET4983554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:42.943768978 CET5495549835107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:42.990905046 CET4983554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:43.072024107 CET5495549835107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:43.072810888 CET4983554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:43.163259029 CET4983554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:43.188829899 CET5495549835107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:43.192667007 CET4983554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:47.180098057 CET4983654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:47.296668053 CET5495549836107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:47.298099995 CET4983654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:47.299230099 CET4983654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:47.450836897 CET5495549836107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:47.451123953 CET4983654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:47.617186069 CET5495549836107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:47.619085073 CET4983654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:47.734112978 CET5495549836107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:47.734297037 CET4983654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:47.914052963 CET5495549836107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:47.914167881 CET4983654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:48.090908051 CET5495549836107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:48.091012955 CET4983654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:48.262613058 CET5495549836107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:48.262857914 CET4983654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:48.374895096 CET5495549836107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:48.374985933 CET4983654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:48.435069084 CET5495549836107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:48.435183048 CET4983654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:48.528825998 CET5495549836107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:48.553389072 CET5495549836107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:48.553570032 CET4983654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:48.554008007 CET4983654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:48.669373035 CET5495549836107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:48.669482946 CET4983654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:48.784151077 CET5495549836107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:48.785761118 CET4983654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:48.950021029 CET5495549836107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:48.951088905 CET4983654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:49.118041039 CET5495549836107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:49.118156910 CET4983654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:49.211003065 CET4983654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:49.292696953 CET5495549836107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:49.292826891 CET4983654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:53.228136063 CET4985154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:53.343333006 CET5495549851107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:53.343473911 CET4985154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:53.344216108 CET4985154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:53.493794918 CET5495549851107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:53.493937969 CET4985154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:53.655592918 CET5495549851107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:53.655751944 CET4985154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:53.770709991 CET5495549851107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:53.770844936 CET4985154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:53.936552048 CET5495549851107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:53.936646938 CET4985154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:54.108306885 CET5495549851107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:54.110069036 CET4985154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:54.280519962 CET5495549851107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:54.280631065 CET4985154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:54.371836901 CET5495549851107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:54.413825989 CET4985154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:54.452295065 CET5495549851107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:54.452435970 CET4985154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:54.528404951 CET5495549851107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:54.570563078 CET4985154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:54.624142885 CET5495549851107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:54.624253988 CET4985154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:54.741975069 CET5495549851107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:54.745387077 CET4985154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:54.860100985 CET5495549851107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:54.860172033 CET4985154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:55.037121058 CET5495549851107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:55.037233114 CET4985154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:55.193386078 CET5495549851107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:55.193491936 CET4985154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:55.211332083 CET4985154955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:59.228224039 CET4986454955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:59.342746019 CET5495549864107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:59.342878103 CET4986454955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:59.343769073 CET4986454955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:59.461402893 CET5495549864107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:59.461730957 CET4986454955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:59.576947927 CET5495549864107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:59.577059984 CET4986454955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:59.664593935 CET4986454955192.168.2.7107.173.60.45
          Jan 26, 2022 09:47:59.747009039 CET5495549864107.173.60.45192.168.2.7
          Jan 26, 2022 09:47:59.747165918 CET4986454955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:03.681905985 CET4986554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:03.796353102 CET5495549865107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:03.796586037 CET4986554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:03.797518015 CET4986554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:03.956962109 CET5495549865107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:03.957199097 CET4986554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:04.132107973 CET5495549865107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:04.132316113 CET4986554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:04.247221947 CET5495549865107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:04.249975920 CET4986554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:04.413634062 CET5495549865107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:04.413806915 CET4986554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:04.585392952 CET5495549865107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:04.585699081 CET4986554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:04.757190943 CET5495549865107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:04.757766962 CET4986554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:04.858851910 CET5495549865107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:04.859020948 CET4986554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:04.929384947 CET5495549865107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:04.929446936 CET4986554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:04.973675013 CET5495549865107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:04.973845005 CET4986554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:05.089030981 CET5495549865107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:05.089226007 CET4986554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:05.203983068 CET5495549865107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:05.204180956 CET4986554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:05.319057941 CET5495549865107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:05.319251060 CET4986554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:05.496073961 CET5495549865107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:05.496170044 CET4986554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:05.587229013 CET4986554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:05.669370890 CET5495549865107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:05.669531107 CET4986554955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:09.603933096 CET4986654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:09.718483925 CET5495549866107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:09.718641043 CET4986654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:09.718980074 CET4986654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:09.837071896 CET5495549866107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:09.883805037 CET4986654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:09.998178005 CET5495549866107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:10.000955105 CET4986654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:10.116801977 CET5495549866107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:10.117691994 CET4986654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:10.287710905 CET5495549866107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:10.388824940 CET5495549866107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:10.389283895 CET4986654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:10.504405022 CET5495549866107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:10.505660057 CET4986654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:10.621619940 CET5495549866107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:10.621788979 CET4986654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:10.736947060 CET5495549866107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:10.790081024 CET4986654955192.168.2.7107.173.60.45
          Jan 26, 2022 09:48:12.496133089 CET5495549866107.173.60.45192.168.2.7
          Jan 26, 2022 09:48:12.541145086 CET4986654955192.168.2.7107.173.60.45

          Statistics

          CPU Usage

          Click to jump to process

          Memory Usage

          Click to jump to process

          High Level Behavior Distribution

          Click to dive into process behavior distribution

          System Behavior

          General

          Target ID:0
          Start time:09:46:03
          Start date:26/01/2022
          Path:C:\Users\user\Desktop\ZgzIenrtf5.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\ZgzIenrtf5.exe"
          Imagebase:0xae0000
          File size:207360 bytes
          MD5 hash:03EFBC1AA782599E235F4C1B0303FFB1
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Reputation:low

          Disassembly

          No disassembly